Hortonworks Cybersecurity Platform
Also available as:
PDF
loading table of contents...

Configure Mapping for the Intelligence Feed

After you configure an extractor configuration file, you must configure which element of a tuple to cross-reference with which threat intelligence feed. This configuration is stored in ZooKeeper.

  1. On the host with Metron installed, log in as root.
  2. Cut and paste the following file into a file called enrichment_config_temp.json:
    {
         "zkQuorum" : "$ZOOKEEPER_HOST:2181"
        ,"sensorToFieldList" : {
         "$DATASOURCE" : {
              "type" : "THREAT_INTEL"
             ,"fieldToEnrichmentTypes" : {
                   "domain_without_subdomains" : [ "zeusList" ]
              }
         }
       }
    }
    
  3. Remove any non-ASCII invisible characters in the pasted syntax in Step 2:
    iconv -c -f utf-8 -t ascii enrichment_config_temp.json -o enrichment_config.json