Re: metron alerts UI is empty

jnarayanan · ‎12-13-2017

I have ingested squid telemtery into metron and can see alerts in the kibana dashboard (I have injested threat intel and setup risk scoring). However the metron alerts UI is empty. Do I need additional configuration for these alerts to show up in the alerts UI?

nallen · ‎12-13-2017

Only 'alerts' will appear in the Alerts UI. So what is an alert then, you ask?

Well, not all telemetry in Metron is treated as an alert. Only telemetry that is specifically marked with a field { "is_alert": "true" } is treated as an alert. This gives the user the flexibility to define which telemetry will go through additional threat triage processing.

In your case, the Squid telemetry does not have this field and so is not treated as an alert. For testing purposes, you can add this field to your Squid telemetry by creating a simple enrichment that adds the field "is_alert" and sets it to "true".

Hope this makes sense.

jnarayanan · ‎12-14-2017

The squid telemetry does have is_alert true.that is the first thing I checked. I have done threat intel enrichment and is_alert is set to true based on the threat intel

nallen · ‎12-14-2017

Do you see anything in the Alerts UI? Or is just this specific Squid data that is missing? What version of Metron are you running? How did you deploy Metron?

jnarayanan · ‎12-14-2017

Nothing at all in the alerts UI. I see 5 alerts in kibanan and 12 non alert events. But alerts UI is empty. I am running 1.3.1.0-37 installed through the ambari mpack

jnarayanan · ‎12-14-2017

hcp 1.3.1.0-37

MladenTrampic · ‎12-15-2017

I've been facing same issue, metron-alarms-ui wasn't receiving any alarms, after applying changes to template and adding field "alert", type nested, metron-alarms-ui started receiving some messages(little bit messed up, which is next thing to understand), but looking at your template, i notice that field is_alert is type string, while in my schema it is boolean, maybe this makes some problems.

jnarayanan · ‎12-14-2017

I am running 1.3.1.0-37. Deployed it through the ambari mpack

asubramanian · ‎12-14-2017

@jnarayanan

You might be running into METRON-1283, which is fixed in more recent versions of HCP. You can confirm as follows - Go to http://<es-master-node>:9200/squid*/_mappings, and look for an "alerts" field. If you are missing this field from the mapping, then it is likely the reason for Alerts UI to be empty.

In order to fix the issue, follow these steps:

* Clear all existing Elasticsearch indices

* Go to Ambari UI -> Services -> Metron -> 'Service Actions' dropdown -> Elasticsearch Template Install

* Re-ingest data into 'squid' telemetry.

And you should now be able to see entries in the Alerts UI.

jnarayanan · ‎12-14-2017

I tried re-installing the elastic template. Still no luck