Hortonworks Cybersecurity Platform

OPTIONAL: Create a Mock Threat Intel Feed Source

For this example, we use a Zeus malware tracker list located here: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist.

Metron is designed to work with STIX/TAXII threat feeds, but it can also be bulk loaded with threat data from a CSV file; this example walks through the CSV case. The same loader framework used for enrichment is used for threat intelligence, so, as with enrichments, you need a data.csv file, an extractor config JSON file, and an enrichment config JSON file.

  1. Log into the $HOST_WITH_ENRICHMENT_TAG as root.
  2. Copy the contents from the Zeus malware tracker list link to a file called domainblocklist.csv.
    curl "https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist" | grep -v "^#" | grep -v "^$" | grep -v "^https" | awk '{print $1",abuse.ch"}' > domainblocklist.csv
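The grep/awk pipeline above trusts every non-comment line of the feed. The following shell function is an added example, not part of the Hortonworks documentation or of Metron, that performs the same conversion to the `domain,abuse.ch` CSV layout but also strips CRLF endings and surrounding whitespace, lowercases, rejects lines that are not syntactically a domain, and drops duplicates, so a malformed or repeated feed line cannot end up as a threat intel key in the enrichment store. The function names `blocklist_to_csv` and `domainblocklist_csv` and the `SAMPLE_FEED` contents are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of a domain blocklist in the abuse.ch style: comment
# lines, a blank line, a duplicate differing only in case, a full URL and a
# malformed entry. None of these are real indicators.
SAMPLE_FEED='# Domain blocklist sample (constructed, not real indicators)
# Generated for illustration

example-bad.test
EXAMPLE-BAD.test
https://example-bad.test/path
sub.example-evil.test
not a domain!
other.example-evil.test
'

# blocklist_to_csv SOURCE < feed > csv
# Emits "domain,SOURCE" rows: drops comments, blank lines and full URLs,
# strips CR and surrounding whitespace, lowercases, validates the domain
# syntax and removes duplicates while preserving feed order.
blocklist_to_csv() {
    src="$1"
    tr -d '\r' | awk -v src="$src" '
        /^[ \t]*#/ { next }                        # comment line
        /^[ \t]*$/ { next }                        # blank line
        /^https?:\/\// { next }                    # full URL, not a bare domain
        {
            gsub(/^[ \t]+|[ \t]+$/, "")
            d = tolower($0)
            # two or more labels of [a-z0-9-] joined by dots, nothing else
            if (d !~ /^[a-z0-9-]+(\.[a-z0-9-]+)+$/) { next }
            if (seen[d]++) { next }                # already emitted
            print d "," src
        }'
}

# Worked run over the constructed sample. With a live feed, the curl output
# from the step above would be piped into blocklist_to_csv instead.
domainblocklist_csv() {
    printf '%s' "$SAMPLE_FEED" | blocklist_to_csv "abuse.ch"
}
```

Redirect the output of `domainblocklist_csv` to domainblocklist.csv to obtain the file the next steps expect.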