docs: update for event flow

Sandy-at-Tazama · Sandy-at-Tazama · commit c5777966ab6c · 2024-11-10T17:24:56.000+02:00
diff --git a/Product/complete-example-of-a-network-map.md b/Product/complete-example-of-a-network-map.md
@@ -3,37 +3,37 @@
 # Complete example of a network map
 
 ```
-    {
-        "active": true,
-        "cfg": "1.0.0",
-        "messages": [
-            {
-                "id": "004@1.0.0",
-                "cfg": "1.0.0",
-                "txTp": "pacs.002.001.12",
-                "typologies": [
-                    {
-                        "id": "typology-processor@1.0.0",
-                        "cfg": "001@1.0.0",
-                        "rules": [
-                            {
-                                "id": "006@1.0.0",
-                                "cfg": "1.0.0"
-                            },
-                            {
-                                "id": "078@1.0.0",
-                                "cfg": "1.0.0"
-                            },
-                            {
-                                "id": "EFRuP@1.0.0",
-                                "cfg": "none"
-                            }
-                        ]
-                    }
-                ]
-            }
-        ]
-    }
+{
+    "active": true,
+    "cfg": "1.0.0",
+    "messages": [
+        {
+            "id": "004@1.0.0",
+            "cfg": "1.0.0",
+            "txTp": "pacs.002.001.12",
+            "typologies": [
+                {
+                    "id": "typology-processor@1.0.0",
+                    "cfg": "001@1.0.0",
+                    "rules": [
+                        {
+                            "id": "006@1.0.0",
+                            "cfg": "1.0.0"
+                        },
+                        {
+                            "id": "078@1.0.0",
+                            "cfg": "1.0.0"
+                        },
+                        {
+                            "id": "EFRuP@1.0.0",
+                            "cfg": "none"
+                        }
+                    ]
+                }
+            ]
+        }
+    ]
+}
 ```
 
 This network map executes two rule processors (006 and 078) when a pacs.002 transaction is received and summarizes the rule results into typology 001.  The event flow rule processor (EFRuP) is also configured in this typology.
diff --git a/Product/complete-example-of-a-rule-processor-configuration.md b/Product/complete-example-of-a-rule-processor-configuration.md
@@ -2,9 +2,9 @@
 
 # Complete example of a rule processor configurations
 
-## A “banded” rule configuration:
+## A "banded" rule configuration:
 
-```
+```JSON
 {
     "id": "006@1.0.0",
     "cfg": "1.0.0",
@@ -46,9 +46,9 @@
   }
 ```
 
-## A “cased" rule configuration
+## A "cased" rule configuration
 
-```
+```JSON
 {
     "id": "078@1.0.0",
     "cfg": "1.0.0",
@@ -83,7 +83,7 @@
 
 ## EFRuP rule configuration
 
-```
+```JSON
 {
     "id": "EFRuP@1.0.0",
     "cfg": "none",
diff --git a/Product/complete-example-of-a-typology-processor-configuration.md b/Product/complete-example-of-a-typology-processor-configuration.md
@@ -6,7 +6,7 @@ Building on the example rule configurations provided here:
 
 [Complete example of a rule processor configuration](/product/complete-example-of-a-rule-processor-configuration.md)
 
-## Typology configuration for a typology with two rules
+## Typology configuration for a typology with two rules plus the event flow rule processor
 
 ```JSON
 {
diff --git a/Product/configuration-management.md b/Product/configuration-management.md
@@ -1,8 +1,7 @@
 <!-- SPDX-License-Identifier: Apache-2.0 -->
 
-# Configuration management
- [TL;DR](#tldr)
-- [Configuration management](#configuration-management)
+# Configuration management <!-- omit in toc -->
+
 - [TL;DR](#tldr)
 - [1. Overview of the detection methodology](#1-overview-of-the-detection-methodology)
 - [2. Configuration Management](#2-configuration-management)
@@ -23,6 +22,7 @@
     - [The weights object](#the-weights-object)
     - [The expression object](#the-expression-object)
     - [The workflow object](#the-workflow-object)
+    - [Event Flow typology configuration](#event-flow-typology-configuration)
     - [Complete example of a typology configuration](#complete-example-of-a-typology-configuration)
   - [2.3. The Network Map](#23-the-network-map)
     - [Introduction](#introduction-2)
@@ -53,7 +53,9 @@ In a test or PoC environment, it may sometimes be simpler to just overwrite exis
 
 Configuration documents can be uploaded to the system using the ArangoDB API deployed with the platform.
 
-[Top](#configuration-management)
+<div style="text-align: right">
+    <a href="#configuration-management">Top</a>
+</div>
 
 # 1. Overview of the detection methodology
 
@@ -98,7 +100,9 @@ In the typology processor:
 
 In this document, we will discuss how the various configuration documents are expected to be updated to influence evaluation behavior.
 
-[Top](#configuration-management)
+<div style="text-align: right">
+    <a href="#configuration-management">Top</a>
+</div>
 
 # 2. Configuration Management
 
@@ -118,7 +122,9 @@ Finally, the typologies and rules are bound together into the network map and at
 
 ![Tazama typology config](../images/tazama-config-typology-config.drawio.svg)
 
-[Top](#configuration-management)
+<div style="text-align: right">
+    <a href="#configuration-management">Top</a>
+</div>
 
