Github user justinleet commented on the issue: https://github.com/apache/metron/pull/824

## Changing Metaalert status

### Find two alerts

```
/api/v1/search/search
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "fields": [ "guid" ],
  "from": 0,
  "indices": [ "snort" ],
  "query": "ip_dst_addr:192.168.66.121",
  "size": 2
}' 'http://node1:8082/api/v1/search/search'
```

Results in two guids:

```
8b8314d4-277b-44dc-a75b-04b0cdcedb40
4ac26cf7-ab93-4940-9a0e-8e7f4d67736d
```

### Create a metaalert with the alerts

```
/api/v1/metaalert/create
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "alerts": [
    {
      "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    },
    {
      "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
      "index": "snort_index_2017.11.15.17",
      "sensorType": "snort"
    }
  ],
  "groups": [ "test" ]
}' 'http://node1:8082/api/v1/metaalert/create'
```

Make sure to get the resulting guid from the response.

```
da60ccc9-9e79-45c5-be07-0a322c8791f0
```

### Retrieve the meta alert and ensure it contains the provided alerts

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Change the meta alert status to active

This makes sure nothing happens when we set active status to the same active status.

```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/active'
```

It should return false, as no status has changed.

### Retrieve the metaalert and ensure it is still active

Look for the 'status' field.

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Retrieve the child alerts

Ensure both alerts have the 'metaalerts' field populated with the parent meta alert.

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Change the meta alert status to inactive

Look for the 'status' field. Running this once will set it to 'inactive'. Subsequent runs have no effect ('inactive' -> 'inactive' does nothing).

```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/inactive'
```

It should return true, because the status has changed.

### Retrieve the metaalert and ensure it is inactive

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Retrieve the child alerts

Ensure neither alert has the 'metaalerts' field populated with the parent meta alert.

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Change status back to active

```
/api/v1/metaalert/update/status/{guid}/{status}
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' 'http://node1:8082/api/v1/metaalert/update/status/da60ccc9-9e79-45c5-be07-0a322c8791f0/active'
```

It should return false, as no status has changed.

### Retrieve the metaalert and ensure it is active again

Look for the 'status' field.

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "da60ccc9-9e79-45c5-be07-0a322c8791f0",
  "index": "metaalert_index",
  "sensorType": "metaalert"
}' 'http://node1:8082/api/v1/search/findOne'
```

### Retrieve the child alerts

Ensure both alerts have the 'metaalerts' field populated with the parent meta alert.

```
/api/v1/search/findOne
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "8b8314d4-277b-44dc-a75b-04b0cdcedb40",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
  "guid": "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d",
  "sensorType": "snort"
}' 'http://node1:8082/api/v1/search/findOne'
```
---
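The manual test plan in the comment above can be scripted so that the same status transitions and child-alert checks are repeatable. The following is an added example, not code from the Metron project or from the comment's author. It wraps the three REST endpoints the plan uses (`/metaalert/create`, `/metaalert/update/status/{guid}/{status}`, `/search/findOne`) in a small `urllib` client, and provides an in-memory stand-in with the same method signatures so the plan can run offline. The stand-in encodes the behaviour the plan describes: the status update returns true exactly when the status changes, an active metaalert is listed in each child's `metaalerts` field, and an inactive one is not. The base URL, the `fields()` unwrapping (findOne may return the document fields directly or under a `document` member) and the stand-in's internal layout are assumptions; the alert GUIDs and index name are copied from the plan.

```python
"""Scripted version of the metaalert status test plan (added example, not Metron code)."""
import json
import urllib.request
import uuid

# GUIDs and index copied from the test plan; they are only sample identifiers here.
ALERT_A = "8b8314d4-277b-44dc-a75b-04b0cdcedb40"
ALERT_B = "4ac26cf7-ab93-4940-9a0e-8e7f4d67736d"
ALERT_INDEX = "snort_index_2017.11.15.17"
HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}


def fields(doc):
    """Assumption: findOne/create responses carry the fields directly or under 'document'."""
    return doc.get("document", doc)


class HttpMetronApi:
    """Client for the three REST endpoints the plan uses (base URL is an assumption)."""

    def __init__(self, base_url="http://node1:8082/api/v1"):
        self.base_url = base_url

    def _post(self, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, headers=HEADERS, method="POST")
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode())

    def create_metaalert(self, alerts, groups):
        return self._post("/metaalert/create", {"alerts": alerts, "groups": groups})

    def update_status(self, guid, status):
        return self._post("/metaalert/update/status/%s/%s" % (guid, status))

    def find_one(self, guid, sensor_type, index=None):
        body = {"guid": guid, "sensorType": sensor_type}
        if index is not None:
            body["index"] = index
        return self._post("/search/findOne", body)


class FakeMetronApi:
    """In-memory stand-in (constructed for this example) with the same method signatures."""

    def __init__(self, alert_guids):
        self.docs = {("snort", g): {"guid": g, "source:type": "snort"} for g in alert_guids}

    def create_metaalert(self, alerts, groups):
        guid = str(uuid.uuid4())
        self.docs[("metaalert", guid)] = {"guid": guid, "status": "active",
                                          "groups": list(groups), "alerts": [dict(a) for a in alerts]}
        self._link_children(guid, link=True)
        return self.docs[("metaalert", guid)]

    def _link_children(self, meta_guid, link):
        # An active metaalert appears in each child's 'metaalerts' field; an inactive one does not.
        for child in self.docs[("metaalert", meta_guid)]["alerts"]:
            doc = self.docs[(child["sensorType"], child["guid"])]
            parents = set(doc.get("metaalerts", []))
            if link:
                parents.add(meta_guid)
            else:
                parents.discard(meta_guid)
            doc["metaalerts"] = sorted(parents)

    def update_status(self, guid, status):
        meta = self.docs[("metaalert", guid)]
        if meta["status"] == status:
            return False  # same status -> same status: nothing changes
        meta["status"] = status
        self._link_children(guid, link=(status == "active"))
        return True

    def find_one(self, guid, sensor_type, index=None):
        return self.docs[(sensor_type, guid)]


def run_status_plan(api, alert_guids=(ALERT_A, ALERT_B), index=ALERT_INDEX):
    """Create the metaalert, then apply active -> inactive -> active and record each observation."""
    alerts = [{"guid": g, "index": index, "sensorType": "snort"} for g in alert_guids]
    meta_guid = fields(api.create_metaalert(alerts, ["test"]))["guid"]
    observed = {}
    for step, status in (("active", "active"), ("inactive", "inactive"), ("reactivate", "active")):
        observed[step] = {
            "changed": api.update_status(meta_guid, status),
            "status": fields(api.find_one(meta_guid, "metaalert", "metaalert_index"))["status"],
            "children_linked": [meta_guid in fields(api.find_one(g, "snort")).get("metaalerts", [])
                                for g in alert_guids],
        }
    return observed


def plan_passes(observed):
    """Check the observations against the outcomes the plan expects at each step."""
    return (observed["active"] == {"changed": False, "status": "active", "children_linked": [True, True]}
            and observed["inactive"] == {"changed": True, "status": "inactive", "children_linked": [False, False]}
            and observed["reactivate"]["status"] == "active"
            and observed["reactivate"]["children_linked"] == [True, True])


if __name__ == "__main__":
    # Swap in HttpMetronApi() to run the same plan against a live REST service.
    print(json.dumps(run_status_plan(FakeMetronApi([ALERT_A, ALERT_B])), indent=2))
```

Running the plan against `FakeMetronApi` exercises the expected semantics without a cluster; passing `HttpMetronApi()` instead issues the same requests the curl commands above do, so `plan_passes()` then reports whether the live service matches the plan.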