Re: who is having problems installing?

2017-10-03 Thread Ronirose Caryll De Castro
Yes, like me I am planning to install Metron and would like to join the
meeting to know what would be the possible issues that I will face and how
to solve them


*Thank you!*
*Caryll*


On Wed, Oct 4, 2017 at 9:02 AM, Otto Fowler  wrote:

> Did you mean to send this to users too?
>
>
>
> On October 3, 2017 at 19:12:10, James Sirota (jsir...@apache.org) wrote:
>
> Hi Guys,
>
> How many people do we have with questions about installing Metron? I can
> take some time later in the week to schedule a meeting and get everyone
> unstuck
>
> ---
> Thank you,
>
> James Sirota
> PMC- Apache Metron
> jsirota AT apache DOT org
>

-- 
CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited. If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. There is no warranty that this email is error, virus or defect 
free. If this is a private communication it does not represent the views of 
Pointwest Technologies Corporation or their related entities.


Re: [DISCUSS] Community meeting on Tuesday, Sept.23 10AM PST

2017-10-03 Thread Otto Fowler
I am having to request access, not sure if this is what you meant to do.


On October 3, 2017 at 18:56:29, James Sirota (jsir...@apache.org) wrote:

Link to the recording. You need a WebEx player to view it

https://drive.google.com/open?id=0B3a8U3GCzkKNZHR2LUZNcmljcTQ





Re: who is having problems installing?

2017-10-03 Thread Ronirose Caryll De Castro
Can those who are planning to install Metron join the meeting?

*Thank you!*
*Caryll*


On Wed, Oct 4, 2017 at 7:11 AM, James Sirota  wrote:

> Hi Guys,
>
> How many people do we have with questions about installing Metron?  I can
> take some time later in the week to schedule a meeting and get everyone
> unstuck
>
> ---
> Thank you,
>
> James Sirota
> PMC- Apache Metron
> jsirota AT apache DOT org
>



who is having problems installing?

2017-10-03 Thread James Sirota
Hi Guys,

How many people do we have with questions about installing Metron?  I can take 
some time later in the week to schedule a meeting and get everyone unstuck

--- 
Thank you,

James Sirota
PMC- Apache Metron
jsirota AT apache DOT org


Re: [DISCUSS] Community meeting on Tuesday, Sept.23 10AM PST

2017-10-03 Thread James Sirota
Link to the recording.  You need a WebEx player to view it

https://drive.google.com/open?id=0B3a8U3GCzkKNZHR2LUZNcmljcTQ



26.09.2017, 09:20, "Laurens Vets" :
> 11:30 won't work for me, but that's fine. I only had 1 comment on Otto's
> video: What happens when we have 2 parsers/sensors with the same name.
> If there's ever a parser/sensor repository, this might be an issue.
>
> On 2017-09-25 17:38, Otto Fowler wrote:
>>  11:30 your time. Sorry I have to pick my kids up from school. 2:30
>>  mine.
>>
>>  On September 25, 2017 at 19:41:28, James Sirota (jsir...@apache.org)
>>  wrote:
>>
>>  Oh sorry, didn't notice that. Otto, when is a good time for you?
>>
>>  25.09.2017, 16:35, "zeo...@gmail.com" :
>>>  When is the meeting, given Otto mentioned he can't make 10am? Or did
>>>  that
>>>  change
>>>
>>>  Jon
>>>
>>>  On Mon, Sep 25, 2017, 19:19 James Sirota  wrote:
>>>
   Great. Thank you, Otto. I would encourage everyone to watch it so that we
   have constructive feedback for tomorrow and are able to arrive to a decision
   Thanks,
   James

   25.09.2017, 08:27, "Otto Fowler" :
   > https://youtu.be/-ISycoP3TVA
   >
   > The video is short and simple. Hopefully it is what you are looking for.
   >
   > On September 21, 2017 at 16:54:13, zeo...@gmail.com (zeo...@gmail.com)
   > wrote:
   >
   > I won't be able to make it and would really like to make sure there's a
   > recording for this one, if possible. I'm unavailable until Thursday of
   > next week, but not necessarily suggesting this gets moved.
   >
   > Jon
   >
   > On Thu, Sep 21, 2017, 15:04 Otto Fowler wrote:
   >
   >> I can’t make that time, can we make it later in the day?
   >>
   >> On September 21, 2017 at 11:40:37, James Sirota (jsir...@apache.org)
   >> wrote:
   >>
   >> https://hortonworks.webex.com/meet/jsirota
   > --
   >
   > Jon

   ---
   Thank you,

   James Sirota
   PPMC- Apache Metron (Incubating)
   jsirota AT apache DOT org
>>>  --
>>>
>>>  Jon
>>
>>  ---
>>  Thank you,
>>
>>  James Sirota
>>  PPMC- Apache Metron (Incubating)
>>  jsirota AT apache DOT org

--- 
Thank you,

James Sirota
PPMC- Apache Metron (Incubating)
jsirota AT apache DOT org


[GitHub] metron issue #779: METRON-1218: Metron REST should return better error messa...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on the issue:

https://github.com/apache/metron/pull/779
  
+1



---


[GitHub] metron pull request #779: METRON-1218: Metron REST should return better erro...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on a diff in the pull request:

https://github.com/apache/metron/pull/779#discussion_r142513786
  
--- Diff: 
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/RestExceptionHandler.java
 ---
@@ -35,7 +36,7 @@
   @ResponseBody
   ResponseEntity handleControllerException(HttpServletRequest request, 
Throwable ex) {
 HttpStatus status = getStatus(request);
-return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), getFullMessage(ex)), status);
+return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), ExceptionUtils.getStackTrace(ex)), status);
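
Review bot: the new third argument to `RestError`, `ExceptionUtils.getStackTrace(ex)`, places the full stack trace in the `@ResponseBody` that `handleControllerException` returns, and it does so for any `Throwable` the handler receives. A stack trace carries package, class and line-number detail that a REST client does not need and that describes the server's internals to anyone who can trigger an error. Consider keeping a short cause message in the response and writing the stack trace to the server log from this method instead; no logging call is visible in this hunk.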
--- End diff --

It is not in logs that is the problem, it is if it is in the UI.  I think 
that it would apply to rest too... but I am not sure on that


---


[GitHub] metron issue #782: METRON-1222 fix warning for The expression ${parent.versi...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on the issue:

https://github.com/apache/metron/pull/782
  
+1


---


[GitHub] metron issue #782: METRON-1222 fix warning for The expression ${parent.versi...

2017-10-03 Thread dbist
Github user dbist commented on the issue:

https://github.com/apache/metron/pull/782
  
@mmiklavc @ottobackwards updated the title, thank you.


---


[GitHub] metron pull request #779: METRON-1218: Metron REST should return better erro...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on a diff in the pull request:

https://github.com/apache/metron/pull/779#discussion_r142478606
  
--- Diff: 
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/RestExceptionHandler.java
 ---
@@ -35,7 +36,7 @@
   @ResponseBody
   ResponseEntity handleControllerException(HttpServletRequest request, 
Throwable ex) {
 HttpStatus status = getStatus(request);
-return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), getFullMessage(ex)), status);
+return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), ExceptionUtils.getStackTrace(ex)), status);
--- End diff --


https://www.owasp.org/index.php/Error_Handling#Vulnerable_Patterns_for_Error_Handling


---


[GitHub] metron pull request #779: METRON-1218: Metron REST should return better erro...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on a diff in the pull request:

https://github.com/apache/metron/pull/779#discussion_r142477613
  
--- Diff: 
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/RestExceptionHandler.java
 ---
@@ -35,7 +36,7 @@
   @ResponseBody
   ResponseEntity handleControllerException(HttpServletRequest request, 
Throwable ex) {
 HttpStatus status = getStatus(request);
-return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), getFullMessage(ex)), status);
+return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), ExceptionUtils.getStackTrace(ex)), status);
--- End diff --


https://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files



---


[GitHub] metron pull request #779: METRON-1218: Metron REST should return better erro...

2017-10-03 Thread cestella
Github user cestella commented on a diff in the pull request:

https://github.com/apache/metron/pull/779#discussion_r142471360
  
--- Diff: 
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/RestExceptionHandler.java
 ---
@@ -35,7 +36,7 @@
   @ResponseBody
   ResponseEntity handleControllerException(HttpServletRequest request, 
Throwable ex) {
 HttpStatus status = getStatus(request);
-return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), getFullMessage(ex)), status);
+return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), ExceptionUtils.getStackTrace(ex)), status);
--- End diff --

I think I can live with just the root cause, but I'd like to know how 
exposing the stack trace is a security issue first.  Can you clarify the 
reasoning behind it, @ottobackwards ?  It's not that I disbelieve you, but I'd 
like to better understand because we currently have stack traces in logs all 
over the place.


---


[GitHub] metron issue #768: Metron 1123: Add group by option using faceted search cap...

2017-10-03 Thread merrimanr
Github user merrimanr commented on the issue:

https://github.com/apache/metron/pull/768
  
I spun this up in full dev and it's working pretty well.  The only 
functional issue I could find was that the bulk actions are disabled when 
alerts are selected in group/tree view.  This is likely due to the fact that 
tree view inherits from list view and selectedAlerts are part of list view.

Other than that I think this is pretty close.  We should add an e2e test 
for bulk actions in tree view (would have caught the issue above).  Also is 
there a test for group reordering (drag and drop)?


---


[GitHub] metron pull request #768: Metron 1123: Add group by option using faceted sea...

2017-10-03 Thread merrimanr
Github user merrimanr commented on a diff in the pull request:

https://github.com/apache/metron/pull/768#discussion_r142454390
  
--- Diff: 
metron-platform/metron-indexing/src/main/java/org/apache/metron/indexing/dao/metaalert/MetaAlertCreateResponse.java
 ---
@@ -28,4 +28,4 @@ public boolean isCreated() {
   public void setCreated(boolean created) {
 this.created = created;
   }
-}
+}
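
Review bot: the closing brace of `MetaAlertCreateResponse` is removed and re-added with identical text (`-}` / `+}`), so the only possible difference is whitespace or the end-of-file newline. If the final newline was dropped, restore it so the file does not carry a change unrelated to the group-by feature.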
--- End diff --

Was this intentional?


---


[GitHub] metron pull request #768: Metron 1123: Add group by option using faceted sea...

2017-10-03 Thread merrimanr
Github user merrimanr commented on a diff in the pull request:

https://github.com/apache/metron/pull/768#discussion_r142454353
  
--- Diff: 
metron-platform/metron-elasticsearch/src/main/java/org/apache/metron/elasticsearch/dao/MetaAlertStatus.java
 ---
@@ -31,4 +31,4 @@
   public String getStatusString() {
 return statusString;
   }
-}
+}
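
Review bot: the last line of `MetaAlertStatus` shows `-}` followed by `+}` with no visible text change, which points to an editor altering the trailing newline. Revert this line unless the whitespace change is deliberate, to keep the diff limited to functional changes.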
--- End diff --

Was this intentional?


---


Re: Error message when changing riskLevelRules

2017-10-03 Thread Nick Allen
Sure, I understand.  I just did that so others have an example to work with
for future reference.

On Tue, Oct 3, 2017 at 11:49 AM, Laurens Vets  wrote:

> Thanks Nick! I'm still on 0.4.1-release, so I haven't had a chance to play
> with your additional THREAT_TRIAGE_* things.
>
>

[GitHub] metron issue #737: METRON-1161: Add ability to edit parser command line opti...

2017-10-03 Thread merrimanr
Github user merrimanr commented on the issue:

https://github.com/apache/metron/pull/737
  
Ok I reverted the SensorParserConfig class so that defaults are not 
provided for numWorkers and numAckers.  I also added help text to make it clear 
to the user what happens when these are not set.  Let me know how this looks.


---


Re: Error message when changing riskLevelRules

2017-10-03 Thread Nick Allen
Laurens -

The problem is that we expect a Stellar expression for the "reason" field.
What you are providing is a string that is not a valid Stellar expression.
For it to be a valid expression you need to add another set of quotes to
make it a Stellar string;  " 'No MFA used.' ".

I definitely see how this can be confusing.  Here is a REPL session of me
working through the problem.  I can see that there is clearly a problem
using the REPL.

(1) Create the rule set that you mentioned in your email.

[Stellar]>>> input := SHELL_EDIT(input)
[Stellar]>>> input
[
  {
    "name": "Not WORK",
    "comment": "Checks whether the field is_work is true or false.",
    "rule": "is_work == false",
    "score": 20,
    "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
  },
  {
    "name": "MFA",
    "comment": "Checks whether MFA used or not.",
    "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
    "score": 20,
    "reason": "No MFA used."
  },
  {
    "name": "MFA2",
    "comment": "Checks whether MFA used or not.",
    "rule": "additionalEventData:MFAUsed == \"No\"",
    "score": 20,
    "reason": "No MFA used."
  }
]
[Stellar]>>> rules := TO_JSON_LIST(input)


(2) Initialize the threat triage engine and add the rules.

[Stellar]>>> t := THREAT_TRIAGE_INIT()
[Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
[!] Unable to parse No MFA used.: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable alternative at input 'NoMFA'
org.apache.metron.stellar.dsl.ParseException: Unable to parse No MFA used.: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable alternative at input 'NoMFA'
    at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:240)
    at org.apache.metron.stellar.common.BaseStellarProcessor.validate(BaseStellarProcessor.java:199)
    at org.apache.metron.common.configuration.enrichment.threatintel.ThreatTriageConfig.setRiskLevelRules(ThreatTriageConfig.java:63)
    at org.apache.metron.management.ThreatTriageFunctions$AddStellarTransformation.apply(ThreatTriageFunctions.java:346)
    at org.apache.metron.stellar.common.StellarCompiler.lambda$exitTransformationFunc$13(StellarCompiler.java:570)
    at org.apache.metron.stellar.common.StellarCompiler$Expression.apply(StellarCompiler.java:169)
    at org.apache.metron.stellar.common.BaseStellarProcessor.parse(BaseStellarProcessor.java:152)
    at org.apache.metron.stellar.common.shell.StellarExecutor.execute(StellarExecutor.java:292)
    at org.apache.metron.stellar.common.shell.StellarShell.handleStellar(StellarShell.java:277)
    at org.apache.metron.stellar.common.shell.StellarShell.execute(StellarShell.java:509)
    at org.jboss.aesh.console.AeshProcess.run(AeshProcess.java:53)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.metron.stellar.dsl.ParseException: Unable to parse: No MFA used. due to: org.apache.metron.stellar.dsl.ParseException: Syntax error @ 1:3 no viable ...


(3) Clearly there is a problem.  I then edited the input to add the quotes
as I suggested.

[Stellar]>>> input := SHELL_EDIT(input)
[Stellar]>>> input
[
  {
    "name": "Not WORK",
    "comment": "Checks whether the field is_work is true or false.",
    "rule": "is_work == false",
    "score": 20,
    "reason": "FORMAT('%s is not a WORK network!', sourceIPAddress)"
  },
  {
    "name": "MFA",
    "comment": "Checks whether MFA used or not.",
    "rule": "userIdentity:sessionContext:attributes:mfaAuthenticated == \"False\"",
    "score": 20,
    "reason": "'No MFA used.'"
  },
  {
    "name": "MFA2",
    "comment": "Checks whether MFA used or not.",
    "rule": "additionalEventData:MFAUsed == \"No\"",
    "score": 20,
    "reason": "'No MFA used.'"
  }
]
[Stellar]>>> rules := TO_JSON_LIST(input)


(4) Again, initialize the threat triage engine and add the rules.

[Stellar]>>> t := THREAT_TRIAGE_INIT()
[Stellar]>>> THREAT_TRIAGE_ADD(t, rules)
{
  "enrichment" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : [ {
        "name" : "Not WORK",
        "comment" : "Checks whether the 

FW: Change to Indexing section of Admin Guide

2017-10-03 Thread Rita McKissick
Sorry, please disregard this email. Sent to wrong email alias.

Rita

Rita McKissick ! Sr. Technical Writer
rmckiss...@hortonworks.com
(mobile) 831-234-3676









On 10/3/17, 6:53 AM, "Rita McKissick"  wrote:

>Hi everyone,
>
>Jasper requested that I copy the section on tuning HDFS to the section on 
>Indexing. So, I’ve added this section to the Indexing section on the Admin 
>Guide:
>http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HCP1/HCP-1-trunk/bk_administration/content/configuring_indexing.html
>
>Let me know if you have any suggestions or feedback on this change.
>
>Thanks,
>
>Rita
>
>Rita McKissick ! Sr. Technical Writer
>rmckiss...@hortonworks.com
>(mobile) 831-234-3676
>
>


[GitHub] metron issue #768: Metron 1123: Add group by option using faceted search cap...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on the issue:

https://github.com/apache/metron/pull/768
  
What does the ungroup button **do** when you hit it and it is still in 
table view?


---


[GitHub] metron pull request #779: METRON-1218: Metron REST should return better erro...

2017-10-03 Thread merrimanr
Github user merrimanr commented on a diff in the pull request:

https://github.com/apache/metron/pull/779#discussion_r142419159
  
--- Diff: 
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/RestExceptionHandler.java
 ---
@@ -35,7 +36,7 @@
   @ResponseBody
   ResponseEntity handleControllerException(HttpServletRequest request, 
Throwable ex) {
 HttpStatus status = getStatus(request);
-return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), getFullMessage(ex)), status);
+return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), ExceptionUtils.getStackTrace(ex)), status);
--- End diff --

My vote would be root cause in the REST response, full stack trace in the 
logs.  I would also vote to skip the separate profile for stack trace.  Turning 
that on and restarting REST would be more effort than just looking at the log.  
Doubt anyone would use it.

I think this is a minor issue.  I would be good with either.


---
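
The split voted for in the comment above (root cause in the REST response, full stack trace in the logs), shown as an added example that is not Metron's code or part of the pull request. It uses only the JDK rather than Spring; `ClientError`, `handle`, the incident id that links a response to its log entry, and the sample exception are assumptions made for the illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, JDK only. ClientError, handle() and the incident id are
// hypothetical names, not classes or fields from metron-rest.
public class RestErrorSplitExample {

  private static final Logger LOG = Logger.getLogger("rest.errors");

  /** Body returned to the caller: status, messages and an id, no stack frames. */
  static final class ClientError {
    final int responseCode;
    final String message;
    final String rootCause;
    final String incidentId;

    ClientError(int responseCode, String message, String rootCause, String incidentId) {
      this.responseCode = responseCode;
      this.message = message;
      this.rootCause = rootCause;
      this.incidentId = incidentId;
    }

    @Override
    public String toString() {
      return responseCode + " message=\"" + message + "\" rootCause=\"" + rootCause
          + "\" incident=" + incidentId;
    }
  }

  /** Follows getCause() to the innermost exception; the set stops on a cause cycle. */
  static Throwable rootCause(Throwable ex) {
    Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<Throwable, Boolean>());
    Throwable current = ex;
    while (current.getCause() != null && seen.add(current)) {
      current = current.getCause();
    }
    return current;
  }

  /** Logs the full trace server-side and builds the reduced client body. */
  static ClientError handle(int status, Throwable ex) {
    String incidentId = UUID.randomUUID().toString();
    // The stack trace goes to the log only, tagged so an operator can find it.
    LOG.log(Level.SEVERE, "REST request failed, incident=" + incidentId, ex);
    String root = rootCause(ex).getMessage();
    return new ClientError(status, ex.getMessage(),
        root != null ? root : "unexpected error", incidentId);
  }

  /** What the response would have carried had the trace been embedded in it. */
  static String stackTraceOf(Throwable ex) {
    StringWriter out = new StringWriter();
    ex.printStackTrace(new PrintWriter(out, true));
    return out.toString();
  }

  public static void main(String[] args) {
    // Constructed failure: a wrapped exception, as a controller might throw.
    Throwable failure = new RuntimeException("Unable to save sensor config",
        new IllegalStateException("Connection to ZooKeeper lost"));

    ClientError body = handle(500, failure);
    System.out.println("client sees: " + body);

    String trace = stackTraceOf(failure);
    System.out.println("trace kept out of the response: " + trace.length() + " chars");
    System.out.println("client body contains stack frames: "
        + body.toString().contains("\tat "));
  }
}
```

Exception messages can themselves carry internal detail, so the root-cause string still deserves review before it is returned to clients.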


[GitHub] metron issue #768: Metron 1123: Add group by option using faceted search cap...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on the issue:

https://github.com/apache/metron/pull/768
  
It looks like it is working now.  Maybe this error was an artifact or 
manifestation of the dependency issues that 'resolved' themselves.  I'll get 
going


---


[GitHub] metron issue #768: Metron 1123: Add group by option using faceted search cap...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on the issue:

https://github.com/apache/metron/pull/768
  
I am going to try again


---


[GitHub] metron issue #737: METRON-1161: Add ability to edit parser command line opti...

2017-10-03 Thread cestella
Github user cestella commented on the issue:

https://github.com/apache/metron/pull/737
  
Wait, I'm confused, the current behavior is to default to the storm config. 
 Why did you pull that into the SensorParserConfig?

The issue with what you've done here is that when you save out the configs 
into zookeeper, you are serializing the object with the values set (including 
those defaults).  Now, if someone restarts the topology, those are the values 
set regardless of what is set in the storm config.

Can we please just solve this by some hover-over text indicating if the 
field is not set, then the storm defaults are used?  Maybe even indicating what 
the default currently is.  I'd have honestly made those values Optional if I 
could've (serialization issues caused that not to be the case).

I guess what I'm saying is that, no, I don't like this approach. :)


---


Change to Indexing section of Admin Guide

2017-10-03 Thread Rita McKissick
Hi everyone,

Jasper requested that I copy the section on tuning HDFS to the section on 
Indexing. So, I’ve added this section to the Indexing section on the Admin 
Guide:
http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HCP1/HCP-1-trunk/bk_administration/content/configuring_indexing.html

Let me know if you have any suggestions or feedback on this change.

Thanks,

Rita

Rita McKissick ! Sr. Technical Writer
rmckiss...@hortonworks.com
(mobile) 831-234-3676




[GitHub] metron pull request #779: METRON-1218: Metron REST should return better erro...

2017-10-03 Thread cestella
Github user cestella commented on a diff in the pull request:

https://github.com/apache/metron/pull/779#discussion_r142407343
  
--- Diff: 
metron-interface/metron-rest/src/main/java/org/apache/metron/rest/controller/RestExceptionHandler.java
 ---
@@ -35,7 +36,7 @@
   @ResponseBody
   ResponseEntity handleControllerException(HttpServletRequest request, 
Throwable ex) {
 HttpStatus status = getStatus(request);
-return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), getFullMessage(ex)), status);
+return new ResponseEntity<>(new RestError(status.value(), 
ex.getMessage(), ExceptionUtils.getStackTrace(ex)), status);
--- End diff --

Well, the stack trace is generally more helpful in debugging than just the 
root cause, so yeah, I kinda wanted the stack trace along with the root cause.  
I'm willing to be argued with, but as a dev, I'd like to know line numbers of 
failures along with why.


---


[GitHub] metron issue #768: Metron 1123: Add group by option using faceted search cap...

2017-10-03 Thread ottobackwards
Github user ottobackwards commented on the issue:

https://github.com/apache/metron/pull/768
  
I run this standard [checkout-pr](https://github.com/ottobackwards/Metron-and-Nifi-Scripts/blob/master/metron/checkout-pr) script, to download in to ~/tmp.

cd into the directory created 's metron-deployment/vagrant/full-dev-platform
vagrant up



---


[GitHub] metron issue #768: Metron 1123: Add group by option using faceted search cap...

2017-10-03 Thread iraghumitra
Github user iraghumitra commented on the issue:

https://github.com/apache/metron/pull/768
  
@ottobackwards If you don't mind can you give me exact steps to simulate the 
installation issue. I seem to miss something here.


---