Github user justinleet commented on the issue:

    https://github.com/apache/metron/pull/824
  
    @iraghumitra I'm unable to duplicate the grouping on the current code (although I admittedly ran through a pretty basic example). Here's what I did, so let me know if I missed something, or you have a particular query you made.
    
    ### Find an alert
    ```
    /api/v1/search/search
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "fields": [
        "guid"
      ],
      "from": 0,
      "indices": [
        "snort"
      ],
      "query": "ip_dst_addr:192.168.66.121",
      "size": 1
    }' 'http://node1:8082/api/v1/search/search'
    ```
    
    In this case, I just grabbed one:
    ```
    "d29925a7-da80-49d0-b7b5-0663380d526f":"snort_index_2017.11.14.15"
    ```
    
    ### Retrieve that alert from findOne to get something to group by
    ```
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid": "d29925a7-da80-49d0-b7b5-0663380d526f",
      "sensorType": "metaalert"
    }' 'http://node1:8082/api/v1/search/findOne'
    ```
    
    I'll group, arbitrarily, with:
    ```
    "ip_dst_addr": "192.168.66.121"
    ```
    
    ### Run a group by
    ```
    /api/v1/search/group
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "groups": [
        {
          "field": "ip_dst_addr"
        }
      ],
      "indices": [
        "snort",
        "metaalert"
      ],
      "query":"ip_dst_addr:192.168.66.121"
    }' 'http://node1:8082/api/v1/search/group'
    ```
    
    Results in:
    ```
    {
      "groupedBy": "ip_dst_addr",
      "groupResults": [
        {
          "key": "192.168.66.121",
          "total": 1299,
          "score": null
        }
      ]
    }
    ```
    
    ### Create a metaalert with that GUID
    ```
    /api/v1/metaalert/create
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "groups": [
        "test"
      ],
      "guidToIndices": {
        "adf65dbb-73fd-4347-a61d-a990166fbbb1":"snort_index_2017.11.14.15"
      }
    }' 'http://node1:8082/api/v1/metaalert/create'
    ```
    
    It returns the guid, in this case:
    ```
    715538d9-7f4f-4316-b149-a9659df06de4
    ```
    
    ### (Optionally) Look up the metaalert to double check it was created as expected.
    ```
    /api/v1/search/findOne
    
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "guid": "715538d9-7f4f-4316-b149-a9659df06de4",
      "sensorType": "metaalert"
    }' 'http://node1:8082/api/v1/search/findOne'
    ```
    
    ### Run the group by from before
    ```
    /api/v1/search/group
    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
      "groups": [
        {
          "field": "ip_dst_addr"
        }
      ],
      "indices": [
        "snort",
        "metaalert"
      ],
      "query":"ip_dst_addr:192.168.66.121"
    }' 'http://node1:8082/api/v1/search/group'
    ```
    
    Validate that the count has gone down by one (since the metaalert doesn't return and the child alert is now hidden):
    ```
    {
      "groupedBy": "ip_dst_addr",
      "groupResults": [
        {
          "key": "3232252537",
          "total": 1298,
          "score": null
        }
      ]
    }
    ```
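The sequence above (group by, create a metaalert from one child, group by again, confirm the bucket shrank by one) as an added Python example; this is not code from the pull request or from Apache Metron itself. The endpoint paths and request bodies are the ones shown in the comment, while the helper names, the `base_url` argument and the two sample responses are assumptions constructed for illustration. It also accepts the group key in either spelling, because the second response in the comment reports the address as `3232252537`, which is `192.168.66.121` read as a 32-bit integer.

```python
"""
Added example (not part of the original PR comment): scripted version of the
"count drops by one" check. Endpoints match the comment; helper names, the
base_url and the sample responses below are constructed assumptions.
"""
import ipaddress
import json
import urllib.request


def group_request(field, indices, query):
    """Body for POST /api/v1/search/group, shaped like the comment's curl call."""
    return {"groups": [{"field": field}], "indices": list(indices), "query": query}


def metaalert_create_request(groups, guid_to_index):
    """Body for POST /api/v1/metaalert/create (child guid -> index it lives in)."""
    return {"groups": list(groups), "guidToIndices": dict(guid_to_index)}


def ip_key_forms(ip):
    """Both spellings a group key for an IP field may come back as.

    The second group response in the comment shows the same address as
    "3232252537" instead of "192.168.66.121" (dotted quad as a 32-bit int),
    so a robust check matches either form.
    """
    addr = ipaddress.ip_address(ip)
    return {str(addr), str(int(addr))}


def group_total(group_response, ip):
    """Return 'total' of the bucket whose key is `ip` in either form, else None."""
    wanted = ip_key_forms(ip)
    for bucket in group_response.get("groupResults", []):
        if str(bucket.get("key")) in wanted:
            return bucket["total"]
    return None


def child_hidden_by_metaalert(before, after, ip, n_children=1):
    """True iff the bucket shrank by exactly the number of children folded in.

    The metaalert itself is not counted in the group result and its child
    alerts are hidden, so the expected delta equals the number of children.
    """
    b, a = group_total(before, ip), group_total(after, ip)
    if b is None or a is None:
        return False
    return b - a == n_children


def post_json(base_url, path, body):
    """Network helper (not exercised offline): POST a JSON body, return reply text."""
    req = urllib.request.Request(
        base_url + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def run_check(base_url, ip, child_guid, child_index, indices=("snort", "metaalert")):
    """Drive the comment's sequence against a live REST API at the assumed base_url."""
    body = group_request("ip_dst_addr", indices, "ip_dst_addr:" + ip)
    before = json.loads(post_json(base_url, "/api/v1/search/group", body))
    # /metaalert/create answers with the new metaalert guid (plain text per the comment)
    post_json(base_url, "/api/v1/metaalert/create",
              metaalert_create_request(["test"], {child_guid: child_index}))
    after = json.loads(post_json(base_url, "/api/v1/search/group", body))
    return child_hidden_by_metaalert(before, after, ip)


# Constructed sample responses mirroring the two outputs quoted in the comment.
BEFORE = {"groupedBy": "ip_dst_addr",
          "groupResults": [{"key": "192.168.66.121", "total": 1299, "score": None}]}
AFTER = {"groupedBy": "ip_dst_addr",
         "groupResults": [{"key": "3232252537", "total": 1298, "score": None}]}

if __name__ == "__main__":
    print(child_hidden_by_metaalert(BEFORE, AFTER, "192.168.66.121"))  # True
```

`run_check("http://node1:8082", "192.168.66.121", "<child guid>", "<child index>")` performs the live round trip; the offline functions are what make the expected delta explicit, so a regression in child hiding shows up as a failed check rather than a number to compare by eye.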

