Runbook Enriching with Threat Intelligence Information

Map Fields to HBase Enrichments

Each field the parser emits is listed in the Schema box of the sensor panel, where it can be transformed, enriched, or suppressed.

Now that enrichment data is loaded into the HBase table, you need to map the sensor's fields to it so that the enrichment topology can enrich the messages flowing past. You can refine the parser output through transformations, enrichments, and threat intelligence.

  1. Select the new sensor from the list of sensors on the main window.
  2. Click the pencil icon in the list of tool icons for the new sensor.
    The Management Module displays the sensor panel for the new sensor.
  3. In the Schema box, click the expand window button.
    The Management user interface displays a second panel and populates the panel with message, field, and value information.
    The Sample field, at the top of the panel, displays a parsed version of a sample message from the sensor. The Management UI will test your transformations against these parsed messages.
    You can use the right and left arrow buttons in the Sample field to view the parsed version of each sample message available from the sensor.
  4. You can apply transformations to an existing field or create a new field. Click the edit icon next to a field to apply transformations to that field, or click the plus sign at the bottom of the Schema panel to create a new field.
    Typically users store transformations in a new field rather than overriding existing fields.
    For both options, the Management UI expands the panel with a dialog box containing fields in which you can enter field information.


  5. In the dialog box, enter the name of the new field in the NAME field, choose an input field from the INPUT FIELD box, and choose your transformation from the TRANSFORMATIONS field or enrichment from the ENRICHMENTS field.
    For example, to create a new field containing the upper case version of the method field, do the following:
    1. Enter method-uppercase in the NAME field.
    2. Choose method from the INPUT FIELD.
    3. Choose TO_UPPER in the TRANSFORMATIONS field.
      Your new schema information panel now shows the method-uppercase field with method as its input field and TO_UPPER as its transformation.


  6. Click SAVE in the dialog box to save the new field.
  7. You can suppress fields from showing in the index by clicking the suppress icon next to the field in the Schema panel.
  8. Click SAVE at the bottom of the sensor panel to save the changed sensor configuration.
    The Management UI updates the Schema field with the number of changes applied to the sensor.
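The steps above edit, through the UI, the sensor's parser configuration in ZooKeeper. The following script is an added example for this runbook, not Metron's own code or the Management UI's source: it builds the same kind of change (a STELLAR transformation producing method-uppercase from TO_UPPER(method), and a REMOVE transformation for a suppressed field) and previews it against a constructed sample message the way the Schema panel does. The fieldTransformations layout follows the documented Metron parser config; that the UI implements field suppression as a REMOVE transformation is an assumption, and the three-function Stellar subset is a stand-in for the real Stellar engine.

```python
"""Build the parser-config change the Schema dialog writes and preview it.

Added example, not Metron code. Assumes the Metron parser-config layout
(fieldTransformations holding STELLAR and REMOVE entries) and stands in for
the real Stellar engine with a three-function subset."""
import copy
import json
import re

# Constructed sample: a parsed squid message as the Sample field would show it.
SAMPLE_MESSAGE = {
    "timestamp": 1467011157401,
    "ip_src_addr": "127.0.0.1",
    "method": "get",
    "url": "http://www.cnn.com/",
    "code": 200,
    "source.type": "squid",
}

# Constructed sample: the sensor's parser config before the edit.
BASE_CONFIG = {
    "parserClassName": "org.apache.metron.parsers.GrokParser",
    "sensorTopic": "squid",
    "parserConfig": {"grokPath": "/patterns/squid", "patternLabel": "SQUID_DELIMITED"},
    "fieldTransformations": [],
}

# Stand-in for Stellar: only the functions this preview understands.
_STELLAR_FUNCS = {
    "TO_UPPER": lambda v: str(v).upper(),
    "TO_LOWER": lambda v: str(v).lower(),
    "TRIM": lambda v: str(v).strip(),
}
_CALL = re.compile(r"^\s*([A-Z_]+)\(\s*([A-Za-z0-9_.]+)\s*\)\s*$")


def add_transformation(config, name, input_field, function, sample):
    """Append a STELLAR transformation that writes FUNCTION(input_field) to NAME."""
    if input_field not in sample:
        raise ValueError(f"input field {input_field!r} is not in the sample message")
    if function not in _STELLAR_FUNCS:
        raise ValueError(f"unsupported function {function!r}")
    if name in sample:
        # Permitted, but the runbook advises writing to a new field instead.
        print(f"warning: {name!r} overrides an existing field")
    new = copy.deepcopy(config)
    new["fieldTransformations"].append({
        "transformation": "STELLAR",
        "output": [name],
        "config": {name: f"{function}({input_field})"},
    })
    return new


def suppress_fields(config, fields, sample):
    """Append a REMOVE transformation for fields that should not reach the index
    (assumption: this is how the suppress icon is persisted)."""
    missing = [f for f in fields if f not in sample]
    if missing:
        raise ValueError(f"cannot suppress unknown fields: {missing}")
    new = copy.deepcopy(config)
    new["fieldTransformations"].append({"transformation": "REMOVE", "input": list(fields)})
    return new


def preview(config, message):
    """Apply the config's transformations to one parsed message, as the
    Schema panel does with the Sample message, using the Stellar subset."""
    out = dict(message)
    for t in config["fieldTransformations"]:
        kind = t["transformation"]
        if kind == "STELLAR":
            for field, expr in t["config"].items():
                m = _CALL.match(expr)
                if not m or m.group(1) not in _STELLAR_FUNCS:
                    raise ValueError(f"expression not supported by this preview: {expr}")
                func, arg = m.groups()
                out[field] = _STELLAR_FUNCS[func](out[arg])
        elif kind == "REMOVE":
            for field in t["input"]:
                out.pop(field, None)
        else:
            raise ValueError(f"unknown transformation {kind}")
    return out


if __name__ == "__main__":
    cfg = add_transformation(BASE_CONFIG, "method-uppercase", "method", "TO_UPPER", SAMPLE_MESSAGE)
    cfg = suppress_fields(cfg, ["url"], SAMPLE_MESSAGE)
    print(json.dumps(cfg, indent=2))
    print(preview(cfg, SAMPLE_MESSAGE))
```

Running the script prints the resulting parser config and the transformed sample, in which method-uppercase is "GET", method is untouched, and url has been removed. Checking the input field and any suppressed field against the sample message before saving catches the typos that would otherwise only show up as empty fields in the index.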