Administration

Running the Threat Intel Loader

After you have defined the threat intelligence source, threat intelligence extractor, and threat intelligence mapping configuration, run the loader to move the data from the threat intelligence source to the Metron threat intelligence store and to store the enrichment configuration in ZooKeeper.

  1. Log in to $HOST_WITH_ENRICHMENT_TAG as root.

  2. Run the loader:

    $METRON_HOME/bin/flatfile_loader.sh -n enrichment_config.json -i domainblocklist.csv -t threatintel -c t -e extractor_config.json

    This command adds the threat intelligence data into HBase and establishes a ZooKeeper mapping. The data is extracted using the extractor and configuration defined in the extractor_config.json file and populated into an HBase table called threatintel.

  3. Verify that the threat intelligence data was properly ingested into HBase:

    hbase shell
    scan 'threatintel'

    You should see a configuration for the sensor that looks something like the following:

    Figure 3.16. Threat Intel Configuration


  4. Generate some data to populate the Metron Dashboard.
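
A pre-flight check for the two files passed to the loader in step 2, so that malformed rows are caught before they land in the threatintel table. This is an added example, not part of the original documentation or the Metron code base. The extractor layout (`columns`, `indicator_column`, `separator`) is assumed to follow the CSV extractor format, and the sample feed and the `preflight` helper are constructed for illustration.

```python
import csv
import io
import json

# Constructed sample inputs (not from the page); the extractor layout is an assumption.
SAMPLE_EXTRACTOR = """{
  "config": {"columns": {"domain": 0, "source": 1},
             "indicator_column": "domain", "type": "zeus_list", "separator": ","},
  "extractor": "CSV"
}"""
SAMPLE_CSV = ("bad-domain.example,abuse-feed\n,abuse-feed\n"
              "other.example\nbad-domain.example,abuse-feed\n")


def preflight(extractor_json, csv_text):
    """Return (indicators, problems) for a CSV feed checked against its extractor config."""
    cfg = json.loads(extractor_json)["config"]
    columns = cfg["columns"]
    indicator_col = cfg["indicator_column"]
    if indicator_col not in columns:
        return [], [f"indicator_column '{indicator_col}' is not in columns"]
    idx = columns[indicator_col]
    width = max(columns.values()) + 1  # fields a row needs to satisfy every mapping
    indicators, seen, problems = [], set(), []
    reader = csv.reader(io.StringIO(csv_text), delimiter=cfg.get("separator", ","))
    for lineno, row in enumerate(reader, start=1):
        if not row:  # skip blank lines
            continue
        if len(row) < width:
            problems.append(f"line {lineno}: expected {width} fields, got {len(row)}")
            continue
        value = row[idx].strip()
        if not value:
            problems.append(f"line {lineno}: empty indicator")
        elif value in seen:
            problems.append(f"line {lineno}: duplicate indicator {value}")
        else:
            seen.add(value)
            indicators.append(value)
    return indicators, problems


if __name__ == "__main__":
    good, bad = preflight(SAMPLE_EXTRACTOR, SAMPLE_CSV)
    print(f"{len(good)} indicators ready to load")
    for p in bad:
        print("PROBLEM:", p)
```

To check real files, pass the contents of extractor_config.json and domainblocklist.csv to `preflight` and run the loader only when the problem list is empty.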