Just wondering if Metron has a feature to email alerts based on rules that a user defines.
Rule A: Email the user [EMAIL PROTECTED] whenever ip_src_addr=100.2.10.*
Rule B: Email the user [EMAIL PROTECTED] whenever payload contains "critical"
If not, does anyone have any recommendations on where to code these rules in the Metron stack that uses attributes from the GROK parser?
Ahmed Shah (PMP, M. Eng.)
Cybersecurity Analyst & Developer
GCR - Cybersecurity Operations Center
Carleton University - cugcr.com (https://cugcr.com/tiki/lce/index.php)
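As an added illustration (not a Metron feature and not the project's own code): Metron parsers, the Grok parser included, hand each event downstream as a flat JSON object with fields such as ip_src_addr, so the two rules above can be expressed as predicates over that object. The script below evaluates such rules against constructed sample messages and builds the e-mail each hit would send; delivery is left to smtplib so it runs offline. The recipient addresses, the field named "payload", and the choice of reading "100.2.10.*" as the 100.2.10.0/24 network are assumptions for the example.

```python
import ipaddress
import json
from email.message import EmailMessage


def src_in_network(cidr):
    """Predicate: message's ip_src_addr falls inside the given CIDR."""
    net = ipaddress.ip_network(cidr)

    def pred(msg):
        try:
            return ipaddress.ip_address(msg.get("ip_src_addr", "")) in net
        except ValueError:  # field missing or not a valid address: no match
            return False

    return pred


def field_contains(field, needle):
    """Predicate: case-insensitive substring test on one message field."""

    def pred(msg):
        return needle.lower() in str(msg.get(field, "")).lower()

    return pred


# Rule A: "100.2.10.*" taken as the /24 network (assumed interpretation).
# Rule B: the "payload" field (assumed to be a Grok-extracted field) contains "critical".
# Recipients are placeholders, not the addresses from the original post.
RULES = [
    {"name": "Rule A", "to": "analyst-a@example.org",
     "match": src_in_network("100.2.10.0/24")},
    {"name": "Rule B", "to": "analyst-b@example.org",
     "match": field_contains("payload", "critical")},
]


def matching_rules(msg, rules=RULES):
    """Return every rule whose predicate accepts the parsed message."""
    return [r for r in rules if r["match"](msg)]


def build_alert(rule, msg, sender="metron-alerts@example.org"):
    """Build (but do not send) the notification for one rule hit."""
    email = EmailMessage()
    email["From"] = sender
    email["To"] = rule["to"]
    email["Subject"] = "[Metron] %s matched (%s)" % (rule["name"], msg.get("source.type", "unknown"))
    email.set_content(json.dumps(msg, indent=2, sort_keys=True))
    return email


def route(json_lines, rules=RULES):
    """Evaluate every rule against every JSON-encoded message; return the alerts."""
    alerts = []
    for line in json_lines:
        if not line.strip():
            continue
        msg = json.loads(line)
        for rule in matching_rules(msg, rules):
            alerts.append(build_alert(rule, msg))
    return alerts


# Constructed sample in the flat JSON shape Metron parsers emit; not captured
# from a real deployment. The third line has a malformed source address on purpose.
SAMPLE = [
    '{"source.type":"squid","timestamp":1500000000000,"ip_src_addr":"100.2.10.77",'
    '"ip_dst_addr":"203.0.113.5","payload":"GET /index.html"}',
    '{"source.type":"squid","timestamp":1500000001000,"ip_src_addr":"198.51.100.9",'
    '"ip_dst_addr":"203.0.113.5","payload":"CRITICAL: auth failure"}',
    '{"source.type":"squid","timestamp":1500000002000,"ip_src_addr":"not-an-ip",'
    '"payload":"nothing to see"}',
]

if __name__ == "__main__":
    for alert in route(SAMPLE):
        print(alert["To"], "<-", alert["Subject"])
    # To deliver for real, pass each alert to smtplib.SMTP(host).send_message(alert).
```

Wherever this runs (for example a consumer of the Kafka topic the enrichment topology writes to), the evaluation is the same: a rule is a predicate over the parsed message, and malformed or absent fields fail closed rather than raising.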