Mapping Fields to HBase Threat Intel by Using the CLI
Defining the threat intelligence topology is very similar to defining the transformation and enrichment topology.
Edit the new data source threat intelligence configuration at
$METRON_HOME/config/zookeeper/enrichments/$DATASOURCE
to associate theip_src_addr
with the user enrichment.For example:
{ "index" : "squid", "batchSize" : 1, "enrichment" : { "fieldMap" : { "hbaseEnrichment" : [ "ip_src_addr" ] }, "fieldToTypeMap" : { "ip_src_addr" : [ "whois" ] }, "config" : { } }, "threatIntel" : { "fieldMap" : { }, "fieldToTypeMap" : { }, "config" : { }, "triageConfig" : { "riskLevelRules" : { }, "aggregator" : "MAX", "aggregationConfig" : { } } }, "configuration" : { } }
Push this configuration to ZooKeeper:
$METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/zookeeper
After you have finished enriching the telemetry events, ensure that the enriched data is displaying on the Metron dashboard. For instructions on adding a new telemetry data source to the Metron Dashboard, see Adding a New Data Source.