Hi Oliver, I still saw meta-alerts even when I was filtering for alerts = true, but I am using an earlier version.
You may want to try filtering by score instead. A meta-alert should have a non-zero score if it includes alerts.

Carolyn Duby
Solutions Engineer, Northeast
cd...@hortonworks.com
+1.508.965.0584

Join my team!
Enterprise Account Manager – Boston - http://grnh.se/wepchv1
Solutions Engineer – Boston - http://grnh.se/8gbxy41

Need Answers? Try https://community.hortonworks.com <https://community.hortonworks.com/answers/index.html>

On 7/2/18, 5:13 AM, "Oliver Fletcher" <oliver.fletc...@gresearch.co.uk> wrote:

> Hi Guys,
>
> I have a quick question regarding the usability of meta-alerts within the investigator UI. We have a high(ish) volume log source (firewall logs, with accept packets being logged). Threat intelligence feeds will match connections to rogue IP addresses and the investigator UI is showing hits with a threat score as advertised.
>
> The issue I'm experiencing is that I have to place a filter 'is_alert:true' within the search bar, otherwise I'll pull in millions of non-interesting events. This view gives me a powerful threat score alert feed; however, when I merge together a group of alerts into a meta-alert, it will not appear in this filtered search any more (because I've specified 'is_alert:true'). If I remove this filter I'll have to trundle through a few billion events to find the meta-alert! It's effectively disappeared into the ether.
>
> Have I implemented this abnormally? It seems that the investigator UI could do with an implicit is_alert:true filter? Then allowing meta-grouped alerts to float into this implicit search base?
>
> Cheers,
>
> Oliver Fletcher
>
> --------------
> G-RESEARCH believes the information provided herein is reliable. While every care has been taken to ensure accuracy, the information is furnished to the recipients with no warranty as to the completeness and accuracy of its contents and on condition that any errors or omissions shall not be made the basis of any claim, demand or cause of action.
> The information in this email is intended only for the named recipient. If you are not the intended recipient please notify us immediately and do not copy, distribute or take action based on this e-mail.
> All messages sent to and from this e-mail address will be logged by G-RESEARCH and are subject to archival storage, monitoring, review and disclosure.
> G-RESEARCH is the trading name of Trenchant Limited, 5th Floor, Whittington House, 19-30 Alfred Place, London WC1E 7EA.
> Trenchant Limited is a company registered in England with company number 08127121.
> --------------
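The following is an added illustration of the filtering behaviour discussed in this thread; it is not code from the thread or from the Metron project. It evaluates two search-bar style terms, `is_alert:true` and `score:>0`, over three constructed documents: a plain firewall event, a triaged alert and a meta-alert. The document layout is an assumption made for the example (the meta-alert carries an aggregated `score` and its child alerts under a `metron_alert` list, but no `is_alert` field), which is exactly why an `is_alert:true` filter hides it while a score filter keeps it.

```python
"""Why a meta-alert drops out of an `is_alert:true` search but survives a score search.

All documents below are constructed for this example; they are not real alert data.
The meta-alert shape (source.type "metaalert", aggregated `score`, nested
`metron_alert` children, no `is_alert` field) is an assumption for illustration.
"""
from __future__ import annotations

import operator
import re
from typing import Any

SAMPLE_DOCS: list[dict[str, Any]] = [
    # plain firewall accept that was never triaged: no score, no is_alert
    {"guid": "fw-1", "source.type": "fw", "ip_src_addr": "10.0.0.5", "action": "accept"},
    # threat-intel hit: triage set is_alert and a threat score
    {"guid": "fw-2", "source.type": "fw", "ip_src_addr": "10.0.0.9",
     "threatintelmatch": True, "is_alert": "true", "score": 50},
    # meta-alert grouped in the UI: scores aggregated into `score`, children kept
    # under `metron_alert`, and (assumed here) no top-level is_alert field at all
    {"guid": "meta-1", "source.type": "metaalert", "score": 90,
     "metron_alert": [{"guid": "fw-2", "is_alert": "true", "score": 50},
                      {"guid": "fw-3", "is_alert": "true", "score": 40}]},
]

# Lucene-style single term: `field:value` or a numeric comparison `field:>N`.
_TERM = re.compile(r"^(?P<field>[\w.]+):(?P<op>>=|<=|>|<)?(?P<value>\S+)$")

_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


def matches(doc: dict[str, Any], query: str) -> bool:
    """Return True if a single search term matches the document.

    A field that is absent from the document never matches, which is the
    meta-alert case for `is_alert:true`.
    """
    m = _TERM.match(query.strip())
    if not m:
        raise ValueError(f"unsupported query term: {query!r}")
    field, op, value = m.group("field"), m.group("op"), m.group("value")
    if field not in doc:
        return False
    actual = doc[field]
    if op is None:
        # term match, compared case-insensitively like a keyword value
        return str(actual).lower() == value.lower()
    # numeric range comparison, e.g. score:>0
    return _OPS[op](float(actual), float(value))


def search(docs: list[dict[str, Any]], query: str) -> list[str]:
    """Return the guids of all documents matching the term, in index order."""
    return [d["guid"] for d in docs if matches(d, query)]


if __name__ == "__main__":
    for q in ("is_alert:true", "score:>0", "source.type:metaalert"):
        print(f"{q:24} -> {search(SAMPLE_DOCS, q)}")
```

Running it shows `is_alert:true` returning only `fw-2`, while `score:>0` returns both `fw-2` and `meta-1`, so the score filter keeps the meta-alert visible without pulling in the untriaged `fw-1` event.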