• Review Platform and UI Requirements for Metron

Discussion items

  1. Need to come up with Taxonomy for Metron so everyone is speaking the same language. Need to finalize and define terms such as: 

    1. Event 

    2. Alert 

    3. Incident 

    4. Asset 

    5. Risk 

    6. Threat 

    7. Urgency 

  2. For Rackspace, multi-tenancy requirements will be key. They will have multiple customers using shared infrastructure where data will need to flow into a single Metron cluster. So being able to identify an event associated with a specific customer is critical. 

  3. Different Personas of the users of the system include: 

    1. Junior Security Analyst 

    2. Senior Security Analyst 

    3. Admin 

    4. Customer Facing / Executives 

  4. Alerting Management Requirements 

    1. Suppress an Alert Temporarily and time based (suppress for 24 hours) 

    2. Suppress an Alert Permanently 

  5. Need examples of correlation and SIEM rules 

  6. Ability to search, pivot and build complex queries via UI (pivoting and clicking) will be important. E.g.: Select a "Watchlisted Threat Alert", then click on Details, Select Destination Source --> Right click and do Search as Source IP --> executes a Search 

  7. Approach to Requirements and Design 

    1. For Legacy SIM functionality --> Start with UI requirements and drive platform requirement 

    2. For Next Analytical functionality --> Start with Analytics and then drive UI requirement 

  8. What Next? 

    1. Need to create Customer Survey and send to SOC teams to collect and prioritize requirements 

    2. From requirements, create some wireframes 

    3. Using the wireframes, conduct "interviews" with various SOC teams 

    4. Iterate on requirements and wireframes. 
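Items 2 and 4 above state requirements rather than a design. As an added illustration (written for these notes, not Metron's own code and not from the meeting), the following Python sketch shows one way the two could fit together: every alert carries a per-customer identifier (assumed here as a `tenant` field), suppressions are keyed per tenant so one customer's 24-hour or permanent suppression never hides the same alert for another customer sharing the cluster, and temporary entries lapse on their own. All field names, rule names and sample alerts are constructed.

```python
"""Tenant-scoped alert suppression: temporary (time-based) and permanent.

Constructed illustration for the requirements discussion above; not Metron code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample alerts. The "tenant" field is an assumption: it stands in
# for whatever per-customer identifier the multi-tenancy requirement settles on.
SAMPLE_ALERTS: List[dict] = [
    {"tenant": "cust-a", "rule": "watchlist_hit", "source_ip": "10.1.1.5"},
    {"tenant": "cust-b", "rule": "watchlist_hit", "source_ip": "10.1.1.5"},
    {"tenant": "cust-a", "rule": "port_scan", "source_ip": "10.1.1.9"},
    {"rule": "port_scan", "source_ip": "10.2.2.2"},  # no tenant: must be rejected
]

Key = Tuple[str, str, str]  # (tenant, rule, source_ip)


@dataclass
class Suppression:
    # None means permanent; otherwise the instant at which the suppression lapses.
    expires_at: Optional[datetime]
    reason: str


class SuppressionList:
    """Suppressions are keyed per tenant, so a decision made for one customer
    never hides alerts belonging to another customer on the shared cluster."""

    def __init__(self) -> None:
        self._entries: Dict[Key, Suppression] = {}

    @staticmethod
    def key(alert: dict) -> Key:
        return (alert["tenant"], alert["rule"], alert["source_ip"])

    def suppress_temporarily(self, alert: dict, hours: int, now: datetime, reason: str) -> None:
        # Requirement 4.1: time-based suppression, e.g. 24 hours.
        self._entries[self.key(alert)] = Suppression(now + timedelta(hours=hours), reason)

    def suppress_permanently(self, alert: dict, reason: str) -> None:
        # Requirement 4.2: permanent suppression.
        self._entries[self.key(alert)] = Suppression(None, reason)

    def is_suppressed(self, alert: dict, now: datetime) -> bool:
        entry = self._entries.get(self.key(alert))
        if entry is None:
            return False
        if entry.expires_at is None:
            return True
        if now >= entry.expires_at:
            # Lapsed: prune it so the alert surfaces again and the list stays small.
            del self._entries[self.key(alert)]
            return False
        return True

    def active_count(self) -> int:
        return len(self._entries)


def triage(alerts: List[dict], suppressions: SuppressionList, now: datetime):
    """Split alerts into (active, suppressed, rejected).

    An alert with no tenant cannot be attributed to a customer, so it is
    rejected rather than silently shown to everyone or to no one."""
    active, suppressed, rejected = [], [], []
    for alert in alerts:
        if not alert.get("tenant"):
            rejected.append(alert)
            continue
        (suppressed if suppressions.is_suppressed(alert, now) else active).append(alert)
    return active, suppressed, rejected


def demo(now: Optional[datetime] = None):
    """Run the sample alerts through a 24-hour and a permanent suppression,
    once immediately and once 25 hours later; returns both triage results."""
    now = now or datetime(2016, 1, 1, tzinfo=timezone.utc)
    suppressions = SuppressionList()
    suppressions.suppress_temporarily(SAMPLE_ALERTS[0], 24, now, "analyst investigating")
    suppressions.suppress_permanently(SAMPLE_ALERTS[2], "authorized internal scanner")
    before = triage(SAMPLE_ALERTS, suppressions, now)
    after = triage(SAMPLE_ALERTS, suppressions, now + timedelta(hours=25))
    return before, after


if __name__ == "__main__":
    for label, (active, suppressed, rejected) in zip(("now", "after 25h"), demo()):
        print(label, "active:", len(active), "suppressed:", len(suppressed), "rejected:", len(rejected))
```

Note that the cust-b alert with the same rule and source IP as the suppressed cust-a alert stays active: the suppression key includes the tenant, which is the property the multi-tenancy requirement needs the UI and platform to preserve end to end.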


Action items

  1. George: Send out meeting minutes. 

  2. George: Send out shared doc for Customer Survey 

  3. George: Schedule weekly Requirements meeting invite every Thursday from 9 CST - 10:30 CST 

  4. Noreen and Oskar: Meet on UI and Customer Survey, start wireframes and then publish out meeting minutes to the Apache Metron dev team