Thanks for the answers Simon!
On 22-Jan-18 10:05, Simon Elliston Ball wrote:
Hi Laurens,
A few quick answers inline…
Simon
On 20 Jan 2018, at 00:37, Laurens Vets <[email protected]> wrote:
Hi list,
I have some general Alerts UI questions/comments/remarks, I hope you
don't mind :) I'm using the UI that's part of Metron 0.4.2. These
apply to my specific use case, so I might be completely wrong in how
I use the UI…
Comment and feedback are always welcome!
- When you're talking about 'alerts', from what I can see in the UI,
that's synonymous with just events in elasticsearch right? Wouldn't
it make more sense to treat alerts as events where "is_alert" == True?
At present the search does not exclude non-alerts… it’s maybe a little
odd to call it the alerts view right now, but right now it’s the only
way to see everything, so this should probably separate out into an
‘everything’ hunting-focused view and an alerts-only view.
The reason I kinda like the current approach is that it’s good for
picking up things that have become alerts because they’re in threat
intel for example, along with things clustered against them by
something like the new TLSH functions, which makes it easier to
combine known alerts with un-detected events in a meta alert.
- It seems that everything I do in the UI is only stored locally? See
https://github.com/apache/metron/tree/master/metron-interface/metron-alerts.
Can this be made persistent for multiple people?
Yep. A lot of the preferences, saved searches, column layouts etc., are
stored in local storage by the browser right now. We need a REST
endpoint and to figure out how to store them (against user / against a
group / global??? thoughts?) server side. A lot of the mechanism to do
that is in, it’s just not quite done done because of those open
questions I expect.
- How can I change the content "Filters" on the left of the UI?
You wait for https://github.com/apache/metron/pull/853 to land.
- How do I create a MetaAlert?
You can create a meta-alert from a grouped set of alerts: use the
grouping buttons at the top and you’ll find a merge alert. Slightly
odd process at the moment, true, but a button to create a meta-alert
from all the selected, or all the visible alerts on the results page
might be a good addition, what do you think?
Very quick video of the current method here: https://youtu.be/JkFeNKTOd38
- What's the plan regarding notifying someone when alerts trigger?
Currently there is no external notification, but the answer here would
likely be to consume the indexing topic in kafka and integrate to an
enterprise alarm or monitoring system (alerting and alarms is a
massive topic which probably deserves its own project beyond metron
and I’ve seen people use all sorts of things for this, usually some
big enterprisey thing mandated by IT).
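The notification approach Simon describes (consume the indexing topic and hand matching events to an external system), combined with Laurens' point that alerts are events where `is_alert` is true, as an added example in Python. This is not Apache Metron project code. The Kafka topic name `indexing`, the kafka-python client, the `threat_triage_score` field used for a minimum-severity cutoff, and the sample messages are all assumptions constructed for illustration; only the `is_alert` field comes from the thread.

```python
"""Added example (not Metron code): forward only true alerts from the
indexing topic to a notifier, tolerating malformed records."""
import json
from typing import Callable, Iterable, List

# Constructed sample records in the rough shape of indexed Metron events.
# `is_alert` may arrive as a JSON boolean or as the string "true"; the
# other field names and values are assumptions for this example.
SAMPLE_INDEXING_MESSAGES = [
    '{"source.type": "bro", "ip_src_addr": "10.0.0.5", '
    '"is_alert": "true", "threat_triage_score": 60.0}',
    '{"source.type": "bro", "ip_src_addr": "10.0.0.6"}',
    '{"source.type": "snort", "ip_src_addr": "10.0.0.7", "is_alert": true}',
    '{"source.type": "yaf", "ip_src_addr": "10.0.0.8", "is_alert": "false"}',
    'this is not json',  # a bad record must not kill the consumer loop
]


def is_alert(event: dict) -> bool:
    """True only for events explicitly flagged as alerts (bool or "true")."""
    value = event.get("is_alert", False)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def parse_events(raw_messages: Iterable[str]) -> List[dict]:
    """Decode raw topic payloads, skipping anything that is not a JSON object."""
    events = []
    for raw in raw_messages:
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue  # log and drop in production; never crash on one bad record
        if isinstance(obj, dict):
            events.append(obj)
    return events


def format_notification(event: dict) -> str:
    """One-line summary suitable for an alarm or monitoring system."""
    return "[{}] alert from {} (score {})".format(
        event.get("source.type", "unknown"),
        event.get("ip_src_addr", "?"),
        event.get("threat_triage_score", "n/a"),
    )


def route_alerts(events: Iterable[dict], notify: Callable[[str], None],
                 min_score: float = 0.0) -> int:
    """Send a notification for each alert at or above min_score; return count."""
    sent = 0
    for event in events:
        if not is_alert(event):
            continue
        try:
            score = float(event.get("threat_triage_score") or 0.0)
        except (TypeError, ValueError):
            score = 0.0
        if score < min_score:
            continue
        notify(format_notification(event))
        sent += 1
    return sent


def consume_indexing_topic(bootstrap_servers: str, topic: str = "indexing",
                           notify: Callable[[str], None] = print,
                           min_score: float = 0.0) -> None:
    """Live path (assumed kafka-python client; imported lazily so the
    offline demo below runs without it)."""
    from kafka import KafkaConsumer  # assumption: pip install kafka-python
    consumer = KafkaConsumer(
        topic,
        bootstrap_servers=bootstrap_servers,
        value_deserializer=lambda b: b.decode("utf-8"),
    )
    for record in consumer:
        route_alerts(parse_events([record.value]), notify, min_score)


if __name__ == "__main__":
    # Offline demo over the constructed records: two alerts, one above score 50.
    events = parse_events(SAMPLE_INDEXING_MESSAGES)
    print("all alerts:", route_alerts(events, print))
    print("score >= 50:", route_alerts(events, print, min_score=50.0))
```

The filter accepts both the boolean and string spellings of `is_alert` because the same event may be serialised differently along the pipeline; the minimum-score cutoff is what stops the enterprise alarm system from paging on every low-scoring threat-intel hit.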