# Human review + sampling pipeline
Route flagged detections through a manual review queue with configurable sampling rates and escalation rules.
## Overview
Not every detection warrants automated action. This pipeline captures suspicious events, applies sampling thresholds, and enqueues them for analyst review before any response fires.
## Pipeline stages

### 1. Ingest
Events stream in from the Meridian agent via the telemetry endpoint. Each event carries a severity score, fingerprint hash, and raw context blob.
### 2. Sample
Apply per-rule sampling rates. Low-severity events may sample at 10%, critical events at 100%. Unsampled events are logged and dropped.
### 3. Enrich
Attach process tree, network context, and known-bad indicators before the ticket lands in the queue.
### 4. Review
Analyst sees a structured ticket with verdict buttons: Escalate, Suppress, or Auto-remediate. Verdicts feed back into detection tuning.
## Escalation rules
- Same fingerprint seen 3+ times in 24h → auto-escalate
- Severity ≥ 8 → bypass sampling, immediate queue
- Ticket age > 4h without verdict → notify on-call
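The sampling stage and the escalation rules above, combined into one decision routine, as an added example that is not part of the pipeline's own code. It assumes severity is an integer 0-10, that "low" means severity below 5, and that the medium-tier rate is invented; the 10%/100% rates, the severity 8 bypass, the 3+ in 24h rule and the 4h on-call rule are the page's.

```python
# Added example, not the project's code. Assumed: severity is an int 0-10, 'low'
# is < 5, medium rate is made up; 10%/100%, >= 8, 3+/24h and 4h are from the page.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import random
SEVERITY_BYPASS = 8                  # severity >= 8: skip sampling, queue now
REPEAT_THRESHOLD, REPEAT_WINDOW = 3, timedelta(hours=24)
STALE_AFTER = timedelta(hours=4)     # no verdict after 4h -> notify on-call
SAMPLE_RATES = {"low": 0.10, "medium": 0.50}   # critical is always 100%

def sample_rate(severity: int) -> float:
    if severity >= SEVERITY_BYPASS:
        return 1.0
    return SAMPLE_RATES["low" if severity < 5 else "medium"]

class Sampler:
    """Decides per event whether to escalate, queue for review, or drop."""
    def __init__(self, rng=random.random):
        self.rng = rng                   # injectable for deterministic tests
        self.seen = defaultdict(deque)   # fingerprint -> recent timestamps

    def _recurrences(self, fp: str, now: datetime) -> int:
        q = self.seen[fp]
        q.append(now)
        while now - q[0] > REPEAT_WINDOW:   # expire hits older than 24h
            q.popleft()
        return len(q)

    def decide(self, event: dict, now: datetime) -> str:
        sev, fp = event["severity"], event["fingerprint"]
        # Every ingested hit counts, even ones sampling later drops, so a
        # noisy low-severity fingerprint still trips the 3+ in 24h rule.
        if self._recurrences(fp, now) >= REPEAT_THRESHOLD:
            return "escalate"
        return "queue" if self.rng() < sample_rate(sev) else "drop"

def needs_oncall(opened: datetime, now: datetime, verdict=None) -> bool:
    return verdict is None and now - opened > STALE_AFTER

def demo() -> dict:
    """Constructed run: repeated low hits, one critical, one unlucky draw, a stale ticket."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s = Sampler(rng=lambda: 0.05)        # fixed draw under every rate
    hits = [(2, "fp-a", 0), (2, "fp-a", 1), (2, "fp-a", 2), (9, "fp-b", 3), (2, "fp-a", 27)]
    verdicts = [s.decide({"severity": sv, "fingerprint": fp}, t0 + timedelta(hours=h))
                for sv, fp, h in hits]
    unlucky = Sampler(rng=lambda: 0.5).decide({"severity": 2, "fingerprint": "fp-c"}, t0)
    return {"verdicts": verdicts, "unlucky": unlucky,
            "stale": needs_oncall(t0, t0 + timedelta(hours=5))}
```

The third "fp-a" hit escalates regardless of its sampling draw, and the hit at 27h starts a fresh count because the earlier three have aged out of the 24h window.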
## API endpoints
| Method | Path | Purpose |
|---|---|---|
| POST | /api/review/ingest | Submit event for sampling |
| GET | /api/review/queue | List pending tickets |
| PATCH | /api/review/verdict | Submit analyst verdict |