Github user justinleet commented on the issue: https://github.com/apache/metron/pull/824 ## Adding alerts and adding a preexisting alert ### Find two alerts ``` /api/v1/search/search curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "fields": [ "guid" ], "from": 0, "indices": [ "snort" ], "query": "ip_dst_addr:192.168.66.121", "size": 2 }' 'http://node1:8082/api/v1/search/search' ``` Results in two guids: ``` 8b8314d4-277b-44dc-a75b-04b0cdcedb40 4ac26cf7-ab93-4940-9a0e-8e7f4d67736d ``` ### Create a metaalert with only one of the alerts ``` /api/v1/metaalert/create curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "alerts": [ { "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40", "index": "snort_index_2017.11.15.17", "sensorType": "snort" } ], "groups": [ "test" ] }' 'http://node1:8082/api/v1/metaalert/create' ``` Make sure to get the resulting guid from the response. ``` 6a4affe4-02ce-4d25-80b1-bfc4ca53f557 ``` ### Retrieve the meta alert and ensure it contains the provided alert ``` /api/v1/search/findOne curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "guid": "6a4affe4-02ce-4d25-80b1-bfc4ca53f557", "index": "metaalert_index", "sensorType": "metaalert" }' 'http://node1:8082/api/v1/search/findOne' ``` ### Retrieve the child alert and ensure the 'metaalerts' field contains the new GUID of the new metaalert ``` /api/v1/search/findOne curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "guid":"8b8314d4-277b-44dc-a75b-04b0cdcedb40", "sensorType": "snort" }' 'http://node1:8082/api/v1/search/findOne' ``` ### Add the same alert to the meta alert ``` /api/v1/metaalert/add/alert curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "alerts": [ { "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40", "index": "snort_index_2017.11.15.17", "sensorType": "snort" } ], "metaAlertGuid": "6a4affe4-02ce-4d25-80b1-bfc4ca53f557" }' 'http://node1:8082/api/v1/metaalert/add/alert' ``` It should return "false" as no alerts have been added. The meta alert should be retrieved again to validate. ### Run the add alert again but with the second alert ``` /api/v1/metaalert/add/alert curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "alerts": [ { "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40", "index": "snort_index_2017.11.15.17", "sensorType": "snort" }, { "guid":"4ac26cf7-ab93-4940-9a0e-8e7f4d67736d", "index": "snort_index_2017.11.15.17", "sensorType": "snort" } ], "metaAlertGuid": "6a4affe4-02ce-4d25-80b1-bfc4ca53f557" }' 'http://node1:8082/api/v1/metaalert/add/alert' ``` It should return true, because the second alert will be added. The meta alert should be retrieved again to validate. ### Retrieve the child alerts Ensure they have the 'metaalerts' field populated with their parent. ``` /api/v1/search/findOne curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "guid":"8b8314d4-277b-44dc-a75b-04b0cdcedb40", "sensorType": "snort" }' 'http://node1:8082/api/v1/search/findOne' curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{ "guid":"4ac26cf7-ab93-4940-9a0e-8e7f4d67736d", "sensorType": "snort" }' 'http://node1:8082/api/v1/search/findOne' ```
---