Map Fields to HBase Threat Intel by Using the Management Module
Defining the threat intelligence topology is very similar to defining the transformation and enrichment topology.
- Select the new sensor from the list of sensors on the main window.
- Click the pencil icon in the list of tool icons for the new sensor.
The Management module displays the sensor panel for the new sensor.
In the Schema box, click (expand window button).
The Management module displays a second panel and populates the panel with message, field, and value information.The Sample field, at the top of the panel, displays a parsed version of a sample message from the sensor. The Management module will test your threat intelligence against these parsed messages.You can use the right and left arrow buttons in the Sample field to view the parsed version of each sample message available from the sensor.
- You can apply threat intelligence to an existing field or create a new field. Click the (edit
icon) next to a field to apply transformations to that field. Or click (plus sign) at the bottom of the Schema panel to create new
Typically users choose to create and transform a new field, rather than transforming an existing field.For both options, the Management module expands the panel with a dialog box containing fields in which you can enter field information.
- In the dialog box, enter the name of the new field in the NAME field, choose an input field from the INPUT FIELD box, and choose your transformation from the THREAT INTEL field .
- Click SAVE to save your changes.
- You can suppress fields from the Index by clicking (suppress icon).
- Click SAVE to save the changed information.
The Management module updates the Schema field with the number of changes applied to the sensor.
After you have finished enriching the telemetry events, ensure that the enriched data is displaying on the Metron dashboard.