https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108386#M42485 <P>hello to all,</P><P>I have reviewed metron docs and it's been indicated (for many times) that telemetry correlation and anomaly detection are two of metron main tasks.</P><P>Now i need to know which components do these tasks. I'm interested to see the source code doing correlation &amp; anomaly detection.</P><P>Has anyone any idea?does anybody know where can I find them?</P><P>Thanks in advance.</P> Sun, 02 Oct 2016 18:07:08 GMT alizadeh_uut1 2016-10-02T18:07:08Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108386#M42485 <P>hello to all,</P><P>I have reviewed metron docs and it's been indicated (for many times) that telemetry correlation and anomaly detection are two of metron main tasks.</P><P>Now i need to know which components do these tasks. I'm interested to see the source code doing correlation &amp; anomaly detection.</P><P>Has anyone any idea?does anybody know where can I find them?</P><P>Thanks in advance.</P> Sun, 02 Oct 2016 18:07:08 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108386#M42485 alizadeh_uut1 2016-10-02T18:07:08Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108387#M42486 <P>In-depth video is helpful: <A href="https://www.youtube.com/watch?v=5a3HywxY2kQ" target="_blank">https://www.youtube.com/watch?v=5a3HywxY2kQ</A></P><P><A href="https://cwiki.apache.org/confluence/display/METRON/Metron+Architecture#MetronArchitecture-Step1-TelemetryEventBuffer" target="_blank">https://cwiki.apache.org/confluence/display/METRON/Metron+Architecture#MetronArchitecture-Step1-TelemetryEventBuffer</A></P><P>Adding a new event source</P><P><A href="https://cwiki.apache.org/confluence/display/METRON/Adding+a+New+Telemetry+Data+Source" target="_blank">https://cwiki.apache.org/confluence/display/METRON/Adding+a+New+Telemetry+Data+Source</A></P><P>Look through the source:</P><P><A href="https://github.com/apache/incubator-metron/tree/4a4cb8b117dbb66bbfb4915bca9d871a06682c28/metron-platform/metron-enrichment" target="_blank">https://github.com/apache/incubator-metron/tree/4a4cb8b117dbb66bbfb4915bca9d871a06682c28/metron-platform/metron-enrichment</A></P><P>Profiling Behavior of Entities</P><P><A href="https://github.com/apache/incubator-metron/tree/4a4cb8b117dbb66bbfb4915bca9d871a06682c28/metron-analytics/metron-profiler" target="_blank">https://github.com/apache/incubator-metron/tree/4a4cb8b117dbb66bbfb4915bca9d871a06682c28/metron-analytics/metron-profiler</A></P><P><A href="https://cwiki.apache.org/confluence/display/METRON/Metron+Wiki" target="_blank">https://cwiki.apache.org/confluence/display/METRON/Metron+Wiki</A></P><P>Models are stored and data is compared against it.</P> Mon, 10 Oct 2016 22:42:50 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108387#M42486 TimothySpann 2016-10-10T22:42:50Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108388#M42487 <P>There are a variety of meanings of correlation in Metron. </P><P>One means is adding correlation keys in the enrichment process, which then allow you to view events together once they are indexed. So you can correlate events by adding a common search key you can then pivot on in Kibana. This is a great means of investigating correlations between alerts and events.</P><P>For a more statistical approach to correlation, you will want to look into the <A href="https://github.com/apache/incubator-metron/tree/master/metron-analytics/metron-profiler">profiler</A> which maintains windows of data, which can then be used to correlate time series data using, for example, arima in a model managed by the <A href="https://github.com/apache/incubator-metron/tree/master/metron-analytics/metron-maas-service">model as a service infrastructure</A>. This area of Metron is growing quite fast at the moment. I would suggest also looking at the <A href="https://github.com/apache/incubator-metron/tree/master/metron-platform/metron-common">Stellar statistics functions</A> which can be used to build simple anomaly based models as well. It's also easy enough to add functions to Stellar if you want to extend the functionality.</P> Sat, 22 Oct 2016 03:16:26 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108388#M42487 sball 2016-10-22T03:16:26Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108389#M42488 <P><A rel="user" href="https://community.cloudera.com/users/104/sball.html" nodeid="104">@Simon Elliston Ball</A> <A rel="user" href="https://community.cloudera.com/users/9304/tspann.html" nodeid="9304">@Timothy Spann</A></P><P>thank you both for your helpful answers, actually it took me a while to go through your links, but now I know what I needed. <A rel="user" href="https://community.cloudera.com/users/9304/tspann.html" nodeid="9304"></A> </P> Mon, 31 Oct 2016 14:51:25 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108389#M42488 alizadeh_uut1 2016-10-31T14:51:25Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108390#M42489 <P>Could you elaborate on your findings please ? How can I trigger a complex alarm involving simple alarms from different logs ? Is Stellar of any help for it ?</P> Wed, 23 May 2018 16:47:27 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Event-Correlation-and-Anomaly-Detection-in-metron/m-p/108390#M42489 abras 2018-05-23T16:47:27Z