Posted to user@metron.apache.org by Laurens Vets <la...@daemon.be> on 2018/01/20 00:37:44 UTC

Some Metron Alerts UI questions

Hi list,

I have some general Alerts UI questions/comments/remarks, I hope you 
don't mind :) I'm using the UI that's part of Metron 0.4.2. These apply 
to my specific use case, so I might be completely wrong in how I use the 
UI...

- When you're talking about 'alerts', from what I can see in the UI, 
that's synonymous with just events in elasticsearch right? Wouldn't it 
make more sense to treat alerts as events where "is_alert" == True?

- It seems that everything I do in the UI is only stored locally? See 
https://github.com/apache/metron/tree/master/metron-interface/metron-alerts. 
Can this be made persistent for multiple people?

- How can I change the content "Filters" on the left of the UI?

- How do I create a MetaAlert?

- What's the plan regarding notifying someone when alerts trigger?

Re: Some Metron Alerts UI questions

Posted by "Vets, Laurens" <la...@daemon.be>.
Thanks for the answers Simon!

On 22-Jan-18 10:05, Simon Elliston Ball wrote:
> Hi Laurens,
>
> A few quick answers inline…
>
> Simon
>
>> On 20 Jan 2018, at 00:37, Laurens Vets <laurens@daemon.be 
>> <ma...@daemon.be>> wrote:
>>
>> Hi list,
>>
>> I have some general Alerts UI questions/comments/remarks, I hope you 
>> don't mind :) I'm using the UI that's part of Metron 0.4.2. These 
>> apply to my specific use case, so I might be completely wrong in how 
>> I use the UI…
>
> Comment and feedback are always welcome!
>
>>
>> - When you're talking about 'alerts', from what I can see in the UI, 
>> that's synonymous with just events in elasticsearch right? Wouldn't 
>> it make more sense to treat alerts as events where "is_alert" == True?
>
> At present the search does not exclude non-alerts… it’s maybe a little 
> odd to call it the alerts view right now, but right now it’s the only 
> way to see everything, so this should probably separate out into an 
> ‘everything’ hunting focused view and an alerts-only view.
>
> The reason I kinda like the current approach is that it’s good for 
> picking up things that have become alerts because they’re in threat 
> intel for example, along with things clustered against them by 
> something like the new TLSH functions, which makes it easier to 
> combine known alerts with un-detected events in a meta alert.
>
>> - It seems that everything I do in the UI is only stored locally? See 
>> https://github.com/apache/metron/tree/master/metron-interface/metron-alerts. 
>> Can this be made persistent for multiple people?
>
> Yep. A lot of the preferences, saved searches, column layouts etc, are 
> stored in local storage by the browser right now. We need a REST 
> endpoint and to figure out how to store them (against user / against a 
> group / global??? thoughts?) server side. A lot of the mechanism to do 
> that is in, it’s just not quite done done because of those open 
> questions I expect.
>
>> - How can I change the content "Filters" on the left of the UI?
>
> You wait for https://github.com/apache/metron/pull/853 to land.
>
>> - How do I create a MetaAlert?
>
> You can create a meta-alert from a grouped set of alerts, use the 
> grouping buttons at the top and you’ll find a merge alert. Slightly 
> odd process at the moment true, but a button to create a meta-alert 
> from all the selected, or all the visible alerts on the results page 
> might be a good addition, what do you think?
>
> Very quick video of the current method here: https://youtu.be/JkFeNKTOd38
>
>> - What's the plan regarding notifying someone when alerts trigger?
>
> Currently there is no external notification, but the answer here would 
> likely be to consume the indexing topic in kafka and integrate to an 
> enterprise alarm or monitoring system (alerting and alarms is a 
> massive topic which probably deserves its own project beyond metron 
> and I’ve seen people use all sorts of things for this, usually some 
> big enterprisey thing mandated by IT).


Re: Some Metron Alerts UI questions

Posted by Simon Elliston Ball <si...@simonellistonball.com>.
Hi Laurens, 

A few quick answers inline…

Simon

> On 20 Jan 2018, at 00:37, Laurens Vets <la...@daemon.be> wrote:
> 
> Hi list,
> 
> I have some general Alerts UI questions/comments/remarks, I hope you don't mind :) I'm using the UI that's part of Metron 0.4.2. These apply to my specific use case, so I might be completely wrong in how I use the UI…

Comment and feedback are always welcome!

> 
> - When you're talking about 'alerts', from what I can see in the UI, that's synonymous with just events in elasticsearch right? Wouldn't it make more sense to treat alerts as events where "is_alert" == True?
> 

At present the search does not exclude non-alerts… it’s maybe a little odd to call it the alerts view right now, but right now it’s the only way to see everything, so this should probably separate out into an ‘everything’ hunting focused view and an alerts-only view.

The reason I kinda like the current approach is that it’s good for picking up things that have become alerts because they’re in threat intel for example, along with things clustered against them by something like the new TLSH functions, which makes it easier to combine known alerts with un-detected events in a meta alert.

> - It seems that everything I do in the UI is only stored locally? See https://github.com/apache/metron/tree/master/metron-interface/metron-alerts. Can this be made persistent for multiple people?

Yep. A lot of the preferences, saved searches, column layouts etc, are stored in local storage by the browser right now. We need a REST endpoint and to figure out how to store them (against user / against a group / global??? thoughts?) server side. A lot of the mechanism to do that is in, it’s just not quite done done because of those open questions I expect. 

> 
> - How can I change the content "Filters" on the left of the UI?

You wait for https://github.com/apache/metron/pull/853 to land. 

> 
> - How do I create a MetaAlert?

You can create a meta-alert from a grouped set of alerts, use the grouping buttons at the top and you’ll find a merge alert. Slightly odd process at the moment true, but a button to create a meta-alert from all the selected, or all the visible alerts on the results page might be a good addition, what do you think?

Very quick video of the current method here: https://youtu.be/JkFeNKTOd38

> 
> - What's the plan regarding notifying someone when alerts trigger?

Currently there is no external notification, but the answer here would likely be to consume the indexing topic in kafka and integrate to an enterprise alarm or monitoring system (alerting and alarms is a massive topic which probably deserves its own project beyond metron and I’ve seen people use all sorts of things for this, usually some big enterprisey thing mandated by IT).
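The thread raises two related points: the UI does not yet restrict itself to events where is_alert is true, and notification would have to be built by consuming the indexing topic in Kafka. The following is an added example, not Metron's own code, of the consumer-side filter such an integration needs: it parses indexing-topic documents, keeps only alerts (optionally above a triage score), and rolls them up per source type. The sample messages are constructed, and the assumption that is_alert may arrive either as a JSON boolean or as the string "true" is the author's, not something the thread states.

```python
import json
from collections import Counter

# Constructed sample of the JSON documents Metron publishes to its indexing
# topic, one per Kafka message. Field names follow Metron conventions
# (is_alert, source.type, threat.triage.score); the values are made up.
SAMPLE_MESSAGES = [
    '{"source.type": "bro", "ip_src_addr": "10.0.0.5", "is_alert": "true", "threat.triage.score": 80.0}',
    '{"source.type": "bro", "ip_src_addr": "10.0.0.6"}',
    '{"source.type": "snort", "ip_src_addr": "10.0.0.7", "is_alert": true, "threat.triage.score": 50.0}',
    '{"source.type": "yaf", "ip_src_addr": "10.0.0.8", "is_alert": "false"}',
    'not json at all',
]


def is_alert(doc):
    """Assumption: is_alert may be a JSON boolean or the string "true"."""
    value = doc.get("is_alert")
    if isinstance(value, bool):
        return value
    return str(value).lower() == "true"


def select_alerts(raw_messages, min_score=0.0):
    """Parse each raw message, skip malformed ones, keep alerts scoring >= min_score."""
    alerts = []
    for raw in raw_messages:
        try:
            doc = json.loads(raw)
        except ValueError:
            continue  # a malformed message must not stall the consumer
        if not isinstance(doc, dict) or not is_alert(doc):
            continue
        if float(doc.get("threat.triage.score", 0.0)) < min_score:
            continue
        alerts.append(doc)
    return alerts


def summarize(alerts):
    """Count alerts per source.type, the shape an alarm/monitoring hook would receive."""
    return dict(Counter(a.get("source.type", "unknown") for a in alerts))


if __name__ == "__main__":
    # In a real deployment the raw strings would come from a Kafka consumer on
    # the "indexing" topic (e.g. kafka-python's KafkaConsumer) instead of the
    # constructed list above.
    print(summarize(select_alerts(SAMPLE_MESSAGES, min_score=60.0)))
```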