Administration

Prerequisites

Before you add a new telemetry device, you must perform the following actions:

  • Install HDP and HDF, and then install HCP.

    For information about installing HCP, see the HCP Installation Guide.

  • Ensure that the new sensor is installed and set up.

  • Ensure that NiFi or another telemetry data collection tool can feed the telemetry data source events into a Kafka topic.

  • Determine your requirements.

    For example, you might decide that you need to meet the following requirements:

    • Proxy events from the data source logs must be ingested in real-time.

    • Proxy logs must be parsed into a standardized JSON structure suitable for analysis by Metron.

    • In real-time, new proxy events from the data source must be enriched so that each domain name in the event is accompanied by its IP information.

    • In real-time, the IP address within each proxy event must be checked against threat intelligence feeds.

    • If there is a threat intelligence hit, an alert must be raised.

    • The SOC analyst must be able to view new telemetry events and alerts from the new data source.

  • Set HCP values

    When you install HCP, you will set up several hosts. You will need the locations of these hosts, along with port numbers, and the Metron version. These values are listed below.

    • KAFKA_HOST = The host where a Kafka broker is installed.

    • ZOOKEEPER_HOST = The host where a ZooKeeper server is installed.

    • PROBE_HOST = The host where your sensors or probes are installed. If you don't have any sensors installed, pick a host where a Storm supervisor is running.

    • NIFI_HOST = The host where you will install NiFi.

    • HOST_WITH_ENRICHMENT_TAG = The host in your inventory hosts file that you put under the group "enrichment."

    • SEARCH_HOST = The host where you have Elasticsearch or Solr running. This is the host in your inventory hosts file that you put under the group "search". If there are several search hosts, pick one of them.

    • SEARCH_HOST_PORT = The port on the search host that indexing is configured to write to. (For example, 9300, the Elasticsearch transport port.)

    • METRON_UI_HOST = The host where your Metron UI web application is running. This is the host in your inventory hosts file that you put under the group "web."

    • METRON_VERSION = The release of the Metron binaries you are working with. (For example, HCP-1.1.0.0)
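As an added example (not from the HCP documentation or the Metron project), the preflight script below reads the values above from environment variables with the same names, validates them, derives the connection strings the later steps need, and checks that each host:port pair accepts a TCP connection before you start wiring up the new sensor. The default ports for Kafka (6667), ZooKeeper (2181) and the Metron UI (4200) are assumptions and can be overridden through KAFKA_PORT, ZOOKEEPER_PORT and METRON_UI_PORT; SAMPLE_ENV holds constructed values, and the throwaway local listener exists only so the reachability check can be demonstrated offline.

```python
"""Preflight check for the HCP values listed above (added example, not HCP/Metron code)."""
import os
import socket
import sys

# Hosts the page says you must know before adding a telemetry source.
REQUIRED_HOSTS = (
    "KAFKA_HOST", "ZOOKEEPER_HOST", "PROBE_HOST", "NIFI_HOST",
    "HOST_WITH_ENRICHMENT_TAG", "SEARCH_HOST", "METRON_UI_HOST",
)
REQUIRED_OTHER = ("SEARCH_HOST_PORT", "METRON_VERSION")

# Assumed defaults, not stated on the page: HDP's Kafka and ZooKeeper ports
# and the Metron UI's usual port. Override with the same-named variables.
DEFAULT_PORTS = {"KAFKA_PORT": 6667, "ZOOKEEPER_PORT": 2181, "METRON_UI_PORT": 4200}
PORT_NAMES = ("SEARCH_HOST_PORT",) + tuple(DEFAULT_PORTS)

# Constructed sample values, in the shape the page asks you to collect.
SAMPLE_ENV = {
    "KAFKA_HOST": "kafka1.example.internal",
    "ZOOKEEPER_HOST": "zk1.example.internal",
    "PROBE_HOST": "probe1.example.internal",
    "NIFI_HOST": "nifi1.example.internal",
    "HOST_WITH_ENRICHMENT_TAG": "enrich1.example.internal",
    "SEARCH_HOST": "es1.example.internal",
    "SEARCH_HOST_PORT": "9300",
    "METRON_UI_HOST": "ui1.example.internal",
    "METRON_VERSION": "HCP-1.1.0.0",
}


def validation_problems(env):
    """List every problem with the HCP values in env; an empty list means all good."""
    problems = []
    for name in REQUIRED_HOSTS + REQUIRED_OTHER:
        if not env.get(name, "").strip():
            problems.append(f"{name} is not set")
    for name in PORT_NAMES:
        raw = env.get(name, "").strip()
        if raw and not (raw.isdigit() and 1 <= int(raw) <= 65535):
            problems.append(f"{name}={raw!r} is not a TCP port")
    return problems


def load_hcp_values(env):
    """Return the validated values with ports as ints and assumed defaults filled in."""
    problems = validation_problems(env)
    if problems:
        raise ValueError("; ".join(problems))
    values = {name: env[name].strip() for name in REQUIRED_HOSTS + REQUIRED_OTHER}
    for name, default in DEFAULT_PORTS.items():
        values[name] = int(env.get(name, "").strip() or default)
    values["SEARCH_HOST_PORT"] = int(values["SEARCH_HOST_PORT"])
    return values


def connection_strings(values):
    """Derive the broker list, ZooKeeper quorum and search/UI endpoints later steps use."""
    return {
        "kafka_brokers": f"{values['KAFKA_HOST']}:{values['KAFKA_PORT']}",
        "zookeeper_quorum": f"{values['ZOOKEEPER_HOST']}:{values['ZOOKEEPER_PORT']}",
        "search_endpoint": f"{values['SEARCH_HOST']}:{values['SEARCH_HOST_PORT']}",
        "metron_ui": f"http://{values['METRON_UI_HOST']}:{values['METRON_UI_PORT']}",
    }


def check_tcp(host, port, timeout=3.0):
    """True if host:port accepts a TCP connection; False on refusal, DNS failure or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError, socket.gaierror and socket.timeout all derive from OSError
        return False


def preflight(values, timeout=3.0):
    """Check every host:port pair the later steps depend on; return {label: reachable}."""
    targets = {
        "kafka": (values["KAFKA_HOST"], values["KAFKA_PORT"]),
        "zookeeper": (values["ZOOKEEPER_HOST"], values["ZOOKEEPER_PORT"]),
        "search": (values["SEARCH_HOST"], values["SEARCH_HOST_PORT"]),
        "metron_ui": (values["METRON_UI_HOST"], values["METRON_UI_PORT"]),
    }
    return {label: check_tcp(h, p, timeout) for label, (h, p) in targets.items()}


def demo_with_local_listener():
    """Offline demonstration: a throwaway listener on 127.0.0.1 stands in for a broker."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        return check_tcp("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    try:
        hcp = load_hcp_values(os.environ)  # the real run reads your exported values
    except ValueError as err:
        sys.exit(f"HCP values incomplete: {err}")
    for name, value in connection_strings(hcp).items():
        print(f"{name}: {value}")
    results = preflight(hcp)
    for label, ok in results.items():
        print(f"{label}: {'reachable' if ok else 'UNREACHABLE'}")
    sys.exit(0 if all(results.values()) else 1)
```

Export the values in your shell first (for example `export KAFKA_HOST=...`), then run the script from a host that can reach the cluster; a non-zero exit means at least one value is missing, malformed or points at a host that is not listening yet, which is cheaper to find now than after the parser topology fails to start.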