
Metron is_alert=true is coming in profiler_* index but not in sensor index


Metron is_alert=true is coming in the profiler_* index but not in the sensor index, nor in the Alerts UI.

The profile I've defined is below:

{
  "profiles": [
    {
      "profile": "auditfile_anomaly",
      "foreach": "userid",
      "onlyif": "((command == 'cat' and success == 'no') || (command == 'mv' and success == 'no') || (command == 'chmod' and success == 'no') || (command == 'ls' and success == 'no') || (command == 'cp' and success == 'no') || (command == 'vi' and success == 'no'))",
      "init":    { "count": "0" },
      "update":  { "count": "count + 1" },
      "result":  {
        "profile": "count",
        "triage":  { "fileanomaly_count": "count" }
      }
    }
  ]
}

I then read the result from my enrichment fieldMap (I've tried it in threatIntel as well) with the logic below:

"stellar": {
  "config": [
    "user_file_access := PROFILE_GET('auditfile_anomaly', userid, PROFILE_FIXED(15, 'MINUTES'))",
    "anomaly_count := TO_INTEGER(user_file_access)",
    "file_anomaly := anomaly_count >= 1",
    "is_alert := exists(is_alert) && is_alert",
    "is_alert := is_alert || (file_anomaly != null && file_anomaly == true)",
    "user_file_access := null"
  ]
}

But it results only in all-FALSE "file_anomaly" attributes in my sensor ES index, whereas I'm receiving an is_alert=true value in my profiler ES index for 3 entities, which is correct as per my data set.

Please help me out with this.

@nallen @asubramanian @Anil Reddy: tagging you as you can help me quickly. Please don't mind!
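For reference, here is an added example (not from the original post or the Metron project) of how the same check is normally written in a Metron sensor enrichment config. PROFILE_GET does not return a single number: it returns a list with one value per profile period that falls inside the requested window (an empty list when the user has no profile data in that window), so the list has to be summed with REDUCE before it can be compared against a threshold; passing the list straight to TO_INTEGER does not produce the count. The threatIntel triage rule, its name and score, and the surrounding fieldToTypeMap sections are assumptions added for illustration; the profile name, field names and 15-minute window are taken from the post.

```json
{
  "enrichment": {
    "fieldMap": {
      "stellar": {
        "config": [
          "user_file_access := PROFILE_GET('auditfile_anomaly', userid, PROFILE_FIXED(15, 'MINUTES'))",
          "anomaly_count := REDUCE(user_file_access, (total, c) -> total + c, 0)",
          "file_anomaly := anomaly_count >= 1",
          "is_alert := exists(is_alert) && is_alert",
          "is_alert := is_alert || file_anomaly",
          "user_file_access := null"
        ]
      }
    },
    "fieldToTypeMap": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "failed_file_commands",
          "comment": "Assumed rule for illustration: score the message when the profile counted at least one failed file command for this user in the last 15 minutes",
          "rule": "file_anomaly == true",
          "score": 10
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

The REDUCE call starts from 0 and adds each period's count, so a user with no profile entries in the window yields anomaly_count = 0 and file_anomaly = false rather than a null comparison. Setting user_file_access to null at the end drops the intermediate list from the message before it is indexed, as in the original config.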