get rid of the hal9000 module entirely (and the database)
use the existing observable database table to compute its malicious %
display this value for each observable in the display
ignore whitelisted observables
display the "summary" malicious % in the upper right corner of the alert view (above the tags)
-- with a larger font size
-- color coded green (fp), gray (unsure), red (malicious)
The math behind the "summary" needs to be determined. Sample size needs to be taken into account.
Keep in mind we're trying to paint the picture of "This alert is a False Positive", not "This alert is a True Positive".
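Added example of one way the per-observable and summary math could work; this is illustration, not the project's own code or decision. It wraps each observable's malicious rate in a Wilson score interval so a handful of sightings is reported as gray/unsure rather than as a confident 0% or 100%, ignores whitelisted observables, and lets the observable with the strongest malicious evidence decide the summary, since the alert is only a false positive if every observable looks benign. The 20%/50% cut-offs, the table field names and the sample rows are assumptions.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ObservableRow:
    """One row of the existing observable table (field names are assumed)."""
    value: str
    malicious_hits: int   # dispositioned alerts containing it that were malicious
    total_hits: int       # dispositioned alerts containing it, any disposition
    whitelisted: bool = False

def malicious_pct(malicious: int, total: int) -> Optional[float]:
    """Raw malicious % shown next to each observable; None when it has no history."""
    return None if total == 0 else round(100.0 * malicious / total, 1)

def wilson_interval(malicious: int, total: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson interval on the malicious proportion: wide for few sightings, narrow for many."""
    if total == 0:
        return (0.0, 1.0)
    p, z2 = malicious / total, z * z
    denom = 1 + z2 / total
    centre = (p + z2 / (2 * total)) / denom
    margin = z * math.sqrt(p * (1 - p) / total + z2 / (4 * total * total)) / denom
    return (max(0.0, centre - margin), min(1.0, centre + margin))

SEVERITY = {"green": 0, "gray": 1, "red": 2}
def verdict(malicious: int, total: int) -> str:
    """green = confident false positive, red = confident malicious, gray = unsure (cut-offs assumed)."""
    low, high = wilson_interval(malicious, total)
    return "green" if high < 0.20 else "red" if low > 0.50 else "gray"

def summarize(rows: List[ObservableRow]) -> Tuple[Optional[float], str]:
    """Header summary: drop whitelisted observables, then let the remaining one with the
    strongest malicious evidence decide (aggregation rule is an assumption)."""
    kept = [r for r in rows if not r.whitelisted]
    if not kept:
        return None, "gray"
    def rank(r: ObservableRow):
        return (SEVERITY[verdict(r.malicious_hits, r.total_hits)],
                wilson_interval(r.malicious_hits, r.total_hits)[0])
    worst = max(kept, key=rank)
    return (malicious_pct(worst.malicious_hits, worst.total_hits),
            verdict(worst.malicious_hits, worst.total_hits))

SAMPLE = [  # constructed rows for one alert, not real data
    ObservableRow("198.51.100.7", 0, 200),   # seen 200 times, never malicious -> green
    ObservableRow("bad.example", 9, 10),     # malicious 9 of 10 -> red, decides the summary
    ObservableRow("8.8.8.8", 0, 5000, whitelisted=True),  # whitelisted, ignored
]
```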