Hi Tom - Unfortunately, the field names used for grouping in the Alerts UI are not configurable at the moment. The one exception is the "source type" field, but this does not provide the level of configurability that you are looking for.
The following field names are used for grouping.

- Source Type: `source:type` (or `source.type`)
- Destination IP: `ip_dst_addr`
- Source IP: `ip_src_addr`
- Country: `enrichments:geo:ip_dst_addr:country`

Ideally, the fields available for grouping could be made configurable, but that change is not trivial.

On Tue, Dec 3, 2019 at 6:18 PM Yerex, Tom <[email protected]> wrote:
> Good afternoon,
>
> This applies to Metron 0.7.1.
>
> I am working with the Metron Alerts interface to expose data from the Metron geographic outliers case study (https://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html).
>
> We leverage the Elasticsearch common schema as a way to apply consistency to the telemetry we have from a variety of sources. Modifying the columns in Metron Alerts has proven to be fairly straightforward, so instead of "ip_src_addr" I can identify a column as "client.ip", where "client.ip" is used by ECS (https://www.elastic.co/guide/en/ecs/current/ecs-using-ecs.html).
>
> I would like to alter the filters and "Group By" parts of the Metron Alerts interface to reflect the fields from ECS. Is this possible in the current setup? If this is not possible, is the Metron project referencing a particular schema for the field names?
>
> Thank you,
>
> Tom.
>
> --
>
> *Tom Yerex*
>
> Cybersecurity Analyst, Information Technology
>
> Cybersecurity | CISO Office
>
> The University of British Columbia | Musqueam Traditional Territory
>
> Ponderosa Office Annex A | Vancouver BC | V6T1Z2 Canada
>
> Phone 604 822 6531
>
> Privacy Matters @ UBC
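Since the grouping names are fixed in the UI, one workaround is to alias ECS-named telemetry onto those names before it is indexed, and to check which grouping fields a document would still lack. The following is an added Python example, not Metron project code; the ECS field choices other than `client.ip` (`server.ip`, `server.geo.country_iso_code`, `event.module`) and the sample alert are assumptions.

```python
# Added example, not Metron project code. Aliases ECS-named fields onto the
# fixed names the Metron Alerts UI groups on; the ECS choices are assumptions.

# Grouping field names from the reply above; the UI reads them as-is.
METRON_GROUPING_FIELDS = (
    "source:type",
    "ip_src_addr",
    "ip_dst_addr",
    "enrichments:geo:ip_dst_addr:country",
)

# Assumed ECS-to-Metron aliasing (client.ip comes from the question; the
# rest are assumed ECS choices). ECS documents may be nested or flat-dotted.
ECS_TO_METRON = {
    "event.module": "source:type",
    "client.ip": "ip_src_addr",
    "server.ip": "ip_dst_addr",
    "server.geo.country_iso_code": "enrichments:geo:ip_dst_addr:country",
}

def get_path(doc, dotted):
    """Resolve 'a.b.c' against a flat dotted key or a nested dict."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def add_metron_grouping_fields(doc):
    """Return a copy of doc with the Metron grouping fields populated from
    ECS. Existing Metron fields win; 'source.type' is accepted as an alias."""
    out = dict(doc)
    if "source:type" not in out and "source.type" in out:
        out["source:type"] = out["source.type"]
    for ecs_name, metron_name in ECS_TO_METRON.items():
        if metron_name not in out:
            value = get_path(doc, ecs_name)
            if value is not None:
                out[metron_name] = value
    return out

def missing_grouping_fields(doc):
    """Grouping fields the Alerts UI could not group this document on."""
    return [f for f in METRON_GROUPING_FIELDS if f not in doc]

# Constructed sample alert in nested ECS shape (not real data).
SAMPLE_ALERT = {"event": {"module": "geo_login"}, "client": {"ip": "10.0.0.5"},
                "server": {"ip": "203.0.113.9", "geo": {"country_iso_code": "CA"}}}
```

Running `missing_grouping_fields` on the output before indexing is a cheap way to catch documents that would silently fall out of a "Group By" view.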
