Thank you, Nick.
Would you happen to know if those fields were drawn from a particular schema similar to ECS? My reasoning is that if there is a schema out there, then my organization would probably benefit by being aware of it when implementing our data structure.

Cheers,
Tom.

From: Nick Allen <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, December 4, 2019 at 10:17 AM
To: "[email protected]" <[email protected]>
Subject: Re: Altering the group by and filter fields in Metron Alerts

Hi Tom -

Unfortunately, the field names used for grouping in the Alerts UI are not configurable at the moment. The one exception is the "source type" field, but this does not provide the level of configurability that you are looking for.

The following field names are used for grouping.

Source Type: `source:type` (or `source.type`)
Destination IP: `ip_dst_addr`
Source IP: `ip_src_addr`
Country: `enrichments:geo:ip_dst_addr:country`

Ideally, the fields available for grouping could be made configurable, but that change is not trivial.

On Tue, Dec 3, 2019 at 6:18 PM Yerex, Tom <[email protected]> wrote:

Good afternoon,

This applies to Metron 0.7.1. I am working with the Metron Alerts interface to expose data from the Metron geographic outliers case study (https://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html). We leverage the Elasticsearch common schema as a way to apply consistency to the telemetry we have from a variety of sources. Modifying the columns in Metron Alerts has proven to be fairly straightforward, so instead of "ip_src_addr" I can identify a column as "client.ip", where "client.ip" is used by ECS (https://www.elastic.co/guide/en/ecs/current/ecs-using-ecs.html).

I would like to alter the filters and "Group By" parts of the Metron Alerts interface to reflect the fields from ECS. Is this possible in the current setup? If this is not possible, is the Metron project referencing a particular schema for the field names?

Thank you,
Tom.
--
Tom Yerex
Cybersecurity Analyst, Information Technology
Cybersecurity | CISO Office
The University of British Columbia | Musqueam Traditional Territory
Ponderosa Office Annex A | Vancouver BC | V6T1Z2 Canada
Phone 604 822 6531
Privacy Matters @ UBC
