public static class SourceCorrelation.SourceCorrelator extends org.apache.beam.sdk.transforms.PTransform<org.apache.beam.sdk.values.PCollection<SourceCorrelation.SourceData>,org.apache.beam.sdk.values.PCollection<Alert>> implements DocumentingTransform
This transform can be used to correlate source address information from an ingestion event stream with source address information that is present in alerts generated by the pipeline.
Currently this transform is limited to ISP based correlation. Alerts are grouped by ISP based on distinct source address, and are compared with source address and ISP information grouped in a similar way from the ingestion event stream.
If at least a certain number of addresses are seen associated with a given ISP, and the percentage of these addresses that generated an alert in a fixed window exceeds the configured value, an alert is generated.
Currently uses a hardcoded fixed window value of 6 hours.
| Constructor and Description |
|---|
SourceCorrelator(HTTPRequestToggles toggles)
Initialize new SourceCorrelator
|
| Modifier and Type | Method and Description |
|---|---|
org.apache.beam.sdk.values.PCollection<Alert> |
expand(org.apache.beam.sdk.values.PCollection<SourceCorrelation.SourceData> input) |
String |
getTransformDoc()
Get documentation string from transform based on it's current configuration
|
public SourceCorrelator(HTTPRequestToggles toggles)
toggles - HTTPRequestTogglespublic String getTransformDoc()
getTransformDoc in interface DocumentingTransformpublic org.apache.beam.sdk.values.PCollection<Alert> expand(org.apache.beam.sdk.values.PCollection<SourceCorrelation.SourceData> input)
expand in class org.apache.beam.sdk.transforms.PTransform<org.apache.beam.sdk.values.PCollection<SourceCorrelation.SourceData>,org.apache.beam.sdk.values.PCollection<Alert>>Copyright © 2022. All rights reserved.