
metron alerts UI is empty

Explorer

I have ingested squid telemetry into metron and can see alerts in the kibana dashboard (I have ingested threat intel and set up risk scoring). However the metron alerts UI is empty. Do I need additional configuration for these alerts to show up in the alerts UI?


Super Collaborator

Can you paste the output when you open 'http://<es-master-node>:9200/squid*/_mappings' ?

Explorer
{
  "properties": {
    "action": {"type": "string", "index": "not_analyzed"},
    "adapter:geoadapter:begin:ts": {"type": "string"},
    "adapter:geoadapter:end:ts": {"type": "string"},
    "adapter:stellaradapter:begin:ts": {"type": "string"},
    "adapter:stellaradapter:end:ts": {"type": "string"},
    "bytes": {"type": "integer"},
    "code": {"type": "string", "index": "not_analyzed"},
    "domain_without_subdomains": {"type": "string", "index": "not_analyzed"},
    "elapsed": {"type": "integer"},
    "enrichmentjoinbolt:joiner:ts": {"type": "string"},
    "enrichments:geo:ip_dst_addr:city": {"type": "string"},
    "enrichments:geo:ip_dst_addr:country": {"type": "string"},
    "enrichments:geo:ip_dst_addr:dmaCode": {"type": "string"},
    "enrichments:geo:ip_dst_addr:latitude": {"type": "string"},
    "enrichments:geo:ip_dst_addr:locID": {"type": "string"},
    "enrichments:geo:ip_dst_addr:location_point": {"type": "string"},
    "enrichments:geo:ip_dst_addr:longitude": {"type": "string"},
    "enrichments:geo:ip_dst_addr:postalCode": {"type": "string"},
    "enrichmentsplitterbolt:splitter:begin:ts": {"type": "string"},
    "enrichmentsplitterbolt:splitter:end:ts": {"type": "string"},
    "extra": {"type": "string"},
    "full_hostname": {"type": "string", "index": "not_analyzed"},
    "guid": {"type": "string"},
    "ip_dst_addr": {"type": "ip"},
    "ip_dst_port": {"type": "integer"},
    "ip_src_addr": {"type": "ip"},
    "ip_src_port": {"type": "integer"},
    "is_malicious": {"type": "string"},
    "method": {"type": "string", "index": "not_analyzed"},
    "original_string": {"type": "string"},
    "source:type": {"type": "string", "index": "not_analyzed"},
    "threatinteljoinbolt:joiner:ts": {"type": "string"},
    "threatintelsplitterbolt:splitter:begin:ts": {"type": "string"},
    "threatintelsplitterbolt:splitter:end:ts": {"type": "string"},
    "timestamp": {"type": "date", "format": "epoch_millis"},
    "url": {"type": "string"}
  }
}

Explorer
{
  "squid_index_2017.12.14.09": {
    "mappings": {
      "squid_doc": {
        "_timestamp": {"enabled": true},
        "properties": {
          "action": {"type": "string", "index": "not_analyzed"},
          "adapter:simplehbaseadapter:begin:ts": {"type": "string"},
          "adapter:simplehbaseadapter:end:ts": {"type": "string"},
          "adapter:threatinteladapter:begin:ts": {"type": "string"},
          "adapter:threatinteladapter:end:ts": {"type": "string"},
          "alert": {"type": "nested"},
          "bytes": {"type": "integer"},
          "code": {"type": "string", "index": "not_analyzed"},
          "domain_without_subdomains": {"type": "string", "index": "not_analyzed"},
          "elapsed": {"type": "integer"},
          "enrichmentjoinbolt:joiner:ts": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:domain": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:domain_created_timestamp": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:home_country": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:owner": {"type": "string"},
          "enrichments:hbaseEnrichment:domain_without_subdomains:whois:registrar": {"type": "string"},
          "enrichmentsplitterbolt:splitter:begin:ts": {"type": "string"},
          "enrichmentsplitterbolt:splitter:end:ts": {"type": "string"},
          "full_hostname": {"type": "string", "index": "not_analyzed"},
          "guid": {"type": "string"},
          "ip_dst_addr": {"type": "string", "index": "not_analyzed"},
          "ip_src_addr": {"type": "string"},
          "is_alert": {"type": "string"},
          "method": {"type": "string", "index": "not_analyzed"},
          "original_string": {"type": "string"},
          "source:type": {"type": "string", "index": "not_analyzed"},
          "threat:triage:rules:0:comment": {"type": "string"},
          "threat:triage:rules:0:name": {"type": "string"},
          "threat:triage:rules:0:reason": {"type": "string"},
          "threat:triage:rules:0:score": {"type": "long"},
          "threat:triage:rules:1:comment": {"type": "string"},
          "threat:triage:rules:1:name": {"type": "string"},
          "threat:triage:rules:1:reason": {"type": "string"},
          "threat:triage:rules:1:score": {"type": "long"},
          "threat:triage:score": {"type": "double"},
          "threatinteljoinbolt:joiner:ts": {"type": "string"},
          "threatintels:hbaseThreatIntel:domain_without_subdomains:zeusList": {"type": "string"},
          "threatintelsplitterbolt:splitter:begin:ts": {"type": "string"},
          "threatintelsplitterbolt:splitter:end:ts": {"type": "string"},
          "timestamp": {"type": "date", "format": "epoch_millis"},
          "url": {"type": "string"}
        }
      }
    }
  }
}

Super Collaborator

Hmm... this seems about right to me. It should be working, in principle.

In my environment, I have seen snort alerts working readily. Can you try ingesting the following sample messages into the 'snort' kafka topic and check if you are able to see them in the UI? I would like to see if this works for you, and to ascertain if it is an issue with 'squid' only.

09/09/16-09:09:09.844676 ,1,999158,0,"snort test alert",TCP,192.168.138.158,49188,62.75.195.236,80,00:00:00:00:00:00,00:00:00:00:00:00,0x3C,***A****,0xF017C4DA,0xABDB8426,,0xF6C9,128,0,2319,40,40960,,,,

Explorer

I tried changing the is_alert field in the template to boolean and deleted and recreated the index. But no luck. I already have alert as a nested field in my template

Super Collaborator

This looks like a defect. I have created METRON-1369 to track this.

New Contributor

I am facing the same issue. @jnarayanan have you been able to resolve it?