Good afternoon,

This applies to Metron 0.7.1. I am working with the Metron Alerts interface to expose data from the Metron geographic outliers case study (https://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html). We leverage the Elasticsearch common schema as a way to apply consistency to the telemetry we have from a variety of sources. Modifying the columns in Metron Alerts has proven to be fairly straightforward, so instead of "ip_src_addr" I can identify a column as "client.ip", where "client.ip" is used by ECS (https://www.elastic.co/guide/en/ecs/current/ecs-using-ecs.html).

I would like to alter the filters and "Group By" parts of the Metron Alerts interface to reflect the fields from ECS. Is this possible in the current set up? If this is not possible, is the Metron project referencing a particular schema for the field names?

Thank you,
Tom.

--
Tom Yerex
Cybersecurity Analyst, Information Technology
Cybersecurity | CISO Office
The University of British Columbia | Musqueam Traditional Territory
Ponderosa Office Annex A | Vancouver BC | V6T1Z2 Canada
Phone 604 822 6531
Privacy Matters @ UBC
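The renaming the message describes (Metron's "ip_src_addr" shown as the ECS field "client.ip") is the same step filters and Group By would need, so the example below carries it through on alert records. This is an added illustration, not code from the Metron project or from the original poster: it does not touch the Metron Alerts UI or its configuration, and the field mapping beyond ip_src_addr -> client.ip, the sample alerts, and the helper names (to_ecs, get_nested, group_by, filter_alerts, validate_mapping) are all assumptions made here. It also handles one detail ECS users hit in practice: whether "client.ip" is stored as a flat dotted key or as a nested object, the same lookup must work for both.

```python
# Added example (not Metron project code): normalise Metron-style alert records
# to ECS field names, then filter and group on the ECS names.
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional

# Assumed Metron -> ECS field mapping. Only ip_src_addr -> client.ip comes from
# the original message; the other entries are illustrative assumptions.
METRON_TO_ECS: Dict[str, str] = {
    "ip_src_addr": "client.ip",
    "ip_src_port": "client.port",
    "ip_dst_addr": "server.ip",
    "ip_dst_port": "server.port",
    "user": "user.name",
    "source.type": "event.dataset",
}

# Constructed sample alerts (not real telemetry); addresses are from
# documentation ranges.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"ip_src_addr": "192.0.2.10", "ip_dst_addr": "198.51.100.5",
     "source.type": "auth", "user": "alice", "is_alert": "true"},
    {"ip_src_addr": "192.0.2.10", "ip_dst_addr": "198.51.100.7",
     "source.type": "auth", "user": "alice", "is_alert": "true"},
    {"ip_src_addr": "203.0.113.4", "ip_dst_addr": "198.51.100.5",
     "source.type": "auth", "user": "bob", "is_alert": "true"},
]


def validate_mapping(mapping: Dict[str, str] = METRON_TO_ECS) -> List[str]:
    """Return ECS names that more than one Metron field maps to.

    A collision would silently overwrite one field with another during
    renaming, so the list should be empty before the mapping is used.
    """
    counts = Counter(mapping.values())
    return sorted(name for name, n in counts.items() if n > 1)


def set_nested(doc: Dict[str, Any], dotted_key: str, value: Any) -> None:
    """Store value under a dotted key as nested objects: a.b -> {"a": {"b": value}}."""
    parts = dotted_key.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def get_nested(doc: Dict[str, Any], dotted_key: str) -> Optional[Any]:
    """Look up a dotted ECS key, accepting a flat dotted key or nested objects."""
    if dotted_key in doc:          # flat form: {"client.ip": "..."}
        return doc[dotted_key]
    cur: Any = doc                 # nested form: {"client": {"ip": "..."}}
    for part in dotted_key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def to_ecs(alert: Dict[str, Any], nested: bool = False) -> Dict[str, Any]:
    """Rename Metron fields to ECS names; unmapped fields are kept as they are."""
    out: Dict[str, Any] = {}
    for key, value in alert.items():
        ecs_key = METRON_TO_ECS.get(key, key)
        if nested:
            set_nested(out, ecs_key, value)
        else:
            out[ecs_key] = value
    return out


def filter_alerts(docs: Iterable[Dict[str, Any]], field: str, value: Any) -> List[Dict[str, Any]]:
    """Keep the records whose ECS field equals value (the Alerts 'filter' step)."""
    return [d for d in docs if get_nested(d, field) == value]


def group_by(docs: Iterable[Dict[str, Any]], field: str) -> Counter:
    """Count records per distinct value of an ECS field (the Alerts 'Group By' step)."""
    counts: Counter = Counter()
    for d in docs:
        value = get_nested(d, field)
        if value is not None:
            counts[value] += 1
    return counts


if __name__ == "__main__":
    assert validate_mapping() == [], "ECS name collisions in mapping"
    flat = [to_ecs(a) for a in SAMPLE_ALERTS]
    nested = [to_ecs(a, nested=True) for a in SAMPLE_ALERTS]
    print("group by client.ip (flat):  ", dict(group_by(flat, "client.ip")))
    print("group by client.ip (nested):", dict(group_by(nested, "client.ip")))
    print("server.ip == 198.51.100.5:  ", len(filter_alerts(flat, "server.ip", "198.51.100.5")))
```

Both storage forms give the same Group By counts, which is the property a UI filter or aggregation needs once column names have been switched to ECS. The validate_mapping check is worth running whenever the mapping changes: two Metron fields mapped to one ECS name would be merged without any error.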
