__
Ahmed Shah (PMP, M. Eng.)
Cybersecurity Analyst & Developer
GCR - Cybersecurity Operations Center
Carleton University - cugcr.com<https://cugcr.com/tiki/lce/index.php>
From: Otto Fowler
Sent: December 13, 2017 5:24 PM
We could also filter out of enrichment to a different topology based on
field like Simon has said so that the rules are run on a filtered set etc.
also s/Ever/Either/
On December 13, 2017 at 17:03:15, Otto Fowler (ottobackwa...@gmail.com)
wrote:
While summary of _any_ metron data ( perhaps by q
While summary of _any_ metron data ( perhaps by query etc ) would be good,
let us not lose sight of the OP’s issue. Ever with summary|digest or one
at a time, they are looking for sending mails to certain people based on
rule.
A pseudo path may be
INDEXING -> New Topology or ?? -> evaluate rules
That makes a lot of sense, especially if you wanted the detail in the email as
well. We could definitely use some good "reporting of alerts” functionality
that would make something like that work. What do people think?
Simon
> On 13 Dec 2017, at 21:52, James Sirota wrote:
>
> I think there ma
I think there may be gaps in doing it with the profiler. You can record stats
and counts of different alert types, and maybe even alert ids, but you can't
cross-correlate these IDs to the alert body. At least not in the profiler. I
was thinking about emailing something that looks like a zeppe
We can already do that with profiles I would have thought. Create a profile
that only picks alerts and then base your emails only from the alert events
produced by that profile. Would that create the right batching mechanism (at a
cost of possible higher latency than you might get with a more sp
I agree with Simon. If you email each alert individually you will be
overwhelmed. I think a better idea would be to email alert summaries
periodically, which is more manageable. This is probably a feature worthy of
consideration for Metron.
13.12.2017, 12:19, "Simon Elliston Ball" :
> Metro
Metron generates alerts onto a Kafka queue, which can be used to integrate with
Alert management tools, usually some sort of existing alert aggregation tool.
An alternative approach common with this is to have a tool like Apache NiFi
attach to the Metron alert feed and send email.
The solution
Hello,
Just wondering if Metron has a feature to email alerts based on rules that a
user defines.
Example:
Rule A: Email the user 1...@1.com whenever ip_src_addr=100.2.10.*
Rule B: Email the user 1...@1.com whenever payload contains "critical"
If not, does anyone have any recommendations on wher