Project: Metron (Retired)
Issue: METRON-701

Triage Metrics Produced by the Profiler


Details

    • Type: Improvement
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 0.3.1
    • Fix Version/s: 0.4.0

    Description

      Problem

      The motivating example is that I would like to create an alert if the number of inbound flows to any host over a 15 minute interval is abnormal.

      The value being interrogated here, the number of inbound flows, is not a static value contained within any single telemetry message. This value is calculated across multiple messages by the Profiler. The current Threat Triage process cannot be used to interrogate values calculated by the Profiler.

      Proposed Solution

      I am proposing that we treat the Profiler as a source of telemetry. The measurements captured by the Profiler would be enqueued into a Kafka topic. We would then treat those Profiler messages like any other telemetry. We would parse, enrich, triage, and index those messages.

      This would have the following advantages.

      1. We would be able to reuse the same threat triage mechanism for values calculated by the Profiler.

      2. We would be able to generate profiles from the profiled data - aka meta-profiles anyone?
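The pipeline the proposal sketches (Profiler measurement on a Kafka topic, then parse, enrich, triage) can be simulated end to end in a few lines. The following is an added example written for this page, not Metron project code: the message schema (`profile`, `entity`, `period_start`, `value`), the profile name `inbound_flows`, the baseline window and the alert threshold are all assumptions chosen for illustration. The triage rule scores the current 15-minute count against a robust baseline (median plus median absolute deviation) of the host's previous periods, which is one way to make "abnormal" concrete.

```python
"""Added example (not Metron project code): treat Profiler output as telemetry
and run a triage rule over it. Message schema, profile name, window size and
threshold are assumptions for illustration only."""
import json
import statistics
from typing import Dict, List, Optional

PERIOD_MS = 15 * 60 * 1000  # 15-minute profile period, as in the motivating example


def _msg(entity: str, period_index: int, value: int) -> str:
    """Build one constructed Profiler record as it might sit on a Kafka topic
    (one JSON message per profile, entity and period). Schema is assumed."""
    return json.dumps({
        "profile": "inbound_flows",
        "entity": entity,
        "period_start": 1490000000000 + period_index * PERIOD_MS,
        "value": value,
    })


# Constructed sample input: one host with a stable history and a final spike,
# and a second host with too little history to score.
SAMPLE_PROFILER_MESSAGES: List[str] = (
    [_msg("10.0.0.5", i, v) for i, v in enumerate([12, 14, 13, 15, 12, 14, 13, 11, 90])]
    + [_msg("10.0.0.9", i, v) for i, v in enumerate([40, 38, 41])]
)


def parse_profiler_message(raw: str) -> Dict:
    """Parse step: turn the raw Kafka record into a normalized telemetry message,
    rejecting records that lack the fields the later steps depend on."""
    msg = json.loads(raw)
    for field in ("profile", "entity", "period_start", "value"):
        if field not in msg:
            raise ValueError(f"profiler message missing '{field}'")
    return {
        "source.type": "profiler",  # the Profiler is just another telemetry source
        "timestamp": int(msg["period_start"]) + PERIOD_MS,
        "profile": msg["profile"],
        "entity": msg["entity"],
        "value": float(msg["value"]),
    }


def enrich_with_history(msg: Dict, history: Dict[str, List[float]], window: int = 8) -> Dict:
    """Enrich step: attach the entity's most recent values (up to `window`
    periods) so the triage rule can compare against a baseline, then record
    the current value for future messages."""
    key = f"{msg['profile']}:{msg['entity']}"
    baseline = list(history.get(key, []))[-window:]
    enriched = dict(msg, baseline=baseline)
    history.setdefault(key, []).append(msg["value"])
    return enriched


def triage_inbound_flows(msg: Dict, min_history: int = 4, k: float = 3.0) -> Optional[Dict]:
    """Triage step: score the current count against a median/MAD baseline.
    MAD is used instead of the standard deviation so one earlier spike does not
    mask the next one. Returns an alert dict, or None when nothing is alertable.
    A MAD of zero (flat history) is floored to 1.0, an assumed choice."""
    if msg["profile"] != "inbound_flows" or len(msg["baseline"]) < min_history:
        return None
    median = statistics.median(msg["baseline"])
    mad = statistics.median(abs(v - median) for v in msg["baseline"]) or 1.0
    score = (msg["value"] - median) / (1.4826 * mad)  # 1.4826 scales MAD to sigma for normal data
    if score > k:
        return {
            "rule": "abnormal_inbound_flows",
            "entity": msg["entity"],
            "value": msg["value"],
            "baseline_median": median,
            "score": round(score, 2),
        }
    return None


def run_pipeline(raw_messages: List[str]) -> List[Dict]:
    """Run parse -> enrich -> triage over the records in topic order and return
    the alerts; in the proposal these would then go on to be indexed."""
    history: Dict[str, List[float]] = {}
    alerts: List[Dict] = []
    for raw in raw_messages:
        msg = enrich_with_history(parse_profiler_message(raw), history)
        alert = triage_inbound_flows(msg)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_PROFILER_MESSAGES):
        print(json.dumps(alert))
```

Only the last period for 10.0.0.5 (90 flows against a median of 13) produces an alert; 10.0.0.9 never reaches the minimum history and is skipped, which is the kind of cold-start case a real rule needs to decide on explicitly.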

People

  Assignee: Nick Allen (nickwallen)
  Reporter: Nick Allen (nickwallen)