Using Stellar to Set up Threat Triage Configurations
The threat triage configuration associates conditions with numeric scores. Each condition is a Stellar expression evaluated against the enriched message; when it is true, the rule's score counts toward the message's threat score. Because the rules are defined per sensor, the triage configuration lives in the sensor enrichment configuration held in ZooKeeper, inside its threatIntel section, like so:

    {
      ...,
      "threatIntel" : {
        ...,
        "triageConfig" : {
          "riskLevelRules" : {
            "condition1" : level1,
            "condition2" : level2,
            ...
          },
          "aggregator" : "MAX"
        }
      }
    }
- riskLevelRules
A map from Stellar condition to numeric score (the "level") that defines the threat triage rules for this particular sensor. A rule matches when its condition evaluates to true for the message.
- aggregator
An aggregation function that takes the non-zero scores of all matching rules in riskLevelRules and combines them into a single threat score for the message. If no rule matches, no score is produced.
The current supported aggregation functions are:
- MAX
The maximum of all of the associated values for matching queries
- MIN
The minimum of all of the associated values for matching queries
- MEAN
The mean of all of the associated values for matching queries
- POSITIVE_MEAN
The mean of the positive associated values for the matching queries
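The following is an added example, not code from the Metron project, showing how the riskLevelRules and aggregator settings above combine into one score for a message. Metron evaluates the Stellar conditions itself; here each Stellar string in the constructed config is paired with an equivalent Python predicate, which is an assumption made for this example rather than a Stellar interpreter. The sample messages and the rule scores are constructed; the handling of POSITIVE_MEAN when no matching score is positive is also a choice made here and not a documented Metron behaviour.

```python
import json
from statistics import mean

# Constructed sensor enrichment config with the triageConfig section from the
# text above. The keys of riskLevelRules are Stellar conditions as they would
# appear in ZooKeeper; the values are the scores contributed when they match.
SENSOR_CONFIG = json.loads("""
{
  "enrichment": {},
  "threatIntel": {
    "fieldMap": {},
    "triageConfig": {
      "riskLevelRules": {
        "exists(threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip)": 100,
        "ip_src_addr in [ '10.0.2.3' ]": 10,
        "user.type == 'admin'": 20
      },
      "aggregator": "MAX"
    }
  }
}
""")
TRIAGE = SENSOR_CONFIG["threatIntel"]["triageConfig"]

# Stand-ins for the Stellar conditions above (assumption for this example:
# Metron would evaluate the Stellar strings directly against the message).
CONDITIONS = {
    "exists(threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip)":
        lambda m: "threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip" in m,
    "ip_src_addr in [ '10.0.2.3' ]":
        lambda m: m.get("ip_src_addr") in {"10.0.2.3"},
    "user.type == 'admin'":
        lambda m: m.get("user.type") == "admin",
}

def positive_mean(scores):
    """Mean of the positive scores; 0 when none are positive (choice made here)."""
    positive = [s for s in scores if s > 0]
    return mean(positive) if positive else 0

# The four aggregators listed in the text, applied to the matching scores.
AGGREGATORS = {
    "MAX": max,
    "MIN": min,
    "MEAN": mean,
    "POSITIVE_MEAN": positive_mean,
}

def matching_scores(message, triage_config):
    """Scores of every rule whose condition holds for this message."""
    return [score
            for condition, score in triage_config["riskLevelRules"].items()
            if CONDITIONS[condition](message)]

def triage(message, triage_config, aggregator=None):
    """Apply the sensor's triage config to one enriched message.

    Zero scores are dropped before aggregation, and None is returned when no
    rule matches, so a benign message gets no threat score at all.
    """
    scores = [s for s in matching_scores(message, triage_config) if s != 0]
    if not scores:
        return None
    name = aggregator or triage_config["aggregator"]
    return AGGREGATORS[name](scores)

# Constructed messages: an admin login from the watched source address, a
# benign message, and one carrying a threat-intel enrichment hit.
MSG_ADMIN = {"ip_src_addr": "10.0.2.3", "user.type": "admin"}
MSG_BENIGN = {"ip_src_addr": "192.168.1.1", "user.type": "user"}
MSG_TI = {"ip_src_addr": "192.168.1.1",
          "threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip": "alert"}

if __name__ == "__main__":
    for label, msg in [("admin", MSG_ADMIN), ("benign", MSG_BENIGN), ("ti", MSG_TI)]:
        for agg in AGGREGATORS:
            print(label, agg, triage(msg, TRIAGE, agg))
```

With MAX, the admin message scores 20 because two rules match (10 and 20) and only the larger survives; switching the same rules to MEAN gives 15, which is why the choice of aggregator changes how many low-scoring rules it takes to push a message over an alerting threshold. The benign message matches nothing and gets no score rather than 0.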