Posted to dev@metron.apache.org by Oliver Fletcher <Ol...@gresearch.co.uk> on 2018/07/02 09:13:46 UTC

Investigator UI meta-alerts

Hi Guys,


I have a quick question regarding the usability of meta-alerts within the investigator UI. We have a high(ish) volume log source (firewall logs, with accept packets being logged). Threat intelligence feeds will match connections to rogue IP addresses and the investigator UI is showing hits with a threat score as advertised.


The issue I'm experiencing is that I have to place a filter 'is_alert:true' within the search bar, otherwise I'll pull in millions of non-interesting events. This view gives me a powerful threat score alert feed, however, when I merge together a group of alerts into a meta-alert, it will not appear in this filtered search any more (because I've specified 'is_alert:true'). If I remove this filter I'll have to trundle through a few billion events to find the meta-alert! It's effectively disappeared into the ether.


Have I implemented this abnormally? It seems that the investigator UI could do with an implicit is_alert:true filter? Then allowing meta-grouped alerts to float into this implicit search base?


Cheers,

Oliver Fletcher


--------------
G-RESEARCH believes the information provided herein is reliable. While every care has been taken to ensure accuracy, the information is furnished to the recipients with no warranty as to the completeness and accuracy of its contents and on condition that any errors or omissions shall not be made the basis of any claim, demand or cause of action.
The information in this email is intended only for the named recipient.  If you are not the intended recipient please notify us immediately and do not copy, distribute or take action based on this e-mail.
All messages sent to and from this e-mail address will be logged by G-RESEARCH and are subject to archival storage, monitoring, review and disclosure.
G-RESEARCH is the trading name of Trenchant Limited, 5th Floor, Whittington House, 19-30 Alfred Place, London WC1E 7EA.
Trenchant Limited is a company registered in England with company number 08127121.
--------------

Re: Investigator UI meta-alerts

Posted by Carolyn Duby <cd...@hortonworks.com>.
Hi Oliver

I still saw Meta alerts even when I was filtering for alerts = true but I am using an earlier version.

You may want to try filtering by score instead.  A meta-alert should have a non-zero score if it includes alerts.

Carolyn Duby
Solutions Engineer, Northeast
cduby@hortonworks.com
+1.508.965.0584

Join my team!
Enterprise Account Manager – Boston - http://grnh.se/wepchv1
Solutions Engineer – Boston - http://grnh.se/8gbxy41
Need Answers? Try https://community.hortonworks.com <https://community.hortonworks.com/answers/index.html>
