[ 
https://issues.apache.org/jira/browse/METRON-170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Sirota updated METRON-170:
--------------------------------
    Labels: ForwardLookingEpic elasticsearch hive ruleengine rules solr spark  
(was: elasticsearch hive ruleengine rules solr spark)

> Ability for metron users to author rules (Queries) to generate alerts without 
> deploying code (Batch Rules Engine)
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: METRON-170
>                 URL: https://issues.apache.org/jira/browse/METRON-170
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Zafer Bilaloglu
>            Priority: Critical
>              Labels: ForwardLookingEpic, elasticsearch, hive, ruleengine, 
> rules, solr, spark
>   Original Estimate: 500h
>  Remaining Estimate: 500h
>
> The primary purpose for a rules engine for Apache Metron would be to allow 
> Metron users to author rules that then generate alerts for SOC analysts to 
> investigate. Typical enterprises have hundreds of rules (dozens for each data 
> source) and need the flexibility to alter rules as needed without deploying 
> code to production. Rules would run on a schedule in batch mode and perform a 
> predefined action such as generating an alert.
> Here are some example rules we'd like to be able to run in metron with the 
> rule syntax written in SQL:
> | Rule Description | Rule Syntax | Schedule |
> | McAfee ePO log entry notifies us a malware delete failed | Select * from mcafee where event_description = 'Malware Delete Failed' | Run every 5 minutes over the new data in the previous 5 minutes. |
> | Multiple malware events for a single user within a short period of time | Select count(*) as avcount, user from mcafee where category like 'av.%' group by user, dest_ip, os having count(*) > 8 | Run every 60 minutes over the previous 60 minutes. |
> Users should have a front end to author rules, decide on a schedule, and 
> configure an alert priority, rule description, and the action to 
> perform(alert, e:
> Here is a sample mockup:
> !http://i.imgur.com/0sbNXPp.png!
> The batch rules engine would fire recurring queries against data at rest in 
> one of the existing Metron datastores (Solr, Hive, Elasticsearch) and would 
> then perform a predefined action such as generating an alert, running a script 
> (python), or kicking off packet capture.
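The following is an added example of the batch rules engine the issue describes; it is not Metron project code. Rules are authored as data (SQL plus a schedule window, priority and action), each scheduled run queries only the events in its lookback window, and every matching row or aggregated group becomes an alert. sqlite3 stands in for the data-at-rest store (Hive, Solr or Elasticsearch), the `mcafee` table columns and the sample events are constructed for the example, and the `:win_start`/`:win_end` window parameters are an assumption about how a rule would be bound to its schedule.

```python
"""Batch rules engine sketch: SQL rules on a schedule over data at rest.

Added example, not Apache Metron code. sqlite3 stands in for the datastore;
the table layout, rule binding (:win_start/:win_end) and events are assumed.
"""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Rule:
    """A rule authored as data: changing it needs no code deploy."""
    description: str
    sql: str             # may use :win_start / :win_end (epoch seconds)
    window_minutes: int  # run every N minutes over the previous N minutes
    priority: str
    action: str          # "alert", "script", "pcap"; only "alert" modelled here


# Rules as a user would author them in a front end (assumed rule shape).
RULES = [
    Rule(
        "McAfee ePO log entry notifies us a malware delete failed",
        "SELECT * FROM mcafee "
        "WHERE event_description = 'Malware Delete Failed' "
        "AND ts > :win_start AND ts <= :win_end",
        window_minutes=5, priority="HIGH", action="alert",
    ),
    Rule(
        "Multiple malware events for a single user within a short period",
        "SELECT user, dest_ip, os, COUNT(*) AS avcount FROM mcafee "
        "WHERE category LIKE 'av.%' AND ts > :win_start AND ts <= :win_end "
        "GROUP BY user, dest_ip, os HAVING COUNT(*) > 8",
        window_minutes=60, priority="CRITICAL", action="alert",
    ),
]

NOW = datetime(2016, 4, 1, 12, 0, tzinfo=timezone.utc)  # constructed run time


def _ago(minutes):
    return int((NOW - timedelta(minutes=minutes)).timestamp())


# Constructed sample events; not real McAfee ePO data.
SAMPLE_EVENTS = [
    # (ts, user, dest_ip, os, category, event_description)
    (_ago(2), "alice", "10.0.0.5", "win10", "av.detect", "Malware Delete Failed"),
    (_ago(3), "bob", "10.0.0.6", "win7", "sys.update", "Agent Updated"),
    (_ago(9), "bob", "10.0.0.6", "win7", "av.detect", "Malware Delete Failed"),
    (_ago(70), "carol", "10.0.0.7", "win10", "av.detect", "Malware Delete Failed"),
] + [
    (_ago(m), "bob", "10.0.0.6", "win7", "av.clean", "Malware Cleaned")
    for m in range(15, 55, 5)  # 8 more bob AV events, 15..50 minutes ago
]


def load_store(events):
    """In-memory sqlite3 table playing the role of Hive/Solr/Elasticsearch."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE mcafee (ts INTEGER, user TEXT, dest_ip TEXT, "
                 "os TEXT, category TEXT, event_description TEXT)")
    conn.executemany("INSERT INTO mcafee VALUES (?,?,?,?,?,?)", events)
    return conn


def run_rule(conn, rule, now):
    """One scheduled tick of one rule: bind the lookback window to the query
    and turn each returned row (or aggregated group) into an alert record."""
    win_end = int(now.timestamp())
    params = {"win_start": win_end - rule.window_minutes * 60, "win_end": win_end}
    return [
        {
            "rule": rule.description,
            "priority": rule.priority,
            "action": rule.action,
            "user": row["user"],
            "match": dict(row),
        }
        for row in conn.execute(rule.sql, params)
    ]


def run_batch(events, rules, now=NOW):
    """Fire every rule once, as the scheduler would at time `now`."""
    conn = load_store(events)
    try:
        return [a for rule in rules for a in run_rule(conn, rule, now)]
    finally:
        conn.close()


if __name__ == "__main__":
    for alert in run_batch(SAMPLE_EVENTS, RULES):
        print(alert["priority"], alert["rule"], "->", alert["user"])
```

At the constructed run time the first rule fires only for alice (bob's delete failure is 9 minutes old, outside the 5-minute window) and the second fires once for bob, whose nine `av.*` events in the hour exceed the threshold; ten minutes later neither rule matches, because the oldest of bob's events has aged out of the 60-minute window. The window bounds are bound as query parameters rather than pasted into the SQL so that a rule author controls the predicate and the scheduler controls the time range.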



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
