Hortonworks Cybersecurity Platform
Also available as:
PDF
loading table of contents...

Map Fields to HBase Threat Intel by Using the CLI

Defining the threat intelligence topology is very similar to defining the transformation and enrichment topology.

  1. Edit the new data source threat intelligence configuration at $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE to associate the ip_src_addr with the user enrichment.
    For example:
    {
      "index" : "squid",
      "batchSize" : 1,
      "enrichment" : {
        "fieldMap" : {
          "hbaseEnrichment" : [ "ip_src_addr" ]
        },
        "fieldToTypeMap" : {
          "ip_src_addr" : [ "whois" ]
        },
        "config" : { }
      },
      "threatIntel" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { },
        "triageConfig" : {
          "riskLevelRules" : { },
          "aggregator" : "MAX",
          "aggregationConfig" : { }
        }
      },
      "configuration" : { }
    }
  2. Push this configuration to ZooKeeper:
    $METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/zookeeper

After you have finished enriching the telemetry events, ensure that the enriched data is displaying on the Metron dashboard.