Administration

Uploading the Threat Triage Configuration to ZooKeeper

To apply a triage configuration, modify the enrichment configuration of the data source (sensor) that the enrichment topology uses. Threat triage rules live in the triageConfig block of the threatIntel section of that configuration; the rest of the file (field mappings, enrichment types) is left unchanged.

  1. Log in as root user to the host on which Metron is installed.

  2. Bring the on-disk copy of the configuration in sync with ZooKeeper before you edit it:

    The configuration in ZooKeeper might differ from the copy on disk (for example, if it was edited elsewhere since the files were last written), and the PUSH in the final step uploads the on-disk copy, so pull the ZooKeeper configuration to disk first. The -f (force) flag overwrites the local files, so save any local edits you still need before running it:

    $METRON_HOME/bin/zk_load_configs.sh -m PULL -z $ZOOKEEPER_HOST:2181 -f -o $METRON_HOME/config/zookeeper
  3. Validate that the enrichment configuration for the data source exists:

    cat $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE.json
  4. In the $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE.json file, add a triageConfig block to the threatIntel section. Each key in riskLevelRules is a Stellar expression that is evaluated against the enriched message, and the value is the score the rule contributes when the expression is true. In the example below, a domain that produced a hit in the zeusList threat intel feed (present on the message as the flattened field named in the exists() call) scores 5, and a domain outside .com and .net scores 10. After the change the threatIntel section looks like this:

    "threatIntel" : {
      "fieldMap" : {
        "hbaseThreatIntel" : [ "domain_without_subdomains" ]
      },
      "fieldToTypeMap" : {
        "domain_without_subdomains" : [ "zeusList" ]
      },
      "config" : { },
      "triageConfig" : {
        "riskLevelRules" : {
          "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)" : 5,
          "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))" : 10
        },
        "aggregator" : "MAX",
        "aggregationConfig" : { }
      }
    }
  5. Ensure that the aggregator field is MAX (the name is uppercase). The aggregator decides how the scores of the rules that fired are combined into the single triage score placed on the message; with MAX the message gets the highest score among the rules that evaluated true, so in the example a domain that is both on the zeusList and outside .com/.net scores 10, not 15.

  6. Push the configuration back to ZooKeeper. PUSH uploads every configuration file under the -i directory, not only the file you edited, which is why the PULL in step 2 matters; confirm the result afterwards with the script's DUMP mode:

    $METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/config/zookeeper
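The edit and checks in steps 2 to 5, as an added Python example that is not part of this page or of Metron: it inserts the triageConfig block into a pulled enrichment configuration without touching the other threatIntel keys, validates the block before it is pushed, and dry-runs the two rules above against constructed messages to show what the MAX aggregator does compared with SUM. The sample configuration and messages are constructed here; the Python predicates only stand in for Metron's Stellar evaluation of these two rules, and the list of accepted aggregator names is an assumption taken from the Metron source tree that you should confirm against your version.

```python
"""Added example (not Metron's own code): build, validate and dry-run the
threatIntel.triageConfig section described in the procedure above."""
import copy
import json

# Constructed sample: enrichments/$DATASOURCE.json as pulled from ZooKeeper,
# before any triage configuration has been added.
BASE_ENRICHMENT_CONFIG = {
    "enrichment": {"fieldMap": {}, "fieldToTypeMap": {}, "config": {}},
    "threatIntel": {
        "fieldMap": {"hbaseThreatIntel": ["domain_without_subdomains"]},
        "fieldToTypeMap": {"domain_without_subdomains": ["zeusList"]},
        "config": {},
    },
}

# The two Stellar rules from the page, keyed by their exact rule text.
ZEUS_FIELD = "threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList"
ZEUS_RULE = f"exists({ZEUS_FIELD})"
TLD_RULE = ("not(ENDS_WITH(domain_without_subdomains, '.com') "
            "or ENDS_WITH(domain_without_subdomains, '.net'))")
RISK_LEVEL_RULES = {ZEUS_RULE: 5, TLD_RULE: 10}

# Aggregator names accepted by Metron's threat triage (assumption taken from the
# Metron source tree; confirm against the version you run). The check is case
# sensitive, so a lowercase "max" is reported as a problem.
KNOWN_AGGREGATORS = {"MAX", "MIN", "SUM", "MEAN", "POSITIVE_MEAN"}


def add_triage_config(config, rules, aggregator="MAX"):
    """Return a copy of the enrichment config with triageConfig set under
    threatIntel; fieldMap, fieldToTypeMap and config are left untouched."""
    cfg = copy.deepcopy(config)
    cfg.setdefault("threatIntel", {})["triageConfig"] = {
        "riskLevelRules": dict(rules),
        "aggregator": aggregator,
        "aggregationConfig": {},
    }
    return cfg


def validate_triage_config(config):
    """Return a list of problems; an empty list means the section is well formed.
    Run this before PUSH, because a malformed file is uploaded as-is."""
    problems = []
    triage = config.get("threatIntel", {}).get("triageConfig")
    if triage is None:
        return ["threatIntel.triageConfig is missing"]
    rules = triage.get("riskLevelRules")
    if not isinstance(rules, dict) or not rules:
        problems.append("riskLevelRules must be a non-empty object of rule -> score")
    else:
        for rule, score in rules.items():
            if isinstance(score, bool) or not isinstance(score, (int, float)):
                problems.append(f"score for rule {rule!r} must be a number")
    if triage.get("aggregator") not in KNOWN_AGGREGATORS:
        problems.append(f"aggregator must be one of {sorted(KNOWN_AGGREGATORS)}")
    return problems


# Dry-run model of triage. Metron evaluates each riskLevelRules key as Stellar
# against the enriched message; these predicates stand in for Stellar and cover
# only the two rules on this page. A threat intel hit shows up on the message
# as the flattened field ZEUS_FIELD.
RULE_EVALUATORS = {
    ZEUS_RULE: lambda m: ZEUS_FIELD in m,
    TLD_RULE: lambda m: not (m.get("domain_without_subdomains", "").endswith(".com")
                             or m.get("domain_without_subdomains", "").endswith(".net")),
}


def aggregate(scores, aggregator):
    """Combine the scores of the rules that fired. MAX, MIN and SUM are modelled;
    the mean-based aggregators are left out of this dry run."""
    if not scores:
        return 0
    if aggregator == "MAX":
        return max(scores)
    if aggregator == "MIN":
        return min(scores)
    if aggregator == "SUM":
        return sum(scores)
    raise NotImplementedError(f"{aggregator} is not modelled in this dry run")


def triage_score(config, message):
    """Score one enriched message with the config's riskLevelRules and aggregator."""
    triage = config["threatIntel"]["triageConfig"]
    fired = [score for rule, score in triage["riskLevelRules"].items()
             if RULE_EVALUATORS[rule](message)]
    return aggregate(fired, triage["aggregator"])


if __name__ == "__main__":
    cfg = add_triage_config(BASE_ENRICHMENT_CONFIG, RISK_LEVEL_RULES)
    assert not validate_triage_config(cfg)
    print(json.dumps(cfg["threatIntel"], indent=2))
    # Constructed messages: a listed .com domain, an unlisted .xyz domain and a
    # domain that trips both rules, scored with MAX and then with SUM.
    samples = {
        "listed .com": {"domain_without_subdomains": "example.com", ZEUS_FIELD: "alert"},
        "unlisted .xyz": {"domain_without_subdomains": "example.xyz"},
        "listed .xyz": {"domain_without_subdomains": "example.xyz", ZEUS_FIELD: "alert"},
    }
    sum_cfg = add_triage_config(BASE_ENRICHMENT_CONFIG, RISK_LEVEL_RULES, aggregator="SUM")
    for label, msg in samples.items():
        print(f"{label:14} MAX={triage_score(cfg, msg):>2}  SUM={triage_score(sum_cfg, msg):>2}")
```

Run the script after the PULL in step 2 to see the section you are about to paste and the effect of the aggregator choice; the validator is the check worth keeping in a pre-PUSH hook, since zk_load_configs.sh uploads whatever is on disk.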