[ https://issues.apache.org/jira/browse/METRON-170?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Sirota updated METRON-170:
--------------------------------
    Labels: ForwardLookingEpic elasticsearch hive ruleengine rules solr spark  (was: elasticsearch hive ruleengine rules solr spark)

> Ability for metron users to author rules (Queries) to generate alerts without deploying code (Batch Rules Engine)
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: METRON-170
>                 URL: https://issues.apache.org/jira/browse/METRON-170
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Zafer Bilaloglu
>            Priority: Critical
>              Labels: ForwardLookingEpic, elasticsearch, hive, ruleengine, rules, solr, spark
>   Original Estimate: 500h
>  Remaining Estimate: 500h
>
> The primary purpose for a rules engine for Apache Metron would be to allow Metron users to author rules that then generate alerts for SOC analysts to investigate. Typical enterprises have hundreds of rules (dozens for each data source) and need the flexibility to alter rules as needed without deploying code to production. Rules would run on a schedule in batch mode and perform a predefined action such as generating an alert.
>
> Here are some example rules we'd like to be able to run in metron, with the rule syntax written in SQL:
>
> | Rule Description | Rule Syntax | Schedule |
> | McAfee ePO log entry notifies us a malware delete failed | SELECT * FROM mcafee WHERE event_description = 'Malware Delete Failed' | Run every 5 minutes, for new data in the previous 5 minutes |
> | Multiple malware events for a single user within a short period of time | SELECT COUNT(*) AS avcount, user FROM mcafee WHERE category LIKE 'av.%' GROUP BY user, dest_ip, os HAVING COUNT(*) > 8 | Run every 60 minutes for the previous 60 minutes |
>
> Users should have a front end to author rules, decide on a schedule, and configure an alert priority, rule description, and the action to perform (alert, e:
>
> Here is a sample mockup:
>
> !http://i.imgur.com/0sbNXPp.png!
>
> The batch rules engine would fire recurring queries against data at rest in one of the existing Metron datastores (Solr, Hive, Elasticsearch) that will then perform a predefined action such as generating an alert, running a script (python), or kicking off packet capture.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
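The ticket describes the engine only in prose: SQL rules, each with a schedule window and an action, run in batch over data at rest. The following is an added example written for this page, not code from Apache Metron or from the ticket's author. It evaluates the two example rules from the ticket over a sliding time window of constructed McAfee-style events held in SQLite, and returns alert records instead of writing them anywhere. The table name `mcafee` and the columns `event_description`, `user`, `dest_ip`, `os` and `category` come from the ticket; the `event_time` column, the `:window_start`/`:window_end` parameters, the `Rule` dataclass and the SELECT-only guard are assumptions made for the example. The second rule is written with `HAVING` for the aggregate threshold, since a `WHERE` after `GROUP BY` is not valid SQL.

```python
"""Minimal batch rules engine (added example; not part of Apache Metron).

Each Rule is a SELECT over the event store plus a look-back window in
minutes. run_batch() evaluates every rule against events whose event_time
falls inside [now - window, now) and turns each result row into an alert.
"""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    description: str
    sql: str            # SELECT only; the window is bound via :window_start / :window_end
    window_minutes: int
    priority: str
    action: str = "alert"


# The two example rules from the ticket, with an explicit time-window predicate
# so that each scheduled run only considers its own look-back period.
RULES = [
    Rule("McAfee ePO log entry notifies us a malware delete failed",
         "SELECT event_time, user, dest_ip, event_description FROM mcafee "
         "WHERE event_description = 'Malware Delete Failed' "
         "AND event_time >= :window_start AND event_time < :window_end",
         window_minutes=5, priority="high"),
    Rule("Multiple malware events for a single user within a short period of time",
         "SELECT user, dest_ip, os, COUNT(*) AS avcount FROM mcafee "
         "WHERE category LIKE 'av.%' "
         "AND event_time >= :window_start AND event_time < :window_end "
         "GROUP BY user, dest_ip, os HAVING COUNT(*) > 8",
         window_minutes=60, priority="critical"),
]


def load_sample_events(conn, now):
    """Constructed sample data (not real McAfee ePO output); event_time is assumed."""
    conn.execute("CREATE TABLE mcafee (event_time TEXT, user TEXT, dest_ip TEXT, "
                 "os TEXT, category TEXT, event_description TEXT)")
    rows = []
    # One delete failure 2 minutes ago: inside the 5-minute window of rule 1.
    rows.append(((now - timedelta(minutes=2)).isoformat(), "alice", "10.0.0.5",
                 "win10", "av.detect", "Malware Delete Failed"))
    # One delete failure 30 minutes ago: outside rule 1's window, so no alert.
    rows.append(((now - timedelta(minutes=30)).isoformat(), "bob", "10.0.0.6",
                 "win10", "av.detect", "Malware Delete Failed"))
    # Nine AV events for carol in the last hour: exceeds rule 2's threshold of 8.
    for i in range(9):
        rows.append(((now - timedelta(minutes=5 * i + 1)).isoformat(), "carol",
                     "10.0.0.7", "win7", "av.quarantine", "Malware Quarantined"))
    # Three AV events for dave: below the threshold.
    for i in range(3):
        rows.append(((now - timedelta(minutes=10 * i + 1)).isoformat(), "dave",
                     "10.0.0.8", "win7", "av.quarantine", "Malware Quarantined"))
    conn.executemany("INSERT INTO mcafee VALUES (?,?,?,?,?,?)", rows)


def run_rule(conn, rule, now):
    """Evaluate one rule over its look-back window; return result rows as dicts."""
    # Rules are user-authored text, so refuse anything that is not a read-only SELECT.
    if not rule.sql.lstrip().upper().startswith("SELECT"):
        raise ValueError("rules may only be SELECT statements")
    window_start = (now - timedelta(minutes=rule.window_minutes)).isoformat()
    cur = conn.execute(rule.sql, {"window_start": window_start,
                                  "window_end": now.isoformat()})
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def run_batch(conn, rules, now):
    """One scheduled run: every matching row becomes an alert record."""
    alerts = []
    for rule in rules:
        for hit in run_rule(conn, rule, now):
            alerts.append({"rule": rule.description, "priority": rule.priority,
                           "action": rule.action, "match": hit})
    return alerts


def demo():
    """Load the constructed events and run one batch at a fixed 'now'."""
    now = datetime(2016, 4, 1, 12, 0, 0)          # fixed clock so the run is reproducible
    conn = sqlite3.connect(":memory:")
    load_sample_events(conn, now)
    return run_batch(conn, RULES, now)


if __name__ == "__main__":
    for alert in demo():
        print(alert["priority"], "|", alert["rule"], "|", alert["match"])
```

Running `demo()` yields two alerts: one from the first rule for alice's recent delete failure (bob's is outside the 5-minute window) and one from the second rule for carol with `avcount` 9. In a real deployment the scheduler would replace the fixed `now` with the wall clock and the in-memory SQLite store with the datastore the ticket names; the window predicate is what keeps a 5-minute rule from re-alerting on the same rows every run.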