Feature #5752
closed
Reporting based on event class knowledge
Added by Pavel Kácha about 5 years ago.
Updated almost 5 years ago.
Category: Development - Core
Description
Leverage class knowledge for specific class parts in reports. Will need to add template mechanism and suitable templates for separate class parts in reports. Will need to consider txt/html versions and translations. May be opportune to implement at least basic #5751 first.
Reasoning: we have events sorted into more detailed "classes", see CESNET-CERTS web. However, report templates are formatted the same way for all the events, so important information (for example phishing URL) stays hidden in the Idea data.
- Related to Feature #5751: Consolidate event class configuration added
Notes from talks and meetings:
- shorten dates (timezone, year) for narrower columns
- add number of unique detectors, possibly into event count column like DetCnt/EvtCnt
- fold ConnCount and FlowCount into approximate connection count column, where crude guess of missing ConnCount = FlowCount/2
- Add ACCcount and PacketCount into anomaly-traffic.
- Unify all Proto columns into case_insensitive_uniq(Source.*.Proto + Target.*.Proto).
- Domain and dns are the same protocol (in fact, dns is an error of some detectors and should be coerced to domain), so Proto in vulnerable-config-domain can be removed (as in other vulnerables).
- Consider multiple rows of header in text version. (Possible problem with linebreaking in Jinja and/or translation, so just for consideration.)
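The column rules from the notes above (approximate connection count with the FlowCount/2 guess, the DetCnt/EvtCnt column, and the case-insensitive unique Proto column with dns coerced to domain), as an added example that is not Mentat's own code; the IDEA events and detector names are constructed.

```python
"""Derived report columns from IDEA events, following the notes above.
Added example, not Mentat's own code; the sample events are constructed."""


def approx_conn_count(event):
    """Approximate connection count: sum ConnCount over Source/Target nodes,
    guessing FlowCount // 2 where ConnCount is missing (crude, per the notes)."""
    total = 0
    for side in ("Source", "Target"):
        for node in event.get(side, []):
            if "ConnCount" in node:
                total += node["ConnCount"]
            elif "FlowCount" in node:
                total += node["FlowCount"] // 2
    return total


def uniq_protos(event):
    """case_insensitive_uniq(Source.*.Proto + Target.*.Proto), first-seen order;
    'dns' is a detector error and is coerced to 'domain'."""
    seen = []
    for side in ("Source", "Target"):
        for node in event.get(side, []):
            for proto in node.get("Proto", []):
                proto = "domain" if proto.lower() == "dns" else proto.lower()
                if proto not in seen:
                    seen.append(proto)
    return seen


def det_evt_count(events):
    """'DetCnt/EvtCnt' column: unique detector names (Node[0].Name) / events."""
    detectors = {ev["Node"][0]["Name"] for ev in events if ev.get("Node")}
    return "%d/%d" % (len(detectors), len(events))


# Constructed sample events (documentation IP ranges), not real detector output.
SAMPLE_EVENTS = [
    {"ID": "ev-1", "Node": [{"Name": "org.example.det.a"}],
     "Source": [{"IP4": ["192.0.2.10"], "Proto": ["tcp", "ssh"], "FlowCount": 9}],
     "Target": [{"IP4": ["198.51.100.5"], "Proto": ["TCP", "SSH"], "ConnCount": 4}]},
    {"ID": "ev-2", "Node": [{"Name": "org.example.det.b"}],
     "Source": [{"IP4": ["192.0.2.11"], "Proto": ["udp", "dns"]}],
     "Target": [{"IP4": ["198.51.100.6"], "Proto": ["UDP", "domain"]}]},
    {"ID": "ev-3", "Node": [{"Name": "org.example.det.a"}],
     "Source": [{"IP4": ["192.0.2.12"]}]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ID"], approx_conn_count(ev), uniq_protos(ev))
    print("DetCnt/EvtCnt:", det_evt_count(SAMPLE_EVENTS))
```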
- Status changed from New to Closed
In fact all done within #5751, closing.
- Target version changed from Backlog to 2.6