Metron generates alerts onto a Kafka queue, which can be used to integrate with Alert management tools, usually some sort of existing alert aggregation tool.
An alternative approach common with this is to have a tool like Apache NiFi attach to the Metron alert feed and send email. The solution here would be to have Metron generate alerts (by adding the is_alert: true flag in the enrichment process) and possibly other flags like alert_email for example, and then have NiFi use ConsumeKafka and then filter out the alert only messages in NiFi to use the PutEmail processor (probably with a ControlRate before it too). Something I would caution is that email is not a great way to manage or send alerts at the volume likely to occur in network monitoring tools. A spike in network traffic can lead to a very large number of emails, which tends to then cause you bigger problems. As such we usually find people want some sort of buffering or aggregation of alerts, hence the use of a an alert management or ticketing solution in front. Simon > On 13 Dec 2017, at 19:06, Ahmed Shah <ahmeds...@cmail.carleton.ca> wrote: > > Hello, > Just wondering if Metron has a feature to email alerts based on rules that a > user defines. > > Example: > Rule A: Email the user 1...@1.com whenever ip_src_addr=100.2.10.* > Rule B: Email the user 1...@1.com whenever payload contains "critical" > > If not, does anyone have any recommendations on where to code these rules in > the Metron stack that uses attributes from the GROK parser? > > > -Ahmed > _______________________________________________________________ > Ahmed Shah (PMP, M. Eng.) > Cybersecurity Analyst & Developer > GCR - Cybersecurity Operations Center > Carleton University - cugcr.com<https://cugcr.com/tiki/lce/index.php>