That's correct that it's the last step. Honestly, the threat triage functions were added prior to Stellar really being a thing. We should allow arbitrary Stellar statements in there rather than a fixed approach, so it's pluggable.

On Thu, Jun 22, 2017 at 3:50 AM, Ali Nazemian <alinazem...@gmail.com> wrote:
> Hi all,
>
> I know there are four different Threat Triage aggregation functions we can
> use for the case of triggering multiple rules. These functions are "max",
> "min", "mean", "positive mean". I was wondering whether there is any way I
> can implement the following logic with the Threat Triage functions for a
> non-deterministic score.
>
> In the case that a specific rule is triggered, I want to boost the final
> result of Threat Triage score with a specific value. For example +20 to the
> score or multiply that by a specific value!
>
> Threat Triage is the last bolt in enrichment topology so it seems I cannot
> have any additional enrichment/transformation based on the score value. Is
> that right?
>
> Regards,
> Ali