Adding the MaaS Stellar Function to the Sensor Configuration

After deploying a model, you need to add the Stellar function for MaaS to the configuration file for the sensor on which you want to run the model.

To do this, complete the following steps:

  1. Edit the sensor configuration at $METRON_HOME/config/zookeeper/parsers/$PARSER.json to include a new FieldTransformation to indicate a threat alert based on the model.

      {
        "parserClassName": "org.apache.metron.parsers.GrokParser",
        "sensorTopic": "squid",
        "parserConfig": {
          "grokPath": "/patterns/squid",
          "patternLabel": "SQUID_DELIMITED",
          "timestampField": "timestamp"
        },
        "fieldTransformations" : [
          {
            "transformation" : "STELLAR"
            ,"output" : [ "full_hostname", "domain_without_subdomains", "is_malicious", "is_alert" ]
            ,"config" : {
              "full_hostname" : "URL_TO_HOST(url)"
              ,"domain_without_subdomains" : "DOMAIN_REMOVE_SUBDOMAINS(full_hostname)"
              ,"is_malicious" : "MAP_GET('is_malicious', MAAS_MODEL_APPLY(MAAS_GET_ENDPOINT('dga'), {'host' : domain_without_subdomains}))"
              ,"is_alert" : "if is_malicious == 'malicious' then 'true' else null"
            }
          }
        ]
      }



    The keys of the fieldTransformations entry are:

    "transformation": Enter 'STELLAR' to indicate this is a Stellar field transformation.

    "output": The fields the transformation will output. This typically contains full_hostname, domain_without_subdomains, is_malicious, and is_alert.

    "full_hostname": The domain component of the "url" field.

    "domain_without_subdomains": The domain of the "url" field without subdomains.

    "is_malicious": The output of the "mock_dga" model as deployed earlier. In this case, it will be "malicious" or "legit", because those are the values that our model returns.

    "is_alert": Set to "true" if and only if the model indicates the hostname is malicious.

  2. Edit the sensor enrichment configuration at $METRON_HOME/config/zookeeper/parsers/$PARSER.json to adjust the threat triage level of risk based on the model output:

      {
        "index": "$PARSER_NAME",
        "batchSize": 1,
        "enrichment" : {
          "fieldMap": {}
        },
        "threatIntel" : {
          "triageConfig" : {
            "riskLevelRules" : {
              "is_malicious == 'malicious'" : 100
            },
            "aggregator" : "MAX"
          }
        }
      }

    The rule assigns a risk score of 100 to any event whose is_malicious field equals 'malicious'; with the MAX aggregator, the highest score among all matching rules becomes the event's triage score.

  3. Upload the new configurations to ZooKeeper:

      $METRON_HOME/bin/ --mode PUSH -i $METRON_HOME/config/zookeeper -z node1:2181

  4. If this is a new sensor and it does not have a Kafka topic associated with it, create the sensor topic in Kafka:

    /usr/hdp/current/kafka-broker/bin/ --zookeeper node1:2181 --create --topic $PARSER_NAME --partitions 1 --replication-factor 1
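
To check the two configuration fragments for consistency before pushing them, and to see what the transformation chain and the triage rule do to a record, here is an added Python example; it is not part of the Metron documentation or code base. It assumes the configuration shapes shown in steps 1 and 2. The DGA model call, the subdomain stripping and the rule evaluator are simplified stand-ins for Metron's MAAS_MODEL_APPLY, DOMAIN_REMOVE_SUBDOMAINS and the Stellar rule engine, and the squid records are constructed:

```python
"""Offline check and dry run of the MaaS transformation and triage configuration
above. Added example; it is not part of the Metron documentation or code base."""
import json
import re
from urllib.parse import urlparse

# Constructed copy of the step-1 parser configuration (assumed identical in
# shape to the page's fragment; only the surrounding JSON is completed).
PARSER_CONFIG = json.loads(r"""{
  "parserClassName": "org.apache.metron.parsers.GrokParser", "sensorTopic": "squid",
  "parserConfig": {"grokPath": "/patterns/squid", "patternLabel": "SQUID_DELIMITED",
                   "timestampField": "timestamp"},
  "fieldTransformations": [{
    "transformation": "STELLAR",
    "output": ["full_hostname", "domain_without_subdomains", "is_malicious", "is_alert"],
    "config": {
      "full_hostname": "URL_TO_HOST(url)",
      "domain_without_subdomains": "DOMAIN_REMOVE_SUBDOMAINS(full_hostname)",
      "is_malicious": "MAP_GET('is_malicious', MAAS_MODEL_APPLY(MAAS_GET_ENDPOINT('dga'), {'host' : domain_without_subdomains}))",
      "is_alert": "if is_malicious == 'malicious' then 'true' else null"
    }
  }]
}""")

# Constructed copy of the step-2 enrichment configuration.
ENRICHMENT_CONFIG = json.loads(r"""{
  "index": "squid", "batchSize": 1,
  "enrichment": {"fieldMap": {}},
  "threatIntel": {"triageConfig": {
    "riskLevelRules": {"is_malicious == 'malicious'": 100}, "aggregator": "MAX"}}
}""")

# Only triage rules of the simple form used on the page (field == 'value') are
# understood here; real Stellar rules can be arbitrary expressions.
RULE_RE = re.compile(r"^\s*(\w+)\s*==\s*'([^']*)'\s*$")

def validate_configs(parser_cfg, enrichment_cfg):
    """Cross-check both fragments before pushing them; returns a list of problems."""
    problems, produced = [], set()
    for ft in parser_cfg.get("fieldTransformations", []):
        if ft.get("transformation") != "STELLAR":
            problems.append("transformation is %r, expected 'STELLAR'" % ft.get("transformation"))
        outputs, exprs = set(ft.get("output", [])), set(ft.get("config", {}))
        problems += ["output field %r has no expression" % f for f in sorted(outputs - exprs)]
        problems += ["expression %r is not listed in output" % f for f in sorted(exprs - outputs)]
        produced |= outputs
    for rule in enrichment_cfg["threatIntel"]["triageConfig"]["riskLevelRules"]:
        m = RULE_RE.match(rule)
        if m is None or m.group(1) not in produced:
            problems.append("rule %r is unsupported or names a field no transformation produces" % rule)
    return problems

def mock_dga_model(host):
    """Stand-in for MAAS_MODEL_APPLY on the 'dga' endpoint (constructed; the real
    call is an HTTP request to the deployed model). Same contract as the page:
    the result map carries 'is_malicious', either 'malicious' or 'legit'."""
    label = host.split(".")[0]
    looks_generated = len(label) >= 12 and not any(c in "aeiou" for c in label)
    return {"is_malicious": "malicious" if looks_generated else "legit"}

def domain_remove_subdomains(hostname):
    """Simplified DOMAIN_REMOVE_SUBDOMAINS (last two labels; Metron uses the public-suffix list)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else hostname

def apply_transformation(record, model=mock_dga_model):
    """Run the step-1 Stellar chain over one parsed squid record, in output order."""
    out = dict(record)
    out["full_hostname"] = urlparse(record["url"]).hostname           # URL_TO_HOST(url)
    out["domain_without_subdomains"] = domain_remove_subdomains(out["full_hostname"])
    result = model(out["domain_without_subdomains"])                  # MAAS_MODEL_APPLY(...)
    out["is_malicious"] = result.get("is_malicious")                  # MAP_GET('is_malicious', ...)
    out["is_alert"] = "true" if out["is_malicious"] == "malicious" else None
    return out

def triage_score(record, enrichment_cfg):
    """Apply riskLevelRules and fold matching scores with the aggregator; None if no rule matches."""
    cfg = enrichment_cfg["threatIntel"]["triageConfig"]
    scores = [score for rule, score in cfg["riskLevelRules"].items()
              if record.get(RULE_RE.match(rule).group(1)) == RULE_RE.match(rule).group(2)]
    if not scores:
        return None
    aggregators = {"MAX": max, "MIN": min, "SUM": sum, "MEAN": lambda s: sum(s) / len(s)}
    return aggregators[cfg["aggregator"]](scores)

# Constructed squid records as they would look after Grok parsing.
SAMPLE_RECORDS = [
    {"timestamp": 1498118221000, "ip_src_addr": "192.168.1.10", "url": "http://www.xkqzmvrtpbdn.com/ping"},
    {"timestamp": 1498118222000, "ip_src_addr": "192.168.1.11", "url": "https://docs.example.org/page"},
]

if __name__ == "__main__":
    print("config problems:", validate_configs(PARSER_CONFIG, ENRICHMENT_CONFIG))
    for enriched in map(apply_transformation, SAMPLE_RECORDS):
        print(enriched["domain_without_subdomains"], enriched["is_alert"], triage_score(enriched, ENRICHMENT_CONFIG))
```

The first record resolves to a vowel-free twelve-character label, which the stand-in model labels "malicious", so is_alert becomes "true" and the triage rule yields a score of 100; the second record is labelled "legit", is_alert stays null and no score is attached. The validator catches the two mistakes that silently break this setup in practice: an output field with no Stellar expression, and a triage rule that tests a field the transformation never produces.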