Understanding Enrichment
Also available as:
PDF

Using Stellar to Set up Threat Triage Configurations

The threat triage configuration defines conditions by associating them with scores.

Because this is a per-sensor configuration, this fits the sensor enrichment configuration held in ZooKeeper. This configuration fits within the threatIntel section of the configuration like so:

{
  ...
  ,"threatIntel" : {
            ...
           , "triageConfig" : {
                     "riskLevelRules" : {
                                 "condition1" : level1
                               , "condition2" : level2
                                  ...
                                        }
                     ,"aggregator" : "MAX"
                             }
                  }
}
riskLevelRules

Correspond to the set of condition to numeric level mappings that define the threat triage for this particular sensor.

aggregator

An aggregation function that takes all non-zero scores representing the matching queries from riskLevelRules and aggregates them into a single score.

The current supported aggregation functions are:

MAX

The maximum of all of the associated values for matching queries

MIN

The minimum of all of the associated values for matching queries

MEAN

The mean of all of the associated values for matching queries

POSITIVE_MEAN

The mean of the positive associated values for the matching queries