Decision Maker (DM) is a ThreatIQ component that detects suspicious activity based on evidence collected from multiple sources: MOREAL metrics, MOREAL reasoning components, threat events and, where available, vulnerability assessment scans.
DM uses two sliding windows: a 1-hour window that determines which internal IPs have had recent activity, and a 1-day window over which the relevant evidence for those internal IPs is taken into account. On each iteration both windows are shifted forward by one hour.
An aggregated threat severity score is computed from the collected evidence using multiple metrics, including threat severity indicators, risk, confidence, the number of MOREAL alert occurrences, and severity scores derived from the threat event types.
DM also takes into account the exact time of each piece of evidence, applying a “decay” factor that weights more recent inputs within the time window more heavily.
In a nutshell, Decision Maker takes the MOREAL alerts and threat events of the last 24 hours as input and produces alerts about internal IPs that showed suspicious activity during the last hour. The communications between those internal IPs and external IPs that appear in the last hour's MOREAL alerts or threat events produce signatures for the external IPs together with the protocols and ports used. These signatures are emitted as Snort rules.
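The following is an added toy model of the loop described above, written for this page and not taken from ThreatIQ or MOREAL. It implements the two windows (1 hour for activity, 24 hours for evidence), a time-decayed weighted sum per internal IP, and Snort rule generation for the external IP / protocol / port combinations seen in the last hour. The decay function (exponential with a 6-hour half-life), the per-evidence-kind weights, the alert threshold, the SID range and the sample events are all assumptions made for illustration; the real component's formula and inputs are not given on this page.

```python
"""Toy two-window decision loop with decayed evidence scoring (added example).

Not ThreatIQ/MOREAL code. Decay shape, weights, threshold, SIDs and the
sample events below are assumptions chosen for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Evidence:
    ts: datetime          # when the alert/event was observed
    internal_ip: str
    external_ip: str
    proto: str            # "tcp" / "udp", as Snort expects
    port: int             # external (destination) port
    kind: str             # "moreal_alert" or "threat_event"
    severity: float       # normalized 0..1 by the producing component (assumed)


SHORT_WINDOW = timedelta(hours=1)     # which internal IPs count as "active"
LONG_WINDOW = timedelta(hours=24)     # evidence considered for active IPs
STEP = timedelta(hours=1)             # both windows advance by this per iteration
HALF_LIFE = timedelta(hours=6)                          # assumed decay half-life
KIND_WEIGHT = {"moreal_alert": 1.0, "threat_event": 1.5}  # assumed weights
ALERT_THRESHOLD = 1.0                                   # assumed cut-off


def decay(age: timedelta) -> float:
    """Exponential decay: evidence loses half its weight every HALF_LIFE."""
    return 0.5 ** (age / HALF_LIFE)


def in_window(ev: Evidence, now: datetime, window: timedelta) -> bool:
    return now - window < ev.ts <= now


def active_internal_ips(events, now):
    """Internal IPs with any alert/event inside the short (1h) window."""
    return {e.internal_ip for e in events if in_window(e, now, SHORT_WINDOW)}


def score_internal_ip(ip, events, now):
    """Weighted, time-decayed sum of all evidence for ip in the long (24h) window."""
    return sum(
        KIND_WEIGHT[e.kind] * e.severity * decay(now - e.ts)
        for e in events
        if e.internal_ip == ip and in_window(e, now, LONG_WINDOW)
    )


def snort_rules(ip, events, now, base_sid=1000001):
    """One rule per distinct (external_ip, proto, port) seen from ip in the last hour."""
    sigs = sorted({(e.external_ip, e.proto, e.port) for e in events
                   if e.internal_ip == ip and in_window(e, now, SHORT_WINDOW)})
    return [
        f'alert {proto} $HOME_NET any -> {ext} {port} '
        f'(msg:"DM suspicious {ip} -> {ext}:{port}"; sid:{base_sid + i}; rev:1;)'
        for i, (ext, proto, port) in enumerate(sigs)
    ]


def run_iteration(events, now):
    """One DM iteration: {internal_ip: (score, [snort rules])} for IPs over threshold."""
    alerts = {}
    for ip in sorted(active_internal_ips(events, now)):
        s = score_internal_ip(ip, events, now)
        if s >= ALERT_THRESHOLD:
            alerts[ip] = (round(s, 3), snort_rules(ip, events, now))
    return alerts


# Constructed sample input for one iteration at NOW (not real telemetry).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    Evidence(NOW - timedelta(minutes=20), "10.0.0.5", "203.0.113.7", "tcp", 443, "moreal_alert", 0.6),
    Evidence(NOW - timedelta(minutes=50), "10.0.0.5", "198.51.100.22", "udp", 53, "threat_event", 0.5),
    Evidence(NOW - timedelta(hours=3), "10.0.0.5", "203.0.113.7", "tcp", 443, "threat_event", 0.4),
    # older than 24h: ignored entirely
    Evidence(NOW - timedelta(hours=30), "10.0.0.5", "198.51.100.9", "udp", 53, "moreal_alert", 0.8),
    # active in the last hour but too little evidence to cross the threshold
    Evidence(NOW - timedelta(minutes=10), "10.0.0.9", "203.0.113.7", "tcp", 80, "threat_event", 0.3),
    # evidence inside 24h but no activity in the last hour: not a candidate this iteration
    Evidence(NOW - timedelta(hours=2), "10.0.0.12", "192.0.2.1", "tcp", 22, "moreal_alert", 0.9),
]


if __name__ == "__main__":
    for ip, (score, rules) in run_iteration(SAMPLE_EVENTS, NOW).items():
        print(f"{ip}: score={score}")
        print("\n".join(rules))
    # The next iteration would re-run with NOW + STEP, sliding both windows by an hour.
```

Two practical points the toy makes visible: 10.0.0.12 has a single high-severity alert but is not a candidate because it was quiet in the last hour, so the short window controls which IPs are even scored; and the generated rules key on the external IP, protocol and port only, so before such rules are pushed to a sensor the external side should be checked against shared infrastructure (CDNs, cloud front doors) and the SID range must be managed so that successive iterations do not collide.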