I do not believe that they are based on another schema, but I am a bit foggy about where the names like ip_src_addr and ip_dst_addr originated from.
On Wed, Dec 4, 2019 at 1:25 PM Yerex, Tom <[email protected]> wrote:
> Thank you, Nick.
>
> Would you happen to know if those fields were drawn from a particular
> schema similar to ECS? My reasoning is if there is a schema out there then
> my organization would probably benefit by being aware of it when
> implementing our data structure.
>
> Cheers,
>
> Tom.
>
> *From: *Nick Allen <[email protected]>
> *Reply-To: *"[email protected]" <[email protected]>
> *Date: *Wednesday, December 4, 2019 at 10:17 AM
> *To: *"[email protected]" <[email protected]>
> *Subject: *Re: Altering the group by and filter fields in Metron Alerts
>
> Hi Tom -
>
> Unfortunately, the field names used for grouping in the Alerts UI are not
> configurable at the moment. The one exception is the "source type" field,
> but this does not provide the level of configurability that you are looking
> for.
>
> The following field names are used for grouping.
>
> - Source Type: `source:type` (or `source.type`)
> - Destination IP: `ip_dst_addr`
> - Source IP: `ip_src_addr`
> - Country: `enrichments:geo:ip_dst_addr:country`
>
> Ideally, the fields available for grouping could be made configurable, but
> that change is not trivial.
>
> On Tue, Dec 3, 2019 at 6:18 PM Yerex, Tom <[email protected]> wrote:
>
> Good afternoon,
>
> This applies to Metron 0.7.1.
>
> I am working with the Metron Alerts interface to expose data from the
> Metron geographic outliers case study (
> https://metron.apache.org/current-book/use-cases/geographic_login_outliers/index.html
> ).
>
> We leverage the Elasticsearch common schema as a way to apply consistency
> to the telemetry we have from a variety of sources. Modifying the columns
> in Metron Alerts has proven to be fairly straightforward, so instead of
> "ip_src_addr" I can identify a column as "client.ip", where "client.ip" is
> used by ECS (
> https://www.elastic.co/guide/en/ecs/current/ecs-using-ecs.html).
>
> I would like to alter the filters and "Group By" parts of the Metron
> Alerts interface to reflect the fields from ECS, is this possible in the
> current set up? If this is not possible, is the Metron project referencing
> a particular schema for the field names?
>
> Thank you,
>
> Tom.
>
> --
>
> *Tom Yerex*
>
> Cybersecurity Analyst, Information Technology
>
> Cybersecurity | CISO Office
>
> The University of British Columbia | Musqueam Traditional Territory
>
> Ponderosa Office Annex A | Vancouver BC | V6T1Z2 Canada
>
> Phone 604 822 6531
>
> Privacy Matters @ UBC
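
A practical consequence of the exchange above is that an ECS-aligned deployment has to keep the four Metron field names in the indexed alert, because the Alerts UI groups on those names and nothing else. The following is an added example, not code from this thread or from the Metron project: it adds ECS-style nested fields to a Metron alert while leaving the original keys in place, and checks whether a document still carries every field the UI groups on (under either spelling of the source type). The ECS target names are assumptions for illustration (`client.ip` follows Tom's choice; `destination.ip`, `destination.geo.country_iso_code` and `event.dataset` are chosen here, not published by Metron), and the sample alert is constructed.

```python
"""Keep Metron's fixed grouping fields while adding ECS names to an alert.

Added example for this thread, not Metron project code. ASSUMPTIONS: the ECS
target names below are one organisation's choice (client.ip follows the
thread; the others are ECS fields picked here), and SAMPLE_ALERT is a
constructed document, not one captured from a real deployment.
"""
from typing import Any, Dict, List, Tuple

# Fields the Metron 0.7.1 Alerts UI groups on, per Nick's reply above. Each
# tuple lists the spellings under which the field may appear in the index.
GROUP_BY_FIELDS: Tuple[Tuple[str, ...], ...] = (
    ("source:type", "source.type"),
    ("ip_dst_addr",),
    ("ip_src_addr",),
    ("enrichments:geo:ip_dst_addr:country",),
)

# Metron key -> ECS dotted path. ASSUMPTION: an organisation-specific mapping,
# not one published by the Metron project or by ECS.
METRON_TO_ECS: Dict[str, str] = {
    "ip_src_addr": "client.ip",
    "ip_dst_addr": "destination.ip",
    "enrichments:geo:ip_dst_addr:country": "destination.geo.country_iso_code",
    "source:type": "event.dataset",
    "source.type": "event.dataset",
}


def set_path(doc: Dict[str, Any], dotted: str, value: Any) -> None:
    """Write value at an ECS-style dotted path, creating nested objects."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        nxt = cur.setdefault(part, {})
        if not isinstance(nxt, dict):
            raise ValueError(f"{dotted}: {part!r} is already a scalar")
        cur = nxt
    cur[parts[-1]] = value


def to_ecs_view(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the alert with nested ECS fields added.

    The original Metron keys are kept so the Alerts UI can still group on
    them; only the ECS names are new.
    """
    out: Dict[str, Any] = dict(alert)
    for metron_key, ecs_path in METRON_TO_ECS.items():
        if metron_key in alert:
            set_path(out, ecs_path, alert[metron_key])
    return out


def missing_group_by_fields(doc: Dict[str, Any]) -> List[str]:
    """List the UI grouping fields absent under every known spelling."""
    return [
        aliases[0]
        for aliases in GROUP_BY_FIELDS
        if not any(alias in doc for alias in aliases)
    ]


# Constructed sample alert (values are documentation-range addresses).
SAMPLE_ALERT: Dict[str, Any] = {
    "source:type": "sshd",
    "ip_src_addr": "203.0.113.45",
    "ip_dst_addr": "198.51.100.7",
    "enrichments:geo:ip_dst_addr:country": "CA",
    "timestamp": 1575480000000,
}

# How the same alert would look if the Metron keys were renamed to ECS
# rather than kept alongside the ECS names.
ECS_ONLY: Dict[str, Any] = {
    "client": {"ip": "203.0.113.45"},
    "destination": {"ip": "198.51.100.7"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs_view(SAMPLE_ALERT), indent=2))
    print("UI grouping fields missing from ECS-only doc:",
          missing_group_by_fields(ECS_ONLY))
```

Run `missing_group_by_fields` against a document produced by whatever field mapping you settle on before switching it on in the indexing path: if it returns anything, the Alerts UI will lose that grouping option, which is the failure Tom's column rename avoids only because it changes the label and not the indexed field.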
