Configure Element-to-Threat Intelligence Feed Mapping
You now need to configure what element of a tuple should be enriched with what enrichment type. This configuration is stored in ZooKeeper.
-
Log in as root user to the host that has Metron installed.
sudo -s $METRON_HOME
-
Copy and paste the following into a file called
threatintel_config_temp.json
at $METRON_HOME/config.{ "zkQuorum" : "localhost:2181" ,"sensorToFieldList" : { "squid" : { "type" : "THREAT_INTEL" ,"fieldToEnrichmentTypes" : { "domand_without_subdomains" : [ "zeusList" ] } } } }
This step configures which element of a tuple to cross-reference with which threat intelligence feed. This configuration is stored in ZooKeeper.You must specify the following:- The ZooKeeper quorum which holds the cluster configuration
- The mapping between the fields in the enriched documents and the enrichment types.
This configuration allows the ingestion tools to update ZooKeeper post-ingestion so that the enrichment topology can take advantage immediately of the new type. -
Remove any non-ASCII invisible characters that might have been included if you
copy and pasted:
iconv -c -f utf-8 -t ascii threat_intel_config_temp.json -o threat_intel_config.json