 ## 2.1. Rule Processor Configuration
 
@@ -225,6 +231,10 @@ Example of the `exitConditions` object:
     ]
   }
 ```
+<div style="text-align: right">
+    <a href="#configuration-management">Top</a>
+</div>
+
 
 Each exit condition contains the same attributes:
 
@@ -358,7 +368,9 @@ Each rule result case contains the same information:
 
 [Complete example of a rule processor configuration](/product/complete-example-of-a-rule-processor-configuration.md)
 
-[Top](#configuration-management)
+<div style="text-align: right">
+    <a href="#configuration-management">Top</a>
+</div>
 
 ## 2.2. Typology Configuration
 
@@ -590,18 +602,66 @@ If a specific type of threshold is not required, the threshold should be omitted
 
 The thresholds are located in a workflow object in the typology configuration. If, for example, the system is expected to alert on a typology score of 500 or more, and interdict on a typology score of 1000 or more, the workflow object would be composed as follows:
 
-```
+```JSON
 "workflow": {
   "alertThreshold": 500,
   "interdictionThreshold": 1000
 }
 ```
 
+### Event Flow typology configuration 
+
+If the event flow processor is applicable to a typology, the EFRuP rule must be added to the list of rules in the typology configuration and EFRuP `"flowProcessor": "EFRuP@1.0.0"` should be added to the workflow object. `flowProcessor` may be omitted from the workflow object and the rules list in which case a particular typology is not affected by EFRuP results.
+
+**EFRuP workflow object**
+
+```JSON
+        "workflow": {
+            "alertThreshold": 200,
+            "interdictionThreshold": 400,
+            "flowProcessor": "EFRuP@1.0.0"
+        }
+```
+
+**EFRuP rule object**
+
+```JSON
+            {
+                "id": "EFRuP@1.0.0",
+                "cfg": "none",
+                "termId": "vEFRuPat100atnone",
+                "wghts": [
+                    {
+                        "ref": ".err",
+                        "wght": "0"
+                    },
+                    {
+                        "ref": "override",
+                        "wght": "0"
+                    },
+                    {
+                        "ref": "non-overridable-block",
+                        "wght": "0"
+                    },
+                    {
+                        "ref": "overridable-block",
+                        "wght": "0"
+                    },
+                    {
+                        "ref": "none",
+                        "wght": "0"
+                    }
+                ]
+            }
+```
+
 ### Complete example of a typology configuration
 
 [Complete example of a typology processor configuration](/product/complete-example-of-a-typology-processor-configuration.md)
 
-[Top](#configuration-management)
+<div style="text-align: right">
+    <a href="#configuration-management">Top</a>
+</div>
 
 ## 2.3. The Network Map
 
@@ -702,22 +762,35 @@ The rules object array contains the following attributes:
     
 
 ```
-              "rules": [
-                {
-                  "id": "002@1.0.0",
-                  "cfg": "1.0.0"
-                },
+"rules": [
+  {
+     "id": "002@1.0.0",
+     "cfg": "1.0.0"
+  }
+```
+
+Example of the rules object for the event flow processor
+
+```JSON
+{
+  "id": "EFRuP@1.0.0",
+  "cfg": "none"
+}
 ```
 
+By adding the EFRuP processor to the network map, the event director will route transactions to the event flow rule processor in addition to the other rules specified in the typologies array. 
+
 ### Complete network map example
 
 [Complete example of a network map](/product/complete-example-of-a-network-map.md)
 
-[Top](#configuration-management)
+<div style="text-align: right">
+    <a href="#configuration-management">Top</a>
+</div>
 
 ## 2.4. Updating configurations via the ArangoDB API
 
-# 3\. Version Management
+# 3. Version Management
 
 ## 3.1. Introduction and Basics
 
@@ -794,7 +867,9 @@ The active network map ultimately defines the scope of a particular evaluation,
 
 * * *
 
-[Top](#configuration-management)
+<div style="text-align: right">
+    <a href="#configuration-management">Top</a>
+</div>
 
 [^1]: We have found during our performance testing that the text-based descriptions in our processor results undermines the performance gains we achieved with our ProtoBuff implementation. We will be removing the unabridged reason and processor descriptions from the configuration documents in favor of shorter look-up codes that will then also be used to introduce regionalized/language-specific descriptions.
    
diff --git a/Product/event-flow-rule-processor.md b/Product/event-flow-rule-processor.md
diff --git a/Product/typology-processing.md b/Product/typology-processing.md

Original file line number	Diff line number	Diff line change
`@@ -2,9 +2,9 @@`
`2`	`2`
`3`	`3`	`# Complete example of a rule processor configurations`
`4`	`4`
`5`		`-## A “banded” rule configuration:`
	`5`	`+## A "banded" rule configuration:`
`6`	`6`
`7`		-```
	`7`	+```JSON
`8`	`8`	`{`
`9`	`9`	`"id": "[email protected]",`
`10`	`10`	`"cfg": "1.0.0",`
`@@ -46,9 +46,9 @@`
`46`	`46`	`}`
`47`	`47`	```
`48`	`48`
`49`		`-## A “cased" rule configuration`
	`49`	`+## A "cased" rule configuration`
`50`	`50`
`51`		-```
	`51`	+```JSON
`52`	`52`	`{`
`53`	`53`	`"id": "[email protected]",`
`54`	`54`	`"cfg": "1.0.0",`
`@@ -83,7 +83,7 @@`
`83`	`83`
`84`	`84`	`## EFRuP rule configuration`
`85`	`85`
`86`		-```
	`86`	+```JSON
`87`	`87`	`{`
`88`	`88`	`"id": "[email protected]",`
`89`	`89`	`"cfg": "none",`
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ Building on the example rule configurations provided here:`
`6`	`6`
`7`	`7`	`[Complete example of a rule processor configuration](/product/complete-example-of-a-rule-processor-configuration.md)`
`8`	`8`
`9`		`-## Typology configuration for a typology with two rules`
	`9`	`+## Typology configuration for a typology with two rules plus the event flow rule processor`
`10`	`10`
`11`	`11`	```JSON
`12`	`12`	`{`