Hi, you define your alert by setting the variable "is_alert" in the enrichments.json of your sensor to "true":

    is_alert := true

On the right side of the assignment symbol you can define any boolean expression. Check out this example here: https://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html where

    is_alert := is_alert || (geo_outlier != null && geo_outlier == true)

Best,
Stefan

On Thu, Apr 4, 2019 at 3:05 PM Meenakshi.S <[email protected]> wrote:

> Hi Stéphane
>
> Yes, you are correct. After changing it to 1, as it is a single node installation, it worked.
>
> I am seeing my records in the management GUI.
>
> I haven't loaded any threat intel data in my DB, so how do I make it so that it is classified as an alert?
>
> Regards,
> Meenakshi
>
> From: [email protected] [mailto:[email protected]]
> Sent: 04 April 2019 18:18
> To: [email protected]; [email protected]
> Subject: RE: Not seeing feeds in metron -alerts ui
>
> Hello,
>
> How many ES data nodes do you have? Given the following setting:
>
>     gateway:
>       recover_after_data_nodes: 3
>
> you must have at least 3 living data nodes to have a working ES cluster. I faced this issue last week after my install.
>
> Stéphane
>
> From: Meenakshi.S [mailto:[email protected]]
> Sent: Thursday, April 04, 2019 14:44
> To: [email protected]
> Subject: RE: Not seeing feeds in metron -alerts ui
>
> Hi
>
> Elasticsearch health is red in Kibana and we are getting a cluster block exception from Elasticsearch.
>
> Kibana dashboard is not up.
> These are my config details. It is a single node installation.
>
> Regards,
> Meenakshi
>
> ElasticSearch.yml
>
> cluster:
>   name: metron
>   routing:
>     allocation.node_concurrent_recoveries: 4
>     allocation.disk.watermark.low: .97
>     allocation.disk.threshold_enabled: true
>     allocation.disk.watermark.high: 0.99
>
> discovery:
>   zen:
>     ping:
>       unicast:
>         hosts: ["10.3.1.67"]
>
> node:
>   data: true
>   master: true
>   name: node1
> path:
>   data: "/opt/lmm/es_data"
>
> http:
>   port: 9200-9300
>   cors.enabled: "false"
>
> transport:
>   tcp:
>     port: 9300-9400
>
> gateway:
>   recover_after_data_nodes: 3
>   recover_after_time: 15m
>   expected_data_nodes: 0
>
> # https://www.elastic.co/guide/en/elasticsearch/guide/current/indexing-performance.html
> indices:
>   store.throttle.type: none
>   memory:
>     index_buffer_size: 10%
>   fielddata:
>     cache.size: 25%
>
> bootstrap:
>   memory_lock: true
>   system_call_filter: false
>
> thread_pool:
>   bulk:
>     queue_size: 3000
>   index:
>     queue_size: 1000
>
> discovery.zen.ping_timeout: 5s
> discovery.zen.fd.ping_interval: 15s
> discovery.zen.fd.ping_timeout: 60s
> discovery.zen.fd.ping_retries: 5
> discovery.zen.minimum_master_nodes: 1
>
> network.host: [ _local_, _site_ ]
> network.publish_host: []
>
> Error
>
> {
>   "error": {
>     "root_cause": [
>       {
>         "type": "cluster_block_exception",
>         "reason": "blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];"
>       }
>     ],
>     "type": "cluster_block_exception",
>     "reason": "blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];"
>   },
>   "status": 503
> }
>
> From: Michael Miklavcic [mailto:[email protected]]
> Sent: 03 April 2019 20:15
> To: [email protected]; [email protected]
> Subject: Re: Not seeing feeds in metron -alerts ui
>
> I think I need a bit more context.
> Are you saying it makes it to indexing and then never makes it to ES or Solr? Are you running fulldev or another type of manual installation? Which index tool are you using, ES or Solr?
>
> On Wed, Apr 3, 2019, 5:26 AM Meenakshi.S <[email protected]> wrote:
>
> Hi Team,
>
> I am able to insert snort related feeds to Metron.
>
> I am able to see the feed till the indexing Kafka topic. After that I am not able to trace it. Any help is highly appreciated.
>
> Regards,
> Meenakshi
>
> This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you.

--
Stefan Kupstaitis-Dunkler
https://datahovel.com/
https://twitter.com/StefanDunkler
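Stefan's one-liner, placed into a complete sensor enrichment config so the alert fires without any threat intel data loaded. This is an added example, not code from the thread or from the Metron project: it assumes a snort sensor whose parsed messages carry the snort signature id in a field named sig_id (a string, hence TO_INTEGER), uses the list form of the Stellar enrichment config so one statement can build on the previous one, and the two signature ids and the score are illustrative placeholders, not defaults from anywhere.

```json
{
  "enrichment": {
    "fieldMap": {
      "stellar": {
        "config": [
          "snort_sid := TO_INTEGER(sig_id)",
          "is_alert := is_alert || (snort_sid != null && snort_sid in [1000001, 1000002])"
        ]
      }
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "snort watched signatures",
          "comment": "Added example. The sig_id field name, the two signature ids and the score are assumptions for illustration, not Metron defaults.",
          "rule": "snort_sid != null && snort_sid in [1000001, 1000002]",
          "score": 50
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

Two details matter in practice. Writing `is_alert := is_alert || (...)` rather than `is_alert := (...)` keeps an alert that the parser already set instead of overwriting it with false, and guarding with `!= null` first avoids comparing a missing field. The threatIntel block needs no HBase threat intel feed: an empty fieldMap is valid, and the triage rule only gives the alert a threat.triage.score so it sorts sensibly in the Alerts UI. After saving this as the sensor's enrichment config, push it with the standard script, e.g. `$METRON_HOME/bin/zk_load_configs.sh -m PUSH -z <zookeeper quorum> -i $METRON_HOME/config/zookeeper`, and check the enrichment topology picks up the change.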
