Administration

Uploading the Threat Triage Configuration to ZooKeeper

To apply this example triage configuration, you must modify the configuration for the new sensor in the enrichment topology.

  1. Log in as root user to the host on which Metron is installed.

  2. Modify $METRON_HOME/config/zookeeper/sensors/$DATASOURCE.json.

    Because the configuration in ZooKeeper might be out of sync with the configuration on disk, ensure that they are in sync by downloading the ZooKeeper configuration first:

    $METRON_HOME/bin/zk_load_configs.sh -m PULL -z $ZOOKEEPER_HOST:2181 -f -o $METRON_HOME/config/zookeeper
  3. Validate that the enrichment configuration for the data source exists:

    cat $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE.json
  4. In the $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE.json file, add a triageConfig section to the threatIntel section. The riskLevelRules map each Stellar rule expression to the score it contributes, and the aggregator controls how the scores of all matching rules are combined into the final threat triage score.

    For example:

    "threatIntel" : {
      "fieldMap" : {
        "hbaseThreatIntel" : [ "domain_without_subdomains" ]
      },
      "fieldToTypeMap" : {
        "domain_without_subdomains" : [ "zeusList" ]
      },
      "config" : { },
      "triageConfig" : {
        "riskLevelRules" : {
          "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)" : 5,
          "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))" : 10
        },
        "aggregator" : "MAX",
        "aggregationConfig" : { }
      }
    }
  }
  5. Ensure that the aggregator field is set to MAX, so that a message matching several rules receives the highest single rule score rather than their sum.

  6. Push the configuration back to ZooKeeper:

    $METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/config/zookeeper
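As an added illustration (not code from the Metron project), the following Python models how the riskLevelRules and aggregator of the triageConfig above combine into one score. The two Stellar rule expressions are stood in for by hypothetical Python predicates, and the aggregator decides whether a message matching both rules scores 10 (MAX) or 15 (SUM).

```python
import json
import statistics

# Constructed copy of the page's triageConfig, parsed from JSON (not read from ZooKeeper).
TRIAGE_CONFIG = json.loads("""{
  "riskLevelRules": {
    "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)": 5,
    "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))": 10
  },
  "aggregator": "MAX",
  "aggregationConfig": {}
}""")

ZEUS_FLAG = "threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList"

# Hypothetical Python predicates standing in for Metron's Stellar evaluator, one per rule key.
def _zeus_hit(msg):
    # A threat-intel match is represented here as the flag field being present on the message.
    return ZEUS_FLAG in msg

def _not_com_or_net(msg):
    domain = msg.get("domain_without_subdomains", "")
    return not (domain.endswith(".com") or domain.endswith(".net"))

RULE_PREDICATES = {
    "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)": _zeus_hit,
    "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))": _not_com_or_net,
}

# Aggregators this example supports; MAX is the one the page's configuration selects.
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum, "MEAN": statistics.mean}

def triage(msg, config=TRIAGE_CONFIG):
    """Return (score, triggered_rules) for one enriched message.

    Every rule whose predicate is true contributes its configured score; the
    aggregator named in the config folds those scores into one value. A message
    that matches no rule gets a score of 0 (this example's convention).
    """
    scores, triggered = [], []
    for rule, score in config["riskLevelRules"].items():
        if RULE_PREDICATES[rule](msg):
            scores.append(score)
            triggered.append(rule)
    if not scores:
        return 0, []
    return AGGREGATORS[config["aggregator"]](scores), triggered
```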