metron-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Sirota <jsir...@apache.org>
Subject Re: Metron - Emailing Alerts
Date Wed, 13 Dec 2017 21:23:35 GMT
I agree with Simon.  If you email each alert individually you will be overwhelmed.  I think
a better idea would be to email alert summaries periodically, which is more manageable.  This
is probably a feature worthy of consideration for Metron. 

13.12.2017, 12:19, "Simon Elliston Ball" <simon@simonellistonball.com>:
> Metron generates alerts onto a Kafka queue, which can be used to integrate with Alert
management tools, usually some sort of existing alert aggregation tool.
>
> An alternative approach common with this is to have a tool like Apache NiFi attach to
the Metron alert feed and send email.
>
> The solution here would be to have Metron generate alerts (by adding the is_alert: true
flag in the enrichment process) and possibly other flags like alert_email for example, and
then have NiFi use ConsumeKafka and then filter out the alert only messages in NiFi to use
the PutEmail processor (probably with a ControlRate before it too).
>
> Something I would caution is that email is not a great way to manage or send alerts at
the volume likely to occur in network monitoring tools. A spike in network traffic can lead
to a very large number of emails, which tends to then cause you bigger problems. As such we
usually find people want some sort of buffering or aggregation of alerts, hence the use of
a an alert management or ticketing solution in front.
>
> Simon
>
>>  On 13 Dec 2017, at 19:06, Ahmed Shah <AhmedShah@cmail.carleton.ca> wrote:
>>
>>  Hello,
>>  Just wondering if Metron has a feature to email alerts based on rules that a user
defines.
>>
>>  Example:
>>  Rule A: Email the user 1@1.com whenever ip_src_addr=100.2.10.*
>>  Rule B: Email the user 1@1.com whenever payload contains "critical"
>>
>>  If not, does anyone have any recommendations on where to code these rules in the
Metron stack that uses attributes from the GROK parser?
>>
>>  -Ahmed
>>  _______________________________________________________________
>>  Ahmed Shah (PMP, M. Eng.)
>>  Cybersecurity Analyst & Developer
>>  GCR - Cybersecurity Operations Center
>>  Carleton University - cugcr.com<https://cugcr.com/tiki/lce/index.php>

------------------- 
Thank you,

James Sirota
PMC- Apache Metron
jsirota AT apache DOT org

Mime
View raw message