...

  • Fully Automated 10 Node Ansible Based Install on AWS using Ambari Blueprints and AWS APIs
    • If you want a more realistic setup of the Metron app, use this approach. Keep in mind that this install will spin up 10 m4.xlarge EC2 instances by default.

Dev VM Install - Ansible Based Vagrant Single Node VM Install

This install fully automates the provisioning of Apache Metron on a single, virtualized host running on VirtualBox. Metron is composed of many components, and installing all of them on a single host, especially a virtualized one, will greatly stress your computer. To work sufficiently this will require at least 8 GB of RAM and a fair amount of patience.

See the following for instructions: Full Dev Platform

Cloud Install - Fully Automated 10 Node Cluster on AWS

This install fully automates the provisioning of Apache Metron on Amazon EC2 infrastructure. Starting with only your Amazon EC2 credentials, this project will create a fully-functioning, end-to-end, multi-node cluster running Apache Metron.

...

See the following for instructions: Apache Metron on Amazon EC2

 

Explore Metron UI

[Image]

Metron provides a Kibana-based UI that is designed to be a single pane of glass: it applies the big data approach (having all data available to you at the same time) to filter out the irrelevant and display just the information, alerts, and context an analyst or investigator is looking for, all on the same pane. The Metron UI has several advantages over conventional SIEM tools, including flexibility and having the needle as well as all the context for the needle presented together on the same screen, with no jumping around from console to console to gather the information.

...

The PCAP panel is backed by the PCAP Service, which takes the 5-tuple (source IP, source port, destination IP, destination port, protocol) plus start and end timestamps as arguments and delivers the associated PCAP to the end user. Each PCAP can then be imported into Wireshark for additional fine-grained analysis of the network traffic.
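To make the shape of that query concrete, here is an added example (not Metron's PCAP Service code) that selects packets from a constructed in-memory capture by 5-tuple and time window and packages them as a classic libpcap byte stream, which is what an analyst would hand to Wireshark. The `Packet` record, the sample capture and the choice to match the flow in both directions are assumptions of this example, not details of the Metron service.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (constructed for this example)."""
    ts_us: int          # capture time, microseconds since the Unix epoch
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    frame: bytes        # raw frame bytes; constructed filler, not a real capture


# Constructed sample capture: three packets of one HTTP flow, one unrelated DNS
# packet, and one packet of the same HTTP flow that falls outside the query window.
SAMPLE_CAPTURE = [
    Packet(1_000_000, "10.0.0.5", 52344, "93.184.216.34", 80, "TCP", b"\x00" * 60),
    Packet(1_000_500, "93.184.216.34", 80, "10.0.0.5", 52344, "TCP", b"\x01" * 60),
    Packet(1_002_000, "10.0.0.5", 52344, "93.184.216.34", 80, "TCP", b"\x02" * 60),
    Packet(1_003_000, "10.0.0.7", 40000, "8.8.8.8", 53, "UDP", b"\x03" * 40),
    Packet(2_000_000, "10.0.0.5", 52344, "93.184.216.34", 80, "TCP", b"\x04" * 60),
]


def matches_five_tuple(pkt, src_ip, src_port, dst_ip, dst_port, protocol):
    """True when the packet belongs to the flow in either direction.

    Assumption of this example: a retrieval by 5-tuple should return both halves of
    the conversation, so the reverse direction is accepted as well.
    """
    if pkt.protocol != protocol:
        return False
    key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
    return key in (
        (src_ip, src_port, dst_ip, dst_port),
        (dst_ip, dst_port, src_ip, src_port),
    )


def select_packets(capture, src_ip, src_port, dst_ip, dst_port, protocol, start_us, end_us):
    """Apply the time window first, then the 5-tuple match; returns packets in time order."""
    hits = [
        p for p in capture
        if start_us <= p.ts_us <= end_us
        and matches_five_tuple(p, src_ip, src_port, dst_ip, dst_port, protocol)
    ]
    return sorted(hits, key=lambda p: p.ts_us)


PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def to_pcap(packets, snaplen=65535):
    """Serialise packets as a libpcap file: 24-byte global header + 16-byte record headers."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for p in packets:
        sec, usec = divmod(p.ts_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(p.frame), len(p.frame))
        out += p.frame
    return bytes(out)


def count_records(pcap_bytes):
    """Walk a pcap byte stream and count its records; a cheap well-formedness check."""
    if pcap_bytes[:4] != struct.pack("<I", PCAP_MAGIC):
        raise ValueError("not a classic libpcap stream")
    offset, n = 24, 0
    while offset < len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, offset)
        offset += 16 + incl_len
        n += 1
    if offset != len(pcap_bytes):
        raise ValueError("truncated record at end of stream")
    return n


if __name__ == "__main__":
    hits = select_packets(SAMPLE_CAPTURE, "10.0.0.5", 52344, "93.184.216.34", 80, "TCP",
                          1_000_000, 1_010_000)
    blob = to_pcap(hits)
    print(f"{len(hits)} packets selected, {len(blob)} bytes of pcap, "
          f"{count_records(blob)} records on re-parse")
```

The window is applied before the 5-tuple match so the service never scans the whole flow history for a long-lived connection; the DNS packet and the late HTTP packet are excluded, leaving the three in-window packets of the requested flow.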

 

...

Metron UI Use Case: Finding a Needle in the Haystack

Now that we understand how the UI is set up, let's run through scenarios for how to filter out the noise and get only to the alerts and context you are looking for. In order to do so we need to define global filters. Global filters are similar to pinned queries, but they are applied globally to every UI panel and only display the information matched by the query. To define a global query, expand the filtering tab and click on the + icon to define any number of filters. For example, to restrict the panels to only HTTP traffic originating from port 80, the series of filters would look as follows:

[Image]

After these filters are set up, every Metron panel displays only the information matched by these queries. This is powerful because, since all the telemetries are in the standard Metron JSON format, a single filter is applicable to all telemetry types. The alerts and metadata entries associated with the set of filters all pass through. Additional filters can be defined for geo data as well as for any of the enrichments. So in our example, when looking at Snort alerts, both the histogram and the alerts panels would filter as follows:

The same filter would be applied to the rest of the panels so that the contextual information for these alerts would be displayed. The resulting filtered dashboard would look as follows:

[Image]

The benefit of this arrangement is that by progressively stacking filters you can get to exactly the information you are looking for. Since every panel updates, all the context you need (since every telemetry source has its own panel) is presented on the same screen, so there are no additional consoles to jump through. PCAP retrieval is right there as well, so if additional forensic analysis is needed that service is available on the same UI.
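The reason one filter reaches every panel is that the telemetry shares a normalised field set. The following added example (not Metron's UI or Kibana code) models that: a handful of constructed Snort, Bro and YAF records in Metron-style JSON, a set of global filters ANDed together, and a "dashboard" that groups the surviving records per source type, the way each panel shows its own slice of the same filtered data. It also shows the stacking described above, adding a geo-enrichment filter on top of the port-80 filter. The field names `source.type`, `ip_src_addr`, `ip_src_port`, `ip_dst_addr`, `ip_dst_port`, `protocol` and the dotted enrichment key are assumed from Metron's conventions; the records themselves are constructed.

```python
from collections import defaultdict

# Constructed telemetry in Metron-style normalised JSON. The 5-tuple fields carry the
# same names regardless of sensor, which is what lets a single filter span all panels.
TELEMETRY = [
    {"source.type": "snort", "ip_src_addr": "93.184.216.34", "ip_src_port": 80,
     "ip_dst_addr": "10.0.0.5", "ip_dst_port": 52344, "protocol": "TCP",
     "enrichments.geo.ip_src_addr.country": "US", "msg": "constructed snort alert"},
    {"source.type": "bro", "ip_src_addr": "93.184.216.34", "ip_src_port": 80,
     "ip_dst_addr": "10.0.0.5", "ip_dst_port": 52344, "protocol": "TCP",
     "enrichments.geo.ip_src_addr.country": "US", "method": "GET"},
    {"source.type": "yaf", "ip_src_addr": "203.0.113.9", "ip_src_port": 80,
     "ip_dst_addr": "10.0.0.8", "ip_dst_port": 41000, "protocol": "TCP",
     "enrichments.geo.ip_src_addr.country": "DE"},
    {"source.type": "snort", "ip_src_addr": "10.0.0.9", "ip_src_port": 22,
     "ip_dst_addr": "10.0.0.5", "ip_dst_port": 51000, "protocol": "TCP",
     "msg": "constructed ssh alert"},
    {"source.type": "bro", "ip_src_addr": "10.0.0.5", "ip_src_port": 53000,
     "ip_dst_addr": "8.8.8.8", "ip_dst_port": 53, "protocol": "UDP"},
    {"source.type": "yaf", "ip_src_addr": "198.51.100.2", "ip_src_port": 80,
     "ip_dst_addr": "10.0.0.5", "ip_dst_port": 60000, "protocol": "UDP"},
]


def field_equals(field, value):
    """One global filter: an exact match on a single normalised field."""
    return lambda record: record.get(field) == value


def apply_global_filters(records, filters):
    """All filters must hold (AND), mirroring a stack of filters in the UI."""
    return [r for r in records if all(f(r) for f in filters)]


def dashboard(records, filters):
    """Group the globally filtered records by source type: one list per panel."""
    panels = defaultdict(list)
    for record in apply_global_filters(records, filters):
        panels[record["source.type"]].append(record)
    return dict(panels)


def panel_counts(records, filters):
    """Per-panel hit counts, the figure a histogram panel would chart."""
    return {source: len(rows) for source, rows in dashboard(records, filters).items()}


# The page's example: HTTP traffic originating from port 80 (assumed to mean
# TCP with a source port of 80).
HTTP_FROM_80 = [field_equals("protocol", "TCP"), field_equals("ip_src_port", 80)]

# Stacking a geo-enrichment filter on top narrows every panel at once.
HTTP_FROM_80_US = HTTP_FROM_80 + [field_equals("enrichments.geo.ip_src_addr.country", "US")]


if __name__ == "__main__":
    print("port 80 only  :", panel_counts(TELEMETRY, HTTP_FROM_80))
    print("port 80 + US  :", panel_counts(TELEMETRY, HTTP_FROM_80_US))
```

Note that the UDP record from source port 80 is dropped by the protocol filter even though its port matches, and that the enrichment filter works on the same flat, dotted key that the enrichment step writes into each record, so it needs no per-sensor handling.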

Metron Extensibility