Hi Laurens, A few quick answers inline…
Simon

> On 20 Jan 2018, at 00:37, Laurens Vets <laur...@daemon.be> wrote:
>
> Hi list,
>
> I have some general Alerts UI questions/comments/remarks, I hope you don't
> mind :) I'm using the UI that's part of Metron 0.4.2. These apply to my
> specific use case, so I might be completely wrong in how I use the UI…

Comment and feedback are always welcome!

> - When you're talking about 'alerts', from what I can see in the UI, that's
> synonymous with just events in elasticsearch right? Wouldn't it make more
> sense to treat alerts as events where "is_alert" == True?

At present the search does not exclude non-alerts… it's maybe a little odd to call it the alerts view right now, but right now it's the only way to see everything, so this should probably separate out into an 'everything' hunting-focused view and an alerts-only view. The reason I kinda like the current approach is that it's good for picking up things that have become alerts because they're in threat intel, for example, along with things clustered against them by something like the new TLSH functions, which makes it easier to combine known alerts with undetected events in a meta alert.

> - It seems that everything I do in the UI is only stored locally? See
> https://github.com/apache/metron/tree/master/metron-interface/metron-alerts.
> Can this be made persistent for multiple people?

Yep. A lot of the preferences, saved searches, column layouts etc. are stored in local storage by the browser right now. We need a REST endpoint and to figure out how to store them (against user / against a group / global??? thoughts?) server side. A lot of the mechanism to do that is in, it's just not quite done done because of those open questions I expect.

> - How can I change the content "Filters" on the left of the UI?

You wait for https://github.com/apache/metron/pull/853 to land.

> - How do I create a MetaAlert?

You can create a meta-alert from a grouped set of alerts: use the grouping buttons at the top and you'll find a merge alert. Slightly odd process at the moment, true, but a button to create a meta-alert from all the selected, or all the visible, alerts on the results page might be a good addition, what do you think? Very quick video of the current method here: https://youtu.be/JkFeNKTOd38

> - What's the plan regarding notifying someone when alerts trigger?

Currently there is no external notification, but the answer here would likely be to consume the indexing topic in Kafka and integrate to an enterprise alarm or monitoring system (alerting and alarms is a massive topic which probably deserves its own project beyond Metron, and I've seen people use all sorts of things for this, usually some big enterprisey thing mandated by IT).
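As an added illustration of the two ideas raised above (treating only `is_alert == true` events as alerts, and feeding the indexed stream to an external notifier), here is a small Python filter that a Kafka consumer of the indexing topic could hand each message to. It is not Metron code; the sample events are constructed, the field names are assumed to follow Metron's common enrichment output, and accepting the string form `"true"` of `is_alert` is an assumption about how some enrichments emit the flag.

```python
import json

# Constructed sample of indexed events, one JSON document per Kafka message.
# Field names are assumptions modelled on Metron enrichment output.
SAMPLE_MESSAGES = [
    '{"source.type": "bro", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "198.51.100.7",'
    ' "timestamp": 1516410000000, "is_alert": "true"}',
    '{"source.type": "bro", "ip_src_addr": "10.0.0.6", "ip_dst_addr": "203.0.113.9",'
    ' "timestamp": 1516410001000}',
    '{"source.type": "snort", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "198.51.100.7",'
    ' "timestamp": 1516410002000, "is_alert": true, "msg": "example signature"}',
    '{"source.type": "bro", "ip_src_addr": "10.0.0.5", "ip_dst_addr": "198.51.100.7",'
    ' "timestamp": 1516410003000, "is_alert": "true"}',
]


def is_alert(event):
    """Only events flagged is_alert count; accept bool True or the string "true"."""
    v = event.get("is_alert")
    return v is True or (isinstance(v, str) and v.lower() == "true")


class AlertNotifier:
    """Keeps alerts, drops everything else, and suppresses repeats of the same
    (source.type, ip_src_addr, ip_dst_addr) inside a time window so a noisy
    sensor does not flood the downstream alarm system."""

    def __init__(self, window_ms=60_000):
        self.window_ms = window_ms
        self.last_sent = {}  # key -> timestamp (ms) of the last forwarded alert

    @staticmethod
    def key(event):
        return (event.get("source.type"), event.get("ip_src_addr"), event.get("ip_dst_addr"))

    def handle(self, raw):
        """Return a notification dict for an alert worth forwarding, else None."""
        event = json.loads(raw)
        if not is_alert(event):
            return None
        k, ts = self.key(event), event.get("timestamp", 0)
        last = self.last_sent.get(k)
        if last is not None and ts - last < self.window_ms:
            return None  # duplicate inside the window: suppressed
        self.last_sent[k] = ts
        return {"key": k, "timestamp": ts, "source.type": event.get("source.type")}


def run(messages, window_ms=60_000):
    """Process a batch of raw messages; a real consumer would loop over the topic."""
    notifier = AlertNotifier(window_ms)
    return [n for n in (notifier.handle(m) for m in messages) if n is not None]
```

Wire `notifier.handle` to whatever the alarm system expects (webhook, syslog, ticket API); the filter itself stays the same.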