metron-dev mailing list archives

From Ahmed Shah <>
Subject Metron - Emailing Alerts
Date Wed, 13 Dec 2017 19:06:32 GMT
Just wondering if Metron has a feature to email alerts based on rules that a user defines.

Rule A: Email the user whenever ip_src_addr=100.2.10.*
Rule B: Email the user whenever payload contains "critical"

If not, does anyone have any recommendations on where to code these rules in the Metron stack
that uses attributes from the GROK parser?

Ahmed Shah (PMP, M. Eng.)
Cybersecurity Analyst & Developer
GCR - Cybersecurity Operations Center
Carleton University -<>
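As an added illustration (not code from the Metron project or from the poster), the two rules above written as checks over Metron-style parsed messages in Python, with a small evaluator that reports which messages would trigger an e-mail; the sample messages, the recipient address and the function names are constructed for this example.

```python
import ipaddress
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample of Metron-style parsed messages (one JSON record per line),
# shaped like what a GROK-based parser emits; not real captured traffic.
SAMPLE_MESSAGES = """\
{"ip_src_addr": "100.2.10.7", "ip_dst_addr": "10.0.0.5", "payload": "GET /index.html"}
{"ip_src_addr": "192.168.1.4", "ip_dst_addr": "10.0.0.5", "payload": "CRITICAL: disk failure"}
{"ip_src_addr": "100.2.10.200", "ip_dst_addr": "10.0.0.9", "payload": "critical alert fired"}
{"ip_src_addr": "8.8.8.8", "ip_dst_addr": "10.0.0.9", "payload": "ok"}
"""

# A rule is (name, recipient e-mail, predicate over one parsed message).
Rule = Tuple[str, str, Callable[[dict], bool]]

def src_in_network(cidr: str) -> Callable[[dict], bool]:
    """Rule A: ip_src_addr inside a network; 100.2.10.* is 100.2.10.0/24."""
    net = ipaddress.ip_network(cidr)
    def _match(msg: dict) -> bool:
        try:
            return ipaddress.ip_address(msg.get("ip_src_addr", "")) in net
        except ValueError:  # missing or malformed address never matches
            return False
    return _match

def payload_contains(needle: str) -> Callable[[dict], bool]:
    """Rule B: case-insensitive substring match on the payload field."""
    needle = needle.lower()
    return lambda msg: needle in str(msg.get("payload", "")).lower()

RULES: List[Rule] = [  # recipient address is a placeholder
    ("Rule A", "soc@example.invalid", src_in_network("100.2.10.0/24")),
    ("Rule B", "soc@example.invalid", payload_contains("critical")),
]

def evaluate(raw_lines: str, rules: List[Rule]) -> Dict[str, List[dict]]:
    """Return, per rule name, the messages that would trigger an e-mail."""
    hits: Dict[str, List[dict]] = {name: [] for name, _, _ in rules}
    for line in raw_lines.splitlines():
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of crashing the consumer
        for name, _recipient, matches in rules:
            if matches(msg):
                hits[name].append(msg)
    return hits
```

A message can match several rules (the third sample hits both A and B), so whatever sends the mail should group hits per recipient rather than sending one message per rule per event.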
