[ https://issues.apache.org/jira/browse/METRON-701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854353#comment-15854353 ]
Nick Allen commented on METRON-701:
-----------------------------------

The primary tasks for this JIRA include the following.
# Write Profile Measurements to Kafka (in addition to HBase)
# Consume Profile Measurements as an additional source of telemetry
# Create a mechanism to prevent infinite looping of the Profile Measurements

> Triage Metrics Produced by the Profiler
> ---------------------------------------
>
> Key: METRON-701
> URL: https://issues.apache.org/jira/browse/METRON-701
> Project: Metron
> Issue Type: Improvement
> Reporter: Nick Allen
> Assignee: Nick Allen
>
> h3. Problem
> The motivating example is that I would like to create an alert if the number
> of inbound flows to any host over a 15 minute interval is abnormal.
> The value being interrogated here, the number of inbound flows, is not a
> static value contained within any single telemetry message. This value is
> calculated across multiple messages by the Profiler. The current Threat
> Triage process cannot be used to interrogate values calculated by the
> Profiler.
> h3. Proposed Solution
> I am proposing that we treat the Profiler as a source of telemetry. The
> measurements captured by the Profiler would be enqueued into a Kafka topic.
> We would then treat those Profiler messages like any other telemetry. We
> would parse, enrich, triage, and index those messages.
> This would have the following advantages.
> 1. We would be able to reuse the same threat triage mechanism for values
> calculated by the Profiler.
> 2. We would be able to generate profiles from the profiled data - aka
> meta-profiles anyone?

--
This message was sent by Atlassian JIRA (v6.3.15#6346)