Posted to issues@metron.apache.org by "Nick Allen (JIRA)" <ji...@apache.org> on 2017/02/03 14:48:51 UTC

[jira] [Updated] (METRON-686) Record Rule Set that Fired During Threat Triage

     [ https://issues.apache.org/jira/browse/METRON-686?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Allen updated METRON-686:
------------------------------
    Summary: Record Rule Set that Fired During Threat Triage  (was: Record of Rule Set that Fired During Threat Triage)

> Record Rule Set that Fired During Threat Triage
> -----------------------------------------------
>
>                 Key: METRON-686
>                 URL: https://issues.apache.org/jira/browse/METRON-686
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Nick Allen
>            Assignee: Nick Allen
>
> h3. Problem
> There is little transparency into the Threat Triage process itself.  When Threat Triage runs, all I get is a score.  I don't know how that score was arrived at, which rules were triggered, and the specific values that caused a rule to trigger.  
> More specifically, there is no way to generate a message that looks like "The host 'powned.svr.bank.com' has '230' inbound flows, exceeding the threshold of '202'".  This makes it difficult for an analyst to action the alert.
> h3. Proposed Solution
> To improve the transparency of the Threat Triage process, I am proposing these enhancements.
> (1) Threat Triage should attach to each message all of the rules that fired in addition to the total calculated threat triage score.
> (2) Threat Triage should allow a custom message to be generated for each rule.  The custom message would allow for some form of string interpolation so that I can add specific values from each message to the generated alert.  We could allow this in one or both of the new fields that Casey just added, name and comment.
> (3) The specific method of string interpolation will be implemented under a separate issue.
> h3. Example
> (1) In this example, we have a telemetry message with a field called 'value' that we need to monitor.  In Enrichment, I calculate some sort of value threshold, over which an alert should be generated.
> (2) In Threat Triage, I use the calculated value threshold to alert on any message that has a value exceeding this threshold.  
> (3) I can embed values from the message, like the hostname, value, and value threshold, into the alert produced by Threat Triage.  Notice that I am using {noformat}${this}{noformat} for string interpolation, but it could be any syntax that we choose.
> {code}
> "triageConfig" : {
>   "riskLevelRules" : [
>     {
>       "name" : "Abnormal Value",
>       "comment" : "For ${hostname}; the value ${value} exceeds threshold of ${value_threshold}",
>       "rule" : "value > value_threshold",
>       "score" : 10
>     }
>   ],
>   "aggregator" : "MAX"
> }
> {code}
> (4) The Threat Triage process today would add only the total calculated score.
> {code}
> "threat.triage.level": 10.0
> {code}
> With this proposal, Threat Triage would add the following to the message.  
> Notice how each of the {noformat}${variables}{noformat} has been replaced with the actual value extracted from the message.  This allows for more contextual information to action the alert.
> {code}
> "threat.triage": {
>     "score": 10.0,
>     "rules": [
>       { 
>         "name": "Abnormal Value",
>         "comment" : "For 10.0.0.1; the value 101 exceeds threshold of 42",
>         "score" : 10
>       }
>     ]
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
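The behaviour proposed in the issue above, as an added example that is not Metron code and not part of the original ticket: each rule is evaluated against the telemetry message, the rules that fired are recorded alongside the aggregated score, and `${field}` placeholders in each rule's comment are replaced with values taken from the message. Two assumptions are labelled in the code: the rule evaluator is a deliberately restricted single-comparison parser (Metron's real rules are Stellar expressions, which this does not implement), and the aggregator names MAX, MIN, SUM and MEAN are the ones modelled here. The second rule, the `is_watched` field and the sample messages are constructed for the example.

```python
import json
import operator
import re
from statistics import mean

# Constructed triageConfig mirroring the proposal; the second rule is added for illustration.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {
            "name": "Abnormal Value",
            "comment": "For ${hostname}; the value ${value} exceeds threshold of ${value_threshold}",
            "rule": "value > value_threshold",
            "score": 10,
        },
        {
            "name": "Watched Host",
            "comment": "${hostname} is on the watch list",
            "rule": "is_watched == 1",
            "score": 50,
        },
    ],
    "aggregator": "MAX",
}

# Assumption: rules are a single comparison "<operand> <op> <operand>", where an operand
# is a message field name or a numeric literal. This stands in for Stellar and avoids eval().
_RULE_RE = re.compile(r"^\s*(\S+)\s*(>=|<=|==|!=|>|<)\s*(\S+)\s*$")
_OPERATORS = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt,
    "<=": operator.le, "==": operator.eq, "!=": operator.ne,
}
# ${field} placeholders, as in the issue's example.
_VAR_RE = re.compile(r"\$\{(\w+)\}")
# Assumption: the aggregators supported by this model.
_AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum, "MEAN": mean}


def _operand(token, message):
    """A numeric literal, or else the value of the named message field (KeyError if absent)."""
    try:
        return float(token)
    except ValueError:
        return message[token]


def rule_fires(rule, message):
    """True only when the comparison holds; a missing or non-numeric field never fires the rule."""
    match = _RULE_RE.match(rule)
    if not match:
        raise ValueError("unsupported rule syntax: %r" % rule)
    lhs, op, rhs = match.groups()
    try:
        return _OPERATORS[op](float(_operand(lhs, message)), float(_operand(rhs, message)))
    except (KeyError, TypeError, ValueError):
        return False


def interpolate(template, message):
    """Replace ${field} with the message value; unknown fields are left as-is for visibility."""
    return _VAR_RE.sub(
        lambda m: str(message[m.group(1)]) if m.group(1) in message else m.group(0),
        template,
    )


def triage(message, config):
    """Return the proposed 'threat.triage' object: aggregated score plus every rule that fired."""
    fired = []
    for rule in config["riskLevelRules"]:
        if rule_fires(rule["rule"], message):
            fired.append({
                "name": rule["name"],
                "comment": interpolate(rule.get("comment", ""), message),
                "score": rule["score"],
            })
    scores = [r["score"] for r in fired]
    score = float(_AGGREGATORS[config["aggregator"]](scores)) if scores else 0.0
    return {"score": score, "rules": fired}


if __name__ == "__main__":
    # Constructed telemetry message matching the values in the issue's example output.
    message = {"hostname": "10.0.0.1", "value": 101, "value_threshold": 42, "is_watched": 0}
    print(json.dumps({"threat.triage": triage(message, TRIAGE_CONFIG)}, indent=2))
```

Keeping the unresolved `${value_threshold}` text in the comment when the field is missing, rather than silently dropping it, is a deliberate choice: an analyst reading the alert can immediately see that the enrichment step did not supply the threshold, which is itself useful context when deciding whether to trust the score.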