Enrichment and Threat Intelligence
We will set a threat triage level of 10 if a message generates an outlier score of more than 3.5. This cutoff will depend on your data and should be adjusted based on the assumed underlying distribution. Note that under the assumption of normality, MAD acts as a robust estimator of the standard deviation, so the cutoff can be read as the number of standard deviations away from the median. For other distributions there are other interpretations which make sense in the context of measuring the "degree different". See http://eurekastatistics.com/using-the-median-absolute-deviation-to-find-outliers/ for a brief discussion of this.
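The following is an added worked example, not code from the Metron project, showing what the enrichment and triage above compute: a MAD-based outlier score against a window of observations, the 3.5 cutoff applied to set is_alert, and the riskLevelRules evaluated with a MAX aggregator. It assumes the usual 1.4826 consistency constant so that the score is expressed in estimated standard deviations (the page only states that MAD is a robust estimator of sigma under normality, not the exact scaling Stellar applies), and it stands in for PROFILE_GET / OUTLIER_MAD_STATE_MERGE with a plain list of constructed values.

```python
import statistics

# Assumed scaling: for normally distributed data, MAD * 1.4826 estimates
# the standard deviation, so score == "number of sigmas from the median".
MAD_TO_SIGMA = 1.4826
CUTOFF = 3.5          # the threshold used in both the enrichment and the triage rule
TRIAGE_SCORE = 10     # "score" in riskLevelRules

# Constructed sample window standing in for the 'sketchy_mad' profile state.
WINDOW = [10, 11, 9, 10, 12, 10, 11, 9, 10, 11]


def mad_state(values):
    """Summarise a window as (median, MAD); the analogue of the merged profile state."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med, mad


def mad_score(state, value):
    """Robust distance of `value` from the window median, in estimated sigmas."""
    med, mad = state
    if mad == 0:
        # Degenerate window (all values identical): an exact match is not
        # surprising at all; anything else is infinitely surprising.
        return 0.0 if value == med else float("inf")
    return abs(value - med) / (mad * MAD_TO_SIGMA)


def enrich(message, state, cutoff=CUTOFF):
    """Mirror the stellar enrichment block: add parser_score, then set is_alert
    to true above the cutoff and otherwise leave any existing is_alert alone."""
    score = mad_score(state, message["value"])
    enriched = dict(message)
    enriched["parser_score"] = score
    enriched["is_alert"] = True if score > cutoff else message.get("is_alert", False)
    return enriched


def triage(enriched, cutoff=CUTOFF):
    """Mirror triageConfig: evaluate each riskLevelRule, aggregate with MAX."""
    rule_scores = []
    if enriched["parser_score"] > cutoff:          # rule: parser_score > 3.5
        rule_scores.append(TRIAGE_SCORE)
    return max(rule_scores) if rule_scores else 0


def process(value, window=WINDOW):
    """Run one message through enrichment and triage; returns (score, is_alert, risk)."""
    enriched = enrich({"value": value}, mad_state(window))
    return enriched["parser_score"], enriched["is_alert"], triage(enriched)


if __name__ == "__main__":
    for v in (10, 15, 16):
        score, is_alert, risk = process(v)
        print(f"value={v:>3}  parser_score={score:.3f}  is_alert={is_alert}  risk={risk}")
```

With the constructed window (median 10, MAD 1) a value of 15 scores about 3.37 and is not alerted, while 16 scores about 4.05, sets is_alert and receives a triage level of 10; lowering or raising CUTOFF is the knob the text refers to when it says the threshold depends on your data.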
Create the following in $METRON_HOME/config/zookeeper/enrichments/mad.json:

{
  "enrichment": {
    "fieldMap": {
      "stellar": {
        "config": {
          "parser_score": "OUTLIER_MAD_SCORE(OUTLIER_MAD_STATE_MERGE( PROFILE_GET( 'sketchy_mad', 'global', PROFILE_FIXED(10, 'MINUTES')) ), value)",
          "is_alert": "if parser_score > 3.5 then true else is_alert"
        }
      }
    },
    "fieldToTypeMap": { }
  },
  "threatIntel": {
    "fieldMap": { },
    "fieldToTypeMap": { },
    "triageConfig": {
      "riskLevelRules": [
        {
          "rule": "parser_score > 3.5",
          "score": 10
        }
      ],
      "aggregator": "MAX"
    }
  }
}