Uploading the Threat Triage Configuration to ZooKeeper
To apply triage configuration, you must modify the configuration for the new sensor in the enrichment topology.
Log in as the root user to the host on which Metron is installed.
Modify $METRON_HOME/config/zookeeper/sensors/$DATASOURCE.json to match the configuration on disk.

Because the configuration in ZooKeeper might be out of sync with the configuration on disk, ensure that they are in sync by downloading the ZooKeeper configuration first:

    $METRON_HOME/bin/zk_load_configs.sh -m PULL -z $ZOOKEEPER_HOST:2181 -f -o $METRON_HOME/config/zookeeper
Validate that the enrichment configuration for the data source exists:

    cat $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE.json
In the $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE.json file, add the following triageConfig section to the threatIntel section:

    "threatIntel" : {
      "fieldMap" : {
        "hbaseThreatIntel" : [ "domain_without_subdomains" ]
      },
      "fieldToTypeMap" : {
        "domain_without_subdomains" : [ "zeusList" ]
      },
      "config" : { },
      "triageConfig" : {
        "riskLevelRules" : {
          "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)" : 5,
          "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))" : 10
        },
        "aggregator" : "MAX",
        "aggregationConfig" : { }
      }
    }
Ensure that the aggregator field is set to MAX.
Push the configuration back to ZooKeeper:

    $METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/config/zookeeper
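A pre-push check for the step above, written as an added example that is not part of the Metron project or of this page. It parses the enrichment configuration, confirms that the threatIntel.triageConfig section has a non-empty riskLevelRules object with numeric scores and a recognised aggregator, and shows how the aggregator combines the scores of the rules that fire (the two rules on this page, both firing, give 10 under MAX but 15 under SUM). The sample configuration is the one from this page, embedded as a constructed string; the set of aggregator names is assumed from the Metron documentation and may need adjusting for your release.

```python
import json

# Constructed sample: the enrichment configuration shown on this page,
# embedded so the example runs offline.
SAMPLE_ENRICHMENT_CONFIG = r'''
{
  "threatIntel": {
    "fieldMap": { "hbaseThreatIntel": [ "domain_without_subdomains" ] },
    "fieldToTypeMap": { "domain_without_subdomains": [ "zeusList" ] },
    "config": {},
    "triageConfig": {
      "riskLevelRules": {
        "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)": 5,
        "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))": 10
      },
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  }
}
'''

# Aggregators accepted by Metron threat triage (assumption taken from the
# Metron documentation; adjust if your release differs).
KNOWN_AGGREGATORS = {"MAX", "MIN", "SUM", "MEAN", "POSITIVE_MEAN"}


def parse_config(text: str) -> dict:
    """Parse an enrichment configuration from its JSON text."""
    return json.loads(text)


def validate_triage_config(config: dict) -> list:
    """Return a list of problems found in threatIntel.triageConfig.

    An empty list means the section is present and well formed.
    """
    problems = []
    threat_intel = config.get("threatIntel")
    if not isinstance(threat_intel, dict):
        return ["missing threatIntel section"]
    triage = threat_intel.get("triageConfig")
    if not isinstance(triage, dict):
        return ["missing threatIntel.triageConfig section"]

    rules = triage.get("riskLevelRules")
    if not isinstance(rules, dict) or not rules:
        problems.append("riskLevelRules must be a non-empty object")
    else:
        for expr, score in rules.items():
            if not expr.strip():
                problems.append("rule expression must be a non-empty string")
            # bool is a subclass of int in Python, so reject it explicitly
            if isinstance(score, bool) or not isinstance(score, (int, float)):
                problems.append("rule %r has non-numeric score %r" % (expr, score))

    aggregator = triage.get("aggregator")
    if aggregator not in KNOWN_AGGREGATORS:
        problems.append("unknown aggregator %r (expected one of %s)"
                        % (aggregator, sorted(KNOWN_AGGREGATORS)))
    return problems


def aggregate_scores(scores, aggregator: str) -> float:
    """Combine the scores of the rules that fired the way the named aggregator does."""
    if not scores:
        return 0.0
    if aggregator == "MAX":
        return float(max(scores))
    if aggregator == "MIN":
        return float(min(scores))
    if aggregator == "SUM":
        return float(sum(scores))
    if aggregator == "MEAN":
        return sum(scores) / len(scores)
    if aggregator == "POSITIVE_MEAN":
        positive = [s for s in scores if s > 0]
        return sum(positive) / len(positive) if positive else 0.0
    raise ValueError("unknown aggregator: %s" % aggregator)


def validate_file(path: str) -> list:
    """Load an enrichment configuration file from disk and validate its triage section."""
    with open(path) as fh:
        return validate_triage_config(json.load(fh))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_ENRICHMENT_CONFIG)
    print("problems:", validate_triage_config(cfg))
    # Both page rules fire for a zeusList domain that is neither .com nor .net
    print("MAX of fired rules:", aggregate_scores([5, 10], "MAX"))
    print("SUM of fired rules:", aggregate_scores([5, 10], "SUM"))
```

Run validate_file against $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE.json after the PULL and before the PUSH; an empty list means the triage section is in place and the aggregator is one Metron recognises.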