Enrichment and Threat Intelligence
We will set a threat triage level of 10
if a message generates a
outlier score of more than 3.5. This cutoff will depend on your data and should be adjusted
based on the assumed underlying distribution. Note that under the assumptions of normality, MAD
will act as a robust estimator of the standard deviation, so the cutoff should be considered the
number of standard deviations away.
For other distributions, there are other interpretations which will make sense in the context of measuring the "degree different".
Create the following in
$METRON_HOME/config/zookeeper/enrichments/mad.json
:
{ "enrichment": { "fieldMap": { "stellar" : { "config" : { "parser_score" : "OUTLIER_MAD_SCORE(OUTLIER_MAD_STATE_MERGE( PROFILE_GET( 'sketchy_mad', 'global', PROFILE_FIXED(10, 'MINUTES')) ), value)" ,"is_alert" : "if parser_score > 3.5 then true else is_alert" } } } ,"fieldToTypeMap": { } }, "threatIntel": { "fieldMap": { }, "fieldToTypeMap": { }, "triageConfig" : { "riskLevelRules" : [ { "rule" : "parser_score > 3.5", "score" : 10 } ], "aggregator" : "MAX" } } }