Metron generates alerts onto a Kafka queue, which can be used to integrate with 
alert management tools, usually some sort of existing alert aggregation tool.

An alternative approach common with this is to have a tool like Apache NiFi 
attach to the Metron alert feed and send email. 

The solution here would be to have Metron generate alerts (by adding the 
is_alert: true flag in the enrichment process) and possibly other flags like 
alert_email for example, and then have NiFi use ConsumeKafka and then filter 
out the alert-only messages in NiFi to use the PutEmail processor (probably 
with a ControlRate before it too).

Something I would caution is that email is not a great way to manage or send 
alerts at the volume likely to occur in network monitoring tools. A spike in 
network traffic can lead to a very large number of emails, which tends to then 
cause you bigger problems. As such we usually find people want some sort of 
buffering or aggregation of alerts, hence the use of an alert management or 
ticketing solution in front.


> On 13 Dec 2017, at 19:06, Ahmed Shah <> wrote:
> Hello,
> Just wondering if Metron has a feature to email alerts based on rules that a 
> user defines.
> Example:
> Rule A: Email the user whenever ip_src_addr=100.2.10.*
> Rule B: Email the user whenever payload contains "critical"
> If not, does anyone have any recommendations on where to code these rules in 
> the Metron stack that uses attributes from the GROK parser?
> -Ahmed
> _______________________________________________________________
> Ahmed Shah (PMP, M. Eng.)
> Cybersecurity Analyst & Developer
> GCR - Cybersecurity Operations Center
> Carleton University -<>
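
The filter-then-aggregate step discussed in this thread, as an added example that is not part of the original messages and is not Metron or NiFi code. It stands in for what would sit between ConsumeKafka and PutEmail: it keeps only is_alert messages that match Rule A or Rule B and builds one digest email per recipient per time window instead of one email per alert. The sample records, the timestamp field, the addresses and all function names are assumptions made for illustration.

```python
import json
from collections import defaultdict
from email.message import EmailMessage
from ipaddress import ip_address, ip_network

# Constructed sample records, shaped like enriched JSON messages on the alert topic.
SAMPLE = [
    '{"ip_src_addr": "100.2.10.7", "payload": "login ok", "is_alert": "true", "alert_email": "soc@example.org", "timestamp": 1000}',
    '{"ip_src_addr": "10.0.0.5", "payload": "critical disk failure", "is_alert": "true", "alert_email": "soc@example.org", "timestamp": 2000}',
    '{"ip_src_addr": "100.2.10.9", "payload": "critical", "alert_email": "soc@example.org", "timestamp": 3000}',
    '{"ip_src_addr": "100.2.10.8", "payload": "x", "is_alert": "true", "alert_email": "soc@example.org", "timestamp": 61000}',
    'not json',
    '{"ip_src_addr": "192.168.1.1", "payload": "ok", "is_alert": "true", "alert_email": "soc@example.org", "timestamp": 4000}',
]
RULE_A_NET = ip_network("100.2.10.0/24")  # Rule A from the question: 100.2.10.*

def matched_rules(msg):
    """Return the names of the rules from the question that this message matches."""
    rules = []
    try:
        if ip_address(msg.get("ip_src_addr", "")) in RULE_A_NET:
            rules.append("A")
    except ValueError:  # missing or malformed address never matches Rule A
        pass
    if "critical" in str(msg.get("payload", "")):  # Rule B
        rules.append("B")
    return rules

def build_digests(records, window_ms=60000, sender="metron@example.org"):
    """Group matching alerts per (recipient, time window); one email per group."""
    buckets = defaultdict(list)
    for raw in records:
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip records that are not valid JSON
        if not isinstance(msg, dict) or str(msg.get("is_alert", "")).lower() != "true":
            continue  # the alert-only filter
        rules = matched_rules(msg)
        if not rules or not msg.get("alert_email"):
            continue
        window = int(msg.get("timestamp", 0)) // window_ms
        buckets[(msg["alert_email"], window)].append((rules, msg))
    digests = []
    for (rcpt, window), items in sorted(buckets.items()):
        mail = EmailMessage()
        mail["From"], mail["To"] = sender, rcpt
        mail["Subject"] = f"Metron alerts: {len(items)} in window {window}"
        mail.set_content("\n".join(
            f"rule {'+'.join(r)}: {m.get('ip_src_addr')} {m.get('payload')}" for r, m in items))
        digests.append(mail)
    return digests
```

With the constructed sample, six records become two emails; a traffic spike inside one window still produces a single message per recipient.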
