- Review Platform and UI Requirements for Metron
Need to come up with Taxonomy for Metron so everyone is speaking the same language. Need to finalize and define terms such as:
For Rackspace, multi-tenancy requirements will be key. They will have multiple customers using shared infrastructure where data will need to flow into a single Metron cluster. So being able to identify an event associated with a specific customer are critical.
Different Personas of the users of the system include:
Junior Security Analyst
Senior Security Analyst
Customer Facing / Executives
Alerting Management Requirements
Suppress an Alert Temporarily and time based (suppress for 24 hours)
Suppress an Alert Permanently
Need examples of correlation and SIEM rules
Ability to search, pivot and build complex queries via UI (pivoting and clicking) will be important. E.g: Select a "Watchlisted Threat Alert", then click on Details, Select Destination Souce --> Right click and do Search as Source IP --> executes a Search
Approach to Requirements and Design
For Legacy SIM functionality --> Start with UI requirements and drive platform requirement
For Next Analytical functionality --> Start with Analytics and then drive UI requirement
Need to create Customer Survey and send to SOC teams to collect and prioritize requirements
From requirements, create some wireframes
With wireframes, conduct "interviews" with various SOC teams with wireframes
Iterate on requirements and wireframes.
George: Send out meeting minutes.
George: Send out shared doc for Customer Survey
George: Schedule weekly Requirements meeting invite every Thursday from 9 CST - 10:30 CST
Noreen and Oskar: Meet on UI and Customer Survey , start wireframes and then publish out meeting minutes to apache metron dev team