Running the Threat Intel Loader
After you have defined the threat intelligence source, threat intelligence extractor, and threat intelligence mapping configuration, run the loader to move the data from the threat intelligence source to the Metron threat intelligence store and to store the enrichment configuration in ZooKeeper.
Log in to $HOST_WITH_ENRICHMENT_TAG as root.
Run the loader:
$METRON_HOME/bin/flatfile_loader.sh -n enrichment_config.json -i domainblocklist.csv -t threatintel -c t -e extractor_config.json
This command adds the threat intelligence data into HBase and establishes a ZooKeeper mapping. The data is extracted using the extractor and configuration defined in the extractor_config.json file and populated into an HBase table called threatintel.
Verify that the logs were properly ingested into HBase:
hbase shell
scan 'threatintel'
You should see a configuration for the sensor that looks something like the following:
Generate some data to populate the Metron Dashboard.
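A pre-flight check for the three files passed to flatfile_loader.sh above, as an added example that is not part of the original page or the Metron project's code. It assumes the CSV extractor layout (config.columns as a name-to-index map, indicator_column, type, separator) and the enrichment layout (sensorToFieldList, fieldToEnrichmentTypes); the function name preflight and all sample values are constructed.

```python
import csv
import io
import json

def preflight(extractor_json, enrichment_json, csv_text):
    """Return a list of problems to fix before running flatfile_loader.sh."""
    problems = []
    ext = json.loads(extractor_json)
    enr = json.loads(enrichment_json)
    cfg = ext.get("config", {})
    columns = cfg.get("columns", {})          # assumed form: {"name": index}
    indicator = cfg.get("indicator_column")
    intel_type = cfg.get("type")

    if ext.get("extractor") != "CSV":
        problems.append("extractor is not CSV")
    # The enrichment type named in the extractor must be referenced by a
    # sensor field, or lookups never match the rows loaded into HBase.
    referenced = {t for sensor in enr.get("sensorToFieldList", {}).values()
                  for types in sensor.get("fieldToEnrichmentTypes", {}).values()
                  for t in types}
    if intel_type not in referenced:
        problems.append(f"type {intel_type!r} not referenced by any sensor field")
    if indicator not in columns:
        problems.append(f"indicator_column {indicator!r} not in columns")
        return problems                        # rows cannot be checked without it

    width = max(columns.values()) + 1
    reader = csv.reader(io.StringIO(csv_text), delimiter=cfg.get("separator", ","))
    for n, row in enumerate(reader, 1):
        if not row:
            continue                           # blank line
        if len(row) < width:
            problems.append(f"line {n}: expected {width} fields, got {len(row)}")
        elif not row[columns[indicator]].strip():
            problems.append(f"line {n}: empty indicator")
    return problems

# Constructed sample inputs (not from the original page).
EXTRACTOR = json.dumps({"extractor": "CSV", "config": {
    "columns": {"domain": 0, "source": 1}, "indicator_column": "domain",
    "type": "domainblocklist", "separator": ","}})
ENRICHMENT = json.dumps({"zkQuorum": "localhost:2181", "sensorToFieldList": {
    "bro": {"type": "THREAT_INTEL",
            "fieldToEnrichmentTypes": {"url": ["domainblocklist"]}}}})
SAMPLE_CSV = "bad.example.test,constructed_feed\nshort-row\n,constructed_feed\n"

if __name__ == "__main__":
    for p in preflight(EXTRACTOR, ENRICHMENT, SAMPLE_CSV):
        print(p)
```

An empty result means the files are consistent with each other; it does not confirm that the rows reached HBase, which the scan step still verifies.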