Hortonworks Cybersecurity Platform
Also available as:
loading table of contents...

Configure Element-to-Threat Intelligence Feed Mapping

You now need to configure what element of a tuple should be enriched with what enrichment type. This configuration is stored in ZooKeeper.

  1. Log in as root user to the host that has Metron installed.
    sudo -s $METRON_HOME
  2. Copy and paste the following into a file called threatintel_config_temp.json at $METRON_HOME/config.
      "zkQuorum" : "localhost:2181"
     ,"sensorToFieldList" : {
        "squid" : {
               "type" : "THREAT_INTEL"
              ,"fieldToEnrichmentTypes" : {
                 "domand_without_subdomains" : [ "zeusList" ]
    This step configures which element of a tuple to cross-reference with which threat intelligence feed. This configuration is stored in ZooKeeper.
    You must specify the following:
    • The ZooKeeper quorum which holds the cluster configuration
    • The mapping between the fields in the enriched documents and the enrichment types.
    This configuration allows the ingestion tools to update ZooKeeper post-ingestion so that the enrichment topology can take advantage immediately of the new type.
  3. Remove any non-ASCII invisible characters that might have been included if you copy and pasted:
    iconv -c -f utf-8 -t ascii threat_intel_config_temp.json -o threat_intel_config.json