[ASM] - Expandr 4735 #27951
Merged
* Update ranking algorithm for Service Ownership

  Currently, we score and return all owners in ${alert.asmserviceowner} in sorted owners; instead, we want ${alert.asmserviceowner} to contain a smaller, high-confidence set of owners that we would be comfortable notifying via email.

  Test plan: pytest + manual testing in tenant
* Add release notes
* Verify hyperparameters and update docs
* Add unit test for value-checking in _get_k
* Update release notes
* Manually apply diff in output of pre-commit check: use built-ins for type hints, set generators

---------

Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com>
content-bot added the following labels on Jul 6, 2023:
* Contribution: Thank you! Contributions are always welcome!
* docs-approved
* ready-for-instance-test: In contribution PRs, this label will cause a trigger of a build with a modified pack from the PR.
* Contribution Form Filled: Whether contribution form filled or not.
* Community
* pending-contributor: The PR is pending the response of its creator
* Xsoar Support Level: Indicates that the contribution is for XSOAR supported pack
michal-dagan approved these changes on Jul 6, 2023
xsoar-bot pushed a commit to xsoar-contrib/content that referenced this pull request on Jul 26, 2023:

* Update ranking algorithm for Service Ownership

  Currently, we score and return all owners in ${alert.asmserviceowner} in sorted owners; instead, we want ${alert.asmserviceowner} to contain a smaller, high-confidence set of owners that we would be comfortable notifying via email.

  Test plan: pytest + manual testing in tenant
* Add release notes
* Verify hyperparameters and update docs
* Add unit test for value-checking in _get_k
* Update release notes
* Manually apply diff in output of pre-commit check: use built-ins for type hints, set generators

---------

Co-authored-by: kball-pa <131012047+kball-pa@users.noreply.github.com>
Co-authored-by: michal-dagan <109464765+michal-dagan@users.noreply.github.com>
xsoar-bot pushed a commit to xsoar-contrib/content that referenced this pull request on Aug 2, 2023
Original External PR
external pull request
Contributor
@kball-pa
Contributing to Cortex XSOAR Content
Make sure to register your contribution by filling the contribution registration form
The Pull Request will be reviewed only after the contribution registration form is filled.
Status
Related Issues
https://jira-hq.paloaltonetworks.local/browse/EXPANDR-4735
Description
Currently, we score and return all owners in ${alert.asmserviceowner} in sorted order. Some of these may be service accounts or other low-confidence users/owners that we don't want to notify.
This PR implements a ranking algorithm for Service Ownership that tries to find a smaller (targeting roughly ~5), high-confidence set of owners that we would be comfortable notifying via email. After the Service Ownership playbook runs, ${alert.asmserviceowner} will contain this smaller, high-confidence set, while ${alert.asmserviceownerunrankedraw} will contain the full set of (deduplicated) owners pulled during enrichment.
See unit tests for detailed specification for how the ranking algorithm works.
Test plan: pytest + manual testing in tenant (see JIRA ticket)
Minimum version of Cortex XSOAR
Does it break backward compatibility?
Must have
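
An added sketch of the split the description outlines: a small, high-confidence set in `asmserviceowner` and the full deduplicated set in `asmserviceownerunrankedraw`. This is not the PR's code (the pack's unit tests specify the real algorithm); the selection rule, the `score` and `source` fields, `TARGET_K`, `MIN_SCORE_PROPORTION` and the sample records are assumptions made for illustration.

```python
TARGET_K = 5                  # hypothetical cap on how many owners get notified
MIN_SCORE_PROPORTION = 0.75   # hypothetical share of total score the set must cover

def dedupe_owners(raw):
    """Merge records that share an email (case-insensitive), keeping the best score."""
    merged = {}
    for rec in raw:
        email = rec["email"].strip().lower()
        entry = merged.setdefault(email, {"email": email, "score": 0.0, "sources": []})
        entry["score"] = max(entry["score"], float(rec["score"]))
        if rec["source"] not in entry["sources"]:
            entry["sources"].append(rec["source"])
    return list(merged.values())

def get_k(scores, target_k=TARGET_K, min_proportion=MIN_SCORE_PROPORTION):
    """Smallest k whose top scores cover min_proportion of the total, capped at target_k."""
    if target_k <= 0:
        raise ValueError("target_k must be positive")
    if not 0 < min_proportion <= 1:
        raise ValueError("min_proportion must be in (0, 1]")
    if any(s < 0 for s in scores):
        raise ValueError("scores must be non-negative")
    ranked = sorted(scores, reverse=True)
    total = sum(ranked)
    if total == 0:
        return 0              # nobody is confident enough to notify
    running = 0.0
    for k, score in enumerate(ranked, start=1):
        running += score
        if running >= min_proportion * total or k == target_k:
            return k
    return len(ranked)

def rank_owners(raw):
    """Return both fields: the notifiable subset and the full deduplicated set."""
    unranked = dedupe_owners(raw)
    ordered = sorted(unranked, key=lambda o: (-o["score"], o["email"]))
    k = get_k([o["score"] for o in ordered])
    return {"asmserviceowner": ordered[:k], "asmserviceownerunrankedraw": unranked}

# Constructed sample input: a duplicate person and a low-scoring service account.
RAW = [
    {"email": "alice@example.com", "score": 0.9, "source": "cloud-tags"},
    {"email": "Alice@example.com", "score": 0.4, "source": "cmdb"},
    {"email": "bob@example.com", "score": 0.8, "source": "cloud-tags"},
    {"email": "svc-deploy@example.com", "score": 0.1, "source": "cloud-tags"},
    {"email": "carol@example.com", "score": 0.2, "source": "cmdb"},
]
```

With the constructed records, only the two high-scoring owners land in `asmserviceowner`, while the service account stays visible in `asmserviceownerunrankedraw` for later review.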