Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How to correlate logs from different assets with Metron to trigger complex use cases ?

abras
Explorer

Created ‎06-05-2018 02:08 PM

I am a Metron newbie looking if it can fit my needs. Say I want to trigger an alarm from an event in the firewall and another one in the Active Directory : 

if event1 and event2 then set alarm_xxx

What workflow / tools are required with Metron please ?

1,085 Views
0 Kudos
Tags (1)
4 REPLIES 4

gcunha
Contributor

Created ‎06-06-2018 02:23 PM

Hi @Alan B,

You can perform logic operations, profiling and create scores and alerts based on that results. You can also use MaaS (Model-as-a-Service) to deploy models and create alerts based on results, etc.

Basically Metron has available a wide number of options to perform a variety of cases, in that way, is quite open.

Visit the following documentation for more information:

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.5.0/bk_analytics/content/overview.html

Visit also the Stellar Language doc:

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.5.0/bk_stellar-quick-ref/content/intro.html

Metron lives atop of Hadoop Stack, in that way, you will have the following requirements:

  • Apache Hadoop;
  • Apache Storm;
  • Apache Kafka;
  • Apache HBase;
  • Apache ZooKeeper.

Visit the following documentation for more information about requirements of HCP/Metron:

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.5.0/bk_installation/content/software_req.html

Hope it helps!

Gonçalo

999 Views

abras
Explorer

Created ‎06-06-2018 02:49 PM

Thanks Gonçalo. To be sure, can you confirm Stellar can be used as a correlation engine in Metron i.e. real time alerting based on logical rules and anything Stellar can do ?

999 Views
0 Kudos

gcunha
Contributor

Created ‎06-06-2018 03:07 PM

Metron has several stages where the event is processed, for example, after you parsed your event you can enrich it, that can be done with Stellar using "GEO_GET" function you can get, based on a GEO list, the origin of an IP.

You can also add your own custom functions or you can do logic, arithmetic operations, etc.

Using Metron UI you can see your alerts in real-time, check the page below for more detail about the UI:

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.5.0/bk_user-guide/content/using_alerts_table.ht...

I would recommend you to install Metron and try it.

Gonçalo

999 Views
0 Kudos

abras
Explorer

Created ‎06-06-2018 03:26 PM

Thank you very much Gonçalo. We are actually in the setup process.

999 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Announcements
Community Announcements
Introducing Community Tours
What's New @ Cloudera
Cloudera Machine Learning now supports adding or replacing GPUs in CML Workspaces
Product Announcements
[ANNOUNCE] Cloudera ODBC Connector version 2.6.16 for Impala Released
What's New @ Cloudera
CML's new Data Discovery and Visualization feature accelerates the data science process and reduces time to insights
What's New @ Cloudera
COD now supports replications for META regions enabled by default
View More Announcements
; ;