Project

General

Profile

Actions

Feature #5752

closed

Reporting based on event class knowledge

Added by Pavel Kácha about 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jan Žerdík
Category:
Development - Core
Target version:
Start date:
08/29/2019
Due date:
% Done:

0%

Estimated time:
To be discussed:
No

Description

Leverage class knowledge for specific class parts in reports. Will need to add template mechanism and suitable templates for separate class parts in reports. Will need to consider txt/html versions and translations. May be opportune to implement at least basic #5751 first.

Reasoning: we have events sorted into more detailed "classes", see CESNET-CERTS web. However, report templates are formatted the same way for all the events, so important information (for example phishing URL) stays hidden in the Idea data.


Related issues

Related to Mentat - Feature #5751: Consolidate event class configurationClosedJan Žerdík08/29/2019

Actions
Actions #1

Updated by Pavel Kácha about 3 years ago

  • Related to Feature #5751: Consolidate event class configuration added
Actions #2

Updated by Pavel Kácha almost 3 years ago

Notes from talks and meetings:

  • shorten dates (timezone, year) for narrower columns
  • add number of unique detectors, possibly into event count column like DetCnt/EvtCnt
  • fold ConnCount and FlowCount into approximate connection count column, where crude guess of missing ConnCount = FlowCount/2
  • Add ACCcount and PacketCount into anomaly-traffic.
  • Unify all Proto columns into case_insensitive_uniq(Source.*.Proto + Target.*.Proto).
  • Domain and dns are the same protocol (in fact, dns is an error of some detectors and should be coerced to domain), so Proto in vulnerable-config-domain can be removed (as in other vunerables).
  • Consider multiple rows of header in text version. (Possible problem with linebreaking in Jinja and/or translation, so just for consideration.)
Actions #3

Updated by Pavel Kácha over 2 years ago

  • Status changed from New to Closed

In fact all done within #5751, closing.

Actions #4

Updated by Jan Mach over 2 years ago

  • Target version changed from Backlog to 2.6
Actions

Also available in: Atom PDF