Runbook Enriching with Threat Intelligence Information
Also available as:
PDF

Configure a TAXII Extractor Configuration File

After you fetch the latest OpenTAXII feeds to the OpenTAXII server, you must create an extractor configuration file to bulk load the threat intelligence enrichment store into HBase.

  1. Log in as root to the host on which Metron is installed.
    sudo -s $METRON_HOME
  2. Determine the schema of the threat intelligence source.
    The schema of our mock enrichment source is domain|owner|registeredCountry|registeredTimestamp.
  3. Create an extractor configuration file called threatintel_extractor_config_temp.json at $METRON_HOME/config and populate it with the threat intelligence source schema:
    {
    "config" : {
        "columns" : {
            "ip" : 0
        }
        ,"indicator_column" : "ip"
        ,"type" : "malicious_ip"
        ,"separator" : ","
      }
      ,"extractor" : "STIX"
    } 
    
  4. Remove any non-ASCII invisible characters that might have been included if you copy and pasted:
    iconv -c -f utf-8 -t ascii threatintel_extractor_config_temp.json -o threatintel_extractor_config.json