Posted to commits@metron.apache.org by mm...@apache.org on 2017/04/18 20:16:14 UTC

incubator-metron git commit: METRON-849: Add 'reason' to threat triage risk level rules doc (mmiklavc) closes apache/incubator-metron#529

Repository: incubator-metron
Updated Branches:
  refs/heads/master e6992d568 -> eb08d145f


METRON-849: Add 'reason' to threat triage risk level rules doc (mmiklavc) closes apache/incubator-metron#529


Project: http://git-wip-us.apache.org/repos/asf/incubator-metron/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-metron/commit/eb08d145
Tree: http://git-wip-us.apache.org/repos/asf/incubator-metron/tree/eb08d145
Diff: http://git-wip-us.apache.org/repos/asf/incubator-metron/diff/eb08d145

Branch: refs/heads/master
Commit: eb08d145f00166ab73316714f96fdb8d53de0f79
Parents: e6992d5
Author: mmiklavc <mi...@gmail.com>
Authored: Tue Apr 18 14:16:06 2017 -0600
Committer: Michael Miklavcic <mi...@gmail.com>
Committed: Tue Apr 18 14:16:06 2017 -0600

----------------------------------------------------------------------
 metron-platform/metron-enrichment/README.md | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-metron/blob/eb08d145/metron-platform/metron-enrichment/README.md
----------------------------------------------------------------------
diff --git a/metron-platform/metron-enrichment/README.md b/metron-platform/metron-enrichment/README.md
index d08929b..a789f0f 100644
--- a/metron-platform/metron-enrichment/README.md
+++ b/metron-platform/metron-enrichment/README.md
@@ -1,4 +1,4 @@
-#Enrichment
+# Enrichment
 
 ## Introduction
 
@@ -29,7 +29,7 @@ There are two types of configurations at the moment, `global` and
 
 See the "[Global Configuration](../metron-common)" section.
 
-##Sensor Enrichment Configuration
+## Sensor Enrichment Configuration
 
 The sensor specific configuration is intended to configure the
 individual enrichments and threat intelligence enrichments for a given
@@ -41,7 +41,7 @@ The configuration is a complex JSON object with the following top level fields:
 * `enrichment` : A complex JSON object representing the configuration of the enrichments
 * `threatIntel` : A complex JSON object representing the configuration of the threat intelligence enrichments
 
-###The `enrichment` Configuration 
+### The `enrichment` Configuration
 
 
 | Field            | Description                                                                                                                                                                                                                   | Example                                                          |
@@ -106,7 +106,7 @@ The other way in which the stellar enrichment is somewhat more complex is in how
 ```
 We have a group called `numeric` whose stellar statements will be executed sequentially.  In parallel to that, we have the group of stellar statements under the group `text` executing.  The intent here is to allow you to not force higher latency operations to be done sequentially. You can use any name for your groupings you like. Be aware that the configuration is a map and duplicate configuration keys' values are not combined, so the duplicate configuration value will be overwritten.
 
-###The `threatIntel` Configuration 
+### The `threatIntel` Configuration
 
 | Field            | Description                                                                                                                                                                                                                                   | Example                                                                  |
 |------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
@@ -131,6 +131,7 @@ A risk level rule is of the following format:
 * `comment` : A comment describing the rule
 * `rule` : The rule, represented as a Stellar statement
 * `score` : Associated threat triage score for the rule
+* `reason` : Reason the rule tripped. Can be represented as a Stellar statement
 
 An example of a rule is as follows:
 ```
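Review bot: The new `reason` bullet does not say whether the field is required or optional, nor whether a plain string literal is accepted in addition to a Stellar statement ("Can be represented as a Stellar statement" reads as though both are allowed); since the list of rule fields above it also does not mark which are required, suggest making that explicit in the bullet, for example `* `reason` : (Optional) Reason the rule tripped, evaluated as a Stellar statement when the rule matches`, so readers know what the triage output will contain.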
@@ -138,8 +139,9 @@ An example of a rule is as follows:
         { 
           "name" : "is internal"
         , "comment" : "determines if the destination is internal."
-        , rule" : "IN_SUBNET(ip_dst_addr, '192.168.0.0/24')"
-        , "score" : 10 
+        , "rule" : "IN_SUBNET(ip_dst_addr, '192.168.0.0/24')"
+        , "score" : 10
+        , "reason" : "FORMAT('%s is internal', ip_dst_addr)"
         }
                        ]
 ```
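Review bot: This hunk also fixes a pre-existing bug in the example JSON, the missing opening quote in `rule"` (now `"rule"`), which is worth mentioning in the commit message since it is a correctness fix independent of the `reason` addition. The added `"reason" : "FORMAT('%s is internal', ip_dst_addr)"` line is consistent with the bullet above describing `reason` as a Stellar statement, but the example only shows the Stellar form; if a plain string is also accepted, a second rule showing that form would make the distinction clear.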
@@ -150,7 +152,7 @@ The supported aggregation functions are:
 * `MEAN` : The mean of all of the associated values for matching queries
 * `POSITIVE_MEAN` : The mean of the positive associated values for the matching queries.
 
-###Example Configuration
+### Example Configuration
 
 An example configuration for the YAF sensor is as follows:
 ```json