Posted to user@metron.apache.org by Ali Nazemian <al...@gmail.com> on 2017/06/22 07:50:38 UTC

Threat Triage boost aggregation

Hi all,

I know there are four different Threat Triage aggregation functions we can
use for the case of triggering multiple rules. These functions are "max",
"min", "mean", "positive mean". I was wondering whether there is any way I
can implement the following logic with the Threat Triage functions for a
non-deterministic score.

In the case that a specific rule is triggered, I want to boost the final
result of the Threat Triage score with a specific value. For example +20 to the
score or multiply that by a specific value!

Threat Triage is the last bolt in the enrichment topology so it seems I cannot
have any additional enrichment/transformation based on the score value. Is
that right?

Regards,
Ali
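
The four aggregators listed above, and the per-rule boost the question asks for, modelled in Python as an added example. This is not Metron's code and not something posted by anyone in the thread: the rules are plain Python predicates standing in for the Stellar expressions of a triageConfig riskLevelRule, the aggregator semantics (POSITIVE_MEAN as the mean of the fired scores that are greater than zero, 0.0 for every aggregator when no rule fires) are assumptions about the real implementation, and the BOOSTS table is a hypothetical syntax for the "+20 or multiply" step. The boost function is the piece that Casey's reply further down says the current fixed set of functions cannot encode, i.e. what a pluggable Stellar aggregation step would have to compute.

```python
"""Model of Threat Triage scoring: the four built-in aggregators plus a
per-rule boost applied after aggregation. Added example, not Metron code."""
from statistics import mean

# Constructed rule set: (name, predicate, score), mirroring the name/rule/score
# fields of a triageConfig riskLevelRule. Predicates stand in for Stellar.
# A negative score models a "trusted" signal (assumption, not project practice).
RULES = [
    ("malicious_ip", lambda m: m.get("threatintel") == "malicious_ip", 10),
    ("exfil_port",   lambda m: m.get("ip_dst_port") in (4444, 1337), 50),
    ("internal_src", lambda m: m.get("ip_src_addr", "").startswith("10."), -5),
    ("known_c2",     lambda m: m.get("domain") == "bad.example", 90),
]

# Hypothetical boost table: applied to the aggregated score when the named
# rule fired. ("add", v) adds v; ("mul", v) multiplies by v.
BOOSTS = {
    "known_c2":   ("add", 20),
    "exfil_port": ("mul", 1.5),
}

# Assumed semantics of the four built-in aggregators over the scores of the
# rules that fired. An empty list (nothing fired) yields 0.0 for all of them.
AGGREGATORS = {
    "MAX":           lambda s: max(s) if s else 0.0,
    "MIN":           lambda s: min(s) if s else 0.0,
    "MEAN":          lambda s: mean(s) if s else 0.0,
    "POSITIVE_MEAN": lambda s: (mean([x for x in s if x > 0])
                                if any(x > 0 for x in s) else 0.0),
}


def fired_rules(msg, rules=RULES):
    """Return [(name, score)] for every rule whose predicate matches msg."""
    return [(name, score) for name, pred, score in rules if pred(msg)]


def triage(msg, aggregator="MAX", rules=RULES):
    """Aggregate the scores of the fired rules with one built-in aggregator."""
    scores = [score for _, score in fired_rules(msg, rules)]
    return float(AGGREGATORS[aggregator](scores))


def triage_with_boost(msg, aggregator="MAX", rules=RULES, boosts=BOOSTS):
    """The behaviour the question asks for: aggregate first, then boost the
    result once for each fired rule that carries a boost. Additive boosts are
    applied before multiplicative ones so the order of BOOSTS is irrelevant."""
    score = triage(msg, aggregator, rules)
    fired = {name for name, _ in fired_rules(msg, rules)}
    active = [boosts[n] for n in fired if n in boosts]
    for op, value in sorted(active, key=lambda b: b[0] != "add"):
        score = score + value if op == "add" else score * value
    return score


# Constructed sample messages (not real traffic, not from the thread).
MSG_MULTI = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "203.0.113.9",
             "ip_dst_port": 4444, "domain": "bad.example",
             "threatintel": "malicious_ip"}
MSG_SINGLE = {"ip_src_addr": "198.51.100.7", "ip_dst_port": 443,
              "threatintel": "malicious_ip"}
MSG_QUIET = {"ip_src_addr": "198.51.100.8", "ip_dst_port": 443}


if __name__ == "__main__":
    for label, msg in (("multi", MSG_MULTI), ("single", MSG_SINGLE),
                       ("quiet", MSG_QUIET)):
        fired = [n for n, _ in fired_rules(msg)]
        built_in = {agg: triage(msg, agg) for agg in AGGREGATORS}
        print(label, fired, built_in, "boosted MAX:", triage_with_boost(msg))
```

Two things worth noticing when running it: on the multi-rule message the four built-ins return 90, -5, 36.25 and 50, none of which is "90 plus 20", and once a boost is applied the score (165 here) exceeds the largest score any single rule can produce, so any downstream threshold on the triage score has to be re-derived rather than copied from the rule scores. The negative "trust" rule also shows the aggregator choice is itself a policy decision: POSITIVE_MEAN ignores it entirely, while MIN lets it override every other signal.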

Re: Threat Triage boost aggregation

Posted by Ali Nazemian <al...@gmail.com>.
I thought MaaS is flexible enough to use any combination of code we like.
It can be a machine learning model or a very deterministic model.

I have to have a look at some of our use cases in more detail. I will send
an example to you.

Cheers,
Ali

On Fri, Jun 23, 2017 at 11:43 AM, Casey Stella <ce...@gmail.com> wrote:

-- 
A.Nazemian

Re: Threat Triage boost aggregation

Posted by Casey Stella <ce...@gmail.com>.
Actually, and I am shocked to find myself saying this, MaaS won't help you
here. ;)  I don't think the current system can encode your desire.  Just in
case I'm being dense, though, would you give us a concrete example with
some rules and how you'd like the score aggregated?

On Thu, Jun 22, 2017 at 8:07 PM, Ali Nazemian <al...@gmail.com> wrote:

Re: Threat Triage boost aggregation

Posted by Ali Nazemian <al...@gmail.com>.
Thanks, Casey and Nick. Is there any way that we can somehow overcome this
requirement with the current features, excluding MaaS?

On Thu, Jun 22, 2017 at 11:42 PM, Nick Allen <ni...@nickallen.org> wrote:

-- 
A.Nazemian

Re: Threat Triage boost aggregation

Posted by Nick Allen <ni...@nickallen.org>.
Ali -

Here are some issues in JIRA related to this topic.  Feel free to add
commentary or specifics of your use case to either of these issues.
Feedback will only help improve the final result.

https://issues.apache.org/jira/browse/METRON-683
https://issues.apache.org/jira/browse/METRON-685

Thanks

On Thu, Jun 22, 2017 at 9:31 AM, Casey Stella <ce...@gmail.com> wrote:

Re: Threat Triage boost aggregation

Posted by Casey Stella <ce...@gmail.com>.
That's correct that it's the last step.  Honestly, the threat triage
functions were added prior to Stellar really being a thing.  We should
allow arbitrary stellar statements in there rather than a fixed approach,
so it's pluggable.

On Thu, Jun 22, 2017 at 3:50 AM, Ali Nazemian <al...@gmail.com> wrote:
