Metron Alerts UI: Alerts not appearing in metron-alerts UI

I am trying to develop a use case with Metron.

The end-to-end use case is: we need to calculate the count of events that happened for each IP. When the count reaches the threshold, generate an alert in the metron-alerts UI.

For that, I have the events data coming to the "indexing" Kafka topic. I created a profile in ${METRON_HOME}/config/zookeeper/profiler.json as below.

{
  "profiles": [
    {
      "profile": "demo_iplogon_failed",
      "foreach": "ip_address",
      "onlyif": "source.type == 'demo_windowsnxlog' and event_id == '4625'",
      "init": {
        "count": "0"
      },
      "update": {
        "count": "count + 1"
      },
      "result": {
        "profile": "count",
        "triage": {
          "logon_failed_count": "count"
        }
      }
    }
  ]
}

After reloading the ZooKeeper config files, I see indices created in Elasticsearch with the format profile_index_yyyy.MM.dd.HH; a snapshot of one record is attached.

I see that all the records in the profiler_index_* pattern have the field is_alert="true". But I don't see these records turn up as alerts in the metron-alerts UI.

I would like to figure out the reason for the alerts not turning up in the metron-alerts UI.

I am seeing is_alerts="true" for all the records under profiler_index_*. How can I configure it to set is_alert="true" only when the count exceeds the threshold value?

@nallen @asubramanian: tagging you as you can help me quickly. Please don't mind!


Rising Star

> I would like to figure out the reason for the alerts not turning up in the metron-alerts UI.

I believe it is because the Alerts UI has not been configured to look at the `profiler_index_*` indices that have been created. Right now, the Alerts UI only looks at the indices that have been created for each sensor.

> I am seeing is_alerts="true" for all the records under profiler_index_*.

The `is_alerts` value is set to true when those messages are generated by the Profiler. The purpose of sending messages back into Kafka from the Profiler is to enable use of the Threat Triage mechanism. That is why they are always set to true.

> How can I configure it to set is_alert="true" only when the count exceeds the threshold value?

You would do this by defining a rule in Threat Triage that increases the threat score based on that count exceeding a threshold.
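As an added illustration of the Threat Triage rule described in the reply above (this is not code from the thread or from the Metron project), here is an enrichment configuration that scores the messages the Profiler writes back to Kafka. It assumes that those messages carry the sensor type `profiler`, so the file lives at `${METRON_HOME}/config/zookeeper/enrichments/profiler.json`; that the profile's triage value `logon_failed_count` is flattened into each message next to the `profile` and `entity` fields; and that 20 is the threshold. The threshold and the rule name are taken from the asker's follow-up below; the field names and file location are assumptions, not facts the thread states.

```json
{
  "enrichment": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "Login Failed Anomaly",
          "comment": "Assumed threshold: more than 20 failed logons (event_id 4625) for one ip_address within a profile period",
          "rule": "profile == 'demo_iplogon_failed' && logon_failed_count > 20",
          "score": 10,
          "reason": "FORMAT('%d failed logons observed for %s', logon_failed_count, entity)"
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  }
}
```

Push it to ZooKeeper with `${METRON_HOME}/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER -i ${METRON_HOME}/config/zookeeper`. Profiler messages whose count is at or below the threshold keep `is_alert` true (as the reply explains, the Profiler always sets it) but receive a `threat.triage.score` of 0, while those above the threshold are scored 10 and list the rule under `threat.triage.rules`; the score, not `is_alert`, is what separates the interesting periods from the rest. The rule is written with `&&` and a numeric comparison, which is valid because the profile's `count` is initialised from the Stellar expression `0` and incremented with `count + 1`, so `logon_failed_count` is a number rather than a string.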

@nallen

Can I define the triage in the profile definition as below?

"triage": {
  "name": "Login Failed Anomaly",
  "rule": "SHELL_GET_EXPRESSION(\"profileName == 'demo_iplogon_failed' and count > 20\")",
  "score": "10",
  "logon_failed_count": "count"
}

Rising Star

Please open a separate question if you have issues with Threat Triage.
