
How to correlate logs from different assets with Metron to trigger complex use cases?


I am a Metron newbie looking at whether it can fit my needs. Say I want to trigger an alarm from an event in the firewall and another one in the Active Directory:

if event1 and event2 then set alarm_xxx

What workflow / tools are required with Metron, please?



Hi @Alan B,

You can perform logic operations, profiling, and create scores and alerts based on those results. You can also use MaaS (Model-as-a-Service) to deploy models and create alerts based on their results, etc.

Basically, Metron has a wide number of options available to handle a variety of cases; in that way, it is quite open.

Visit the following documentation for more information:

Visit also the Stellar Language doc:

Metron lives atop the Hadoop stack, so you will have the following requirements:

  • Apache Hadoop;
  • Apache Storm;
  • Apache Kafka;
  • Apache HBase;
  • Apache ZooKeeper.

Visit the following documentation for more information about requirements of HCP/Metron:

Hope it helps!



Thanks Gonçalo. To be sure, can you confirm Stellar can be used as a correlation engine in Metron, i.e. real-time alerting based on logical rules and anything Stellar can do?


Metron has several stages where the event is processed. For example, after you have parsed your event you can enrich it; that can be done with Stellar using the "GEO_GET" function, with which you can get, based on a GEO list, the origin of an IP.

You can also add your own custom functions, or you can do logic, arithmetic operations, etc.

Using Metron UI you can see your alerts in real-time, check the page below for more detail about the UI:

I would recommend that you install Metron and try it.
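To make the firewall-plus-AD scenario from the question concrete, here is an added example (not from this thread or the Metron project) of a sensor enrichment config for the firewall feed, in the format Metron loads from its ZooKeeper enrichments directory. It assumes a profiler profile named ad_auth_failures that counts AD authentication failures per ip_src_addr has already been defined, and that the firewall parser emits ip_src_addr; the profile, field and rule names are assumptions, while GEO_GET, PROFILE_GET, PROFILE_FIXED and REDUCE are standard Stellar functions.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": ["ip_src_addr"],
      "stellar": {
        "config": {
          "ad_fail_counts": "PROFILE_GET('ad_auth_failures', ip_src_addr, PROFILE_FIXED(30, 'MINUTES'))",
          "ad_failures_30m": "ad_fail_counts != null ? REDUCE(ad_fail_counts, (total, c) -> total + c, 0) : 0",
          "is_alert": "ad_failures_30m >= 5"
        }
      }
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "firewall_after_ad_failures",
          "comment": "Assumed rule: firewall event from a source that also caused 5+ AD auth failures in the last 30 minutes",
          "rule": "ad_failures_30m >= 5",
          "score": 10
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

The Stellar entries are evaluated in order: the profiler lookup correlates the firewall event with the AD feed, is_alert flags the message so threat triage runs, and the triage rule assigns the score that the Alerts UI then displays.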



Thank you very much Gonçalo. We are actually in the setup process.
