Posted to user@metron.apache.org by "Yerex, Tom" <to...@ubc.ca> on 2019/12/03 23:17:50 UTC

Altering the group by and filter fields in Metron Alerts

Good afternoon,

This applies to Metron 0.7.1.

I am working with the Metron Alerts interface to expose data from the Metron geographic outliers case study (https://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html).

We leverage the Elasticsearch common schema as a way to apply consistency to the telemetry we have from a variety of sources. Modifying the columns in Metron Alerts has proven to be fairly straightforward, so instead of “ip_src_addr” I can identify a column as “client.ip”, where “client.ip” is used by ECS (https://www.elastic.co/guide/en/ecs/current/ecs-using-ecs.html).

I would like to alter the filters and “Group By” parts of the Metron Alerts interface to reflect the fields from ECS. Is this possible in the current set-up? If this is not possible, is the Metron project referencing a particular schema for the field names?

Thank you,

Tom.

--
Tom Yerex
Cybersecurity Analyst, Information Technology
Cybersecurity | CISO Office
The University of British Columbia | Musqueam Traditional Territory
Ponderosa Office Annex A | Vancouver BC | V6T1Z2 Canada
Phone 604 822 6531
Privacy Matters @ UBC


Re: Altering the group by and filter fields in Metron Alerts

Posted by Nick Allen <ni...@nickallen.org>.
I do not believe that they are based on another schema, but I am a bit
foggy about where the names like ip_src_addr and ip_dst_addr originated
from.


Re: Altering the group by and filter fields in Metron Alerts

Posted by "Yerex, Tom" <to...@ubc.ca>.
Thank you, Nick.

Would you happen to know if those fields were drawn from a particular schema similar to ECS? My reasoning is if there is a schema out there then my organization would probably benefit by being aware of it when implementing our data structure.

Cheers,

Tom.

Re: Altering the group by and filter fields in Metron Alerts

Posted by Nick Allen <ni...@nickallen.org>.
Hi Tom -

Unfortunately, the field names used for grouping in the Alerts UI are not
configurable at the moment. The one exception is the "source type" field,
but this does not provide the level of configurability that you are looking
for.

The following field names are used for grouping.

   - Source Type: `source:type` (or `source.type`)
   - Destination IP: `ip_dst_addr`
   - Source IP: `ip_src_addr`
   - Country: `enrichments:geo:ip_dst_addr:country`

Ideally, the fields available for grouping could be made configurable, but
that change is not trivial.



