Runbook Enriching with Threat Intelligence Information

Configure a CSV Extractor Configuration File

You use the extractor configuration file to bulk load the threat intelligence enrichment store into HBase.

  1. Log in as root to the host on which Metron is installed.
    sudo -s $METRON_HOME
  2. Determine the schema of the threat intelligence source.
    The schema of our mock enrichment source is:
    domain | source
  3. Create an extractor configuration file called threatintel_extractor_config_temp.json at $METRON_HOME/config and populate it with the threat intelligence source schema:
    {
      "config": {
        "columns": {
          "domain": 0,
          "source": 1
        },
        "indicator_column": "domain",
        "type": "zeusList",
        "separator": ","
      },
      "extractor": "CSV"
    }

  4. Remove any non-ASCII invisible characters that might have been included if you copied and pasted the file contents:
    iconv -c -f utf-8 -t ascii threatintel_extractor_config_temp.json -o threatintel_extractor_config.json
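As an added illustration (not Metron's own Java extractor), the following Python applies an extractor config of the shape above to a constructed mock feed, after dropping non-ASCII characters the way step 4's iconv -c does; the record shape it emits (indicator, type, enrichment fields) is an assumption.

```python
"""Illustrates how the CSV extractor config maps rows of a threat intelligence
feed to indicator records. Added example, not Metron's own extractor; the
output record shape is an assumption."""
import csv
import io
import json

# Constructed copy of the extractor config with a stray non-breaking space
# (U+00A0), the kind of invisible character step 4 strips with iconv -c.
# json.loads() rejects it unless it is removed first.
CONFIG_TEXT = (
    '{"config": {"columns": {"domain": 0, "source": 1},\n'
    '\u00a0"indicator_column": "domain", "type": "zeusList", "separator": ","},\n'
    ' "extractor": "CSV"}'
)

# Constructed mock feed matching the "domain | source" schema.
FEED_TEXT = "bad.example,zeus_tracker\ngood.example,manual\n\n"


def load_extractor_config(text):
    """Drop non-ASCII characters (as `iconv -c ... -t ascii` does), then parse."""
    cleaned = text.encode("ascii", errors="ignore").decode("ascii")
    cfg = json.loads(cleaned)
    if cfg.get("extractor") != "CSV":
        raise ValueError("only the CSV extractor is handled here")
    inner = cfg["config"]
    if inner["indicator_column"] not in inner["columns"]:
        raise ValueError("indicator_column must be one of the declared columns")
    return inner


def extract_indicators(config, feed_text):
    """Return one (indicator, type, enrichment) record per non-empty CSV row."""
    columns = config["columns"]
    indicator_col = config["indicator_column"]
    records = []
    reader = csv.reader(io.StringIO(feed_text), delimiter=config["separator"])
    for row in reader:
        if not row:
            continue  # blank feed line
        if len(row) <= max(columns.values()):
            raise ValueError(f"row has too few fields: {row!r}")
        fields = {name: row[idx].strip() for name, idx in columns.items()}
        enrichment = {k: v for k, v in fields.items() if k != indicator_col}
        records.append((fields[indicator_col], config["type"], enrichment))
    return records


if __name__ == "__main__":
    for rec in extract_indicators(load_extractor_config(CONFIG_TEXT), FEED_TEXT):
        print(rec)
```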