Closed AlyaGomaa closed 4 weeks ago
But what was the problem? Why did it go down?
Here's what was happening.
Some detections, like "malicious downloaded file", have 2 pieces of evidence, one for the src and one for the dst IP. The ProfileID of each evidence should be the profile of the attacker, so what should be happening is: 1st evidence:
2nd evidence:
In all evidence the profile should be the profile of the srcip.
The issue was that in some detections I was doing
so the evidence was reported correctly in alerts.json (with the correct src and target), but the profile was wrong (the profile itself is not reported to alerts.json).
So the threat level of that evidence was added to the accumulated threat level of profile 8.8.8.8 instead of profile 192.168.1.113, right? So, for example, if the accumulated threat level of profile_192.168.1.113 is 49.9 and the accumulated threat level of profile_8.8.8.8 is 0.1,
that wrong evidence was added to the accumulated threat level of profile_8.8.8.8, which was 0.1, so it became 0.4 for example, and was reported in alerts.json as 0.4.
So in alerts.json we have some correct evidence, accumulating the threat levels normally (e.g. 5, 10, 20, 50), and wrong evidence, accumulating the threat level of another profile (e.g. 5, 10, 20, 50, 0.4, ...) while reporting it with the correct src and target IPs.
That was the drop in the accumulated threat levels in issue #1043.
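The misattribution described in the comment above, reproduced as an added example that is not Slips code and not part of the original thread. It models evidence as (profileid, attacker, victim, threat level), accumulates threat levels per profile the way the comment describes, and shows how one piece of evidence whose profileid points at the dst profile produces the apparent drop (5, 10, 20, 50, 0.4) in the reported accumulated threat level, plus a consistency check that flags such evidence and a fix that re-keys it to the attacker's profile. The field names, the `profile_<ip>` naming, and the sample evidence list are constructed for illustration and are assumptions, not the project's real data model.

```python
"""Reproduce a per-profile threat-level misattribution (added example, not Slips code)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Evidence:
    """One piece of evidence. Field names are assumptions made for this example."""
    profileid: str        # profile whose accumulated threat level this evidence is added to
    attacker: str         # src IP that performed the suspicious action
    victim: str           # dst IP on the other side of the flow
    threat_level: float   # threat level contributed by this evidence
    description: str


def profile_of(ip: str) -> str:
    """Profile key for an IP (assumed 'profile_<ip>' naming)."""
    return f"profile_{ip}"


def accumulate(evidences, initial=None):
    """Add each evidence's threat level to the profile named in its profileid.

    Returns (final accumulated levels per profile, list of (attacker, victim, acc)
    tuples in report order, i.e. what would be written per evidence to alerts.json).
    """
    acc = dict(initial or {})
    reported = []
    for ev in evidences:
        acc[ev.profileid] = round(acc.get(ev.profileid, 0.0) + ev.threat_level, 2)
        # The report carries the correct src/dst, so the wrong profile is invisible here.
        reported.append((ev.attacker, ev.victim, acc[ev.profileid]))
    return acc, reported


def misattributed(evidences):
    """Evidence whose profileid is not the attacker's profile (the bug in the comment)."""
    return [ev for ev in evidences if ev.profileid != profile_of(ev.attacker)]


def fix_profile(ev: Evidence) -> Evidence:
    """Re-key evidence to the attacker's (src IP's) profile, as the comment says it should be."""
    return replace(ev, profileid=profile_of(ev.attacker))


ATTACKER = "192.168.1.113"
VICTIM = "8.8.8.8"

# Constructed sample: four correct evidence entries, then a "malicious downloaded file"
# entry whose profileid was set from the dst IP instead of the src IP.
EVIDENCE_BUGGY = [
    Evidence(profile_of(ATTACKER), ATTACKER, VICTIM, 5.0, "port scan"),
    Evidence(profile_of(ATTACKER), ATTACKER, VICTIM, 5.0, "suspicious user agent"),
    Evidence(profile_of(ATTACKER), ATTACKER, VICTIM, 10.0, "connection to blacklisted IP"),
    Evidence(profile_of(ATTACKER), ATTACKER, VICTIM, 30.0, "C&C channel"),
    # BUG: profile of the victim, although attacker/victim are correct
    Evidence(profile_of(VICTIM), ATTACKER, VICTIM, 0.3, "malicious downloaded file"),
]

# profile_8.8.8.8 already had a small accumulated level of its own, as in the comment.
INITIAL_LEVELS = {profile_of(VICTIM): 0.1}


def reported_levels(evidences):
    """Sequence of accumulated threat levels as they would appear in alerts.json."""
    _, reported = accumulate(evidences, INITIAL_LEVELS)
    return [acc for _, _, acc in reported]


if __name__ == "__main__":
    print("buggy :", reported_levels(EVIDENCE_BUGGY))
    print("flagged:", [ev.description for ev in misattributed(EVIDENCE_BUGGY)])
    fixed = [fix_profile(ev) for ev in EVIDENCE_BUGGY]
    print("fixed :", reported_levels(fixed))
```

`misattributed()` is the check a practitioner would want in a test suite for the evidence-emitting code: every evidence's profileid must equal `profile_of(attacker)`, independently of which side of the flow the detection was looking at.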