Re: Metron 0.3.1 Threat Triage is not working

2017-03-30 Thread Ali Nazemian
>: "syslog_severity== 'error'", >> "score": 75, >> "reason": null >> }, >> { >> "name": "Medium severity rule", >>

Re: Metron capability to enrich a list granularity

2017-04-03 Thread Ali Nazemian
ght, but this > is what I remember. It is probably worth the effort to validate this in > your environment and see if any problems arise. It should be fairly simple > to validate. > > > > > > On Sun, Apr 2, 2017 at 10:50 PM, Ali Nazemian <alinazem...@gmail.com> >

Metron has been broken due to issue with Kafka

2017-04-05 Thread Ali Nazemian
Hi all, I have had some issues clearing the "enrichments" and "indexing" Kafka topics, so I have tried deleting and removing these topics. I have had some trouble clearing those topics. I tried to remove those topics and create them again. Unfortunately, Kafka did not remove the topic gracefully so I

Re: Journey out of the Incubator (update)

2017-04-04 Thread Ali Nazemian
Great news! Congratulations. Metron is a great product with a bright future. On Tue, Apr 4, 2017 at 10:27 PM, zeo...@gmail.com wrote: > Very exciting, thanks Casey. > > Jon > > On Tue, Apr 4, 2017, 8:18 AM Kyle Richardson > wrote: > >> That's

Metron capability to enrich a list granularity

2017-04-02 Thread Ali Nazemian
Hi all, I was wondering how I can achieve the following use case in the current version of Metron? I want to have attributes in the Metron JSON object that are an array. For example, if a threat is impacting multiple users, they are all contained in an attribute (e.g. user_id:[id1, id2,

Customize attribute name for enrichment as well as threat intel

2017-04-02 Thread Ali Nazemian
Hi all, How can I change the default attribute naming inside Metron? I want to normalize the Metron JSON object across several sources. However, some of the sources do not provide specific attributes in the primary feed. For example, I want to know the computer name across all sources. Two

Re: Metron has been broken due to issue with Kafka

2017-04-05 Thread Ali Nazemian
r will help in this. Someone who is more of a Kafka >> expert than me should speak, but my understanding is that should make >> deleting topics less of a pain going forward. >> >> On Wed, Apr 5, 2017 at 5:27 AM, Ali Nazemian <alinazem...@gmail.com> >> wrote: >

Re: Building a customized version of ASA parser with Grok

2017-03-09 Thread Ali Nazemian
ok expression, due to the >> fact that the format of the second ‘half’ of the message is dependent on >> the device tag. >> >> The best bet is almost certainly to modify the patterns for the existing >> asa parser in this instance, which will be a lot easier. >>

Building a customized version of ASA parser with Grok

2017-03-06 Thread Ali Nazemian
Hi all, I am building a customized version of the ASA parser using Grok statements. I have prepared the Grok requirements so far. I am using the following manual which has been provided for the Grok squid parser. I

Re: Building a customized version of ASA parser with Grok

2017-03-07 Thread Ali Nazemian
. If you find it's missing patterns or requires modifications, > I'd be happy to work with you to improve on it. > > You should be able to test it out by creating a new Kafka topic 'asa' and > pointing your raw logs there. Let me know if you run into any issues. > > Thanks, > Kyle

Re: Building a customized version of ASA parser with Grok

2017-03-07 Thread Ali Nazemian
ying base patterns. > > Simon > > On 8 Mar 2017, at 00:13, Ali Nazemian <alinazem...@gmail.com> wrote: > > Hi Kyle, > > Thank you very much. I should have asked the question earlier. We have > done most of the Grok statement implementations so far! I haven't > c

Re: Building a customized version of ASA parser with Grok

2017-03-07 Thread Ali Nazemian
; Hence you will need to back up the patterns on HDFS to preserve them > between upgrades as it stands. > > Simon > > Sent from my iPhone > > On 8 Mar 2017, at 00:26, Ali Nazemian <alinazem...@gmail.com> wrote: > > Hi Simon, > > How can I manage that through

Metron 0.3.1 Threat Triage is not working

2017-03-30 Thread Ali Nazemian
Hi all, I have got the following Threat Triage rule related to our Metron use case. I have configured the threat triage inside the Metron Management UI. However, I cannot see any result inside Elasticsearch after this configuration. Do I need to do any other configuration related to Threat