Run Book - Technical Preview

Configuring Element-to-Threat Intel Feed Mapping

We now need to configure what element of a tuple should be enriched with what enrichment type.

This configuration is stored in ZooKeeper.

  1. Log in as root user to the host that has Metron installed.

    sudo -s             # open a root shell
    cd $METRON_HOME     # work from the Metron install directory
  2. Copy and paste the following into a file called enrichment_config_temp.json at $METRON_HOME/config.

    {
      "zkQuorum": "ip-10-0-163-99.us-west-1.compute.internal:2181",
      "sensorToFieldList": {
        "squid": {
          "type": "THREAT_INTEL",
          "fieldToEnrichmentTypes": {
            "domain_without_subdomains": ["malicious_ip"]
          }
        }
      }
    }

    You must specify the following:

    • The ZooKeeper quorum that holds the cluster configuration.

    • The mapping between the fields in the enriched documents and the enrichment types.

    This configuration allows the ingestion tools to update ZooKeeper post-ingestion so that the enrichment topology can immediately take advantage of the new type.

  3. Remove any non-ASCII invisible characters that might have been included if you copied and pasted:

    iconv -c -f utf-8 -t ascii enrichment_config_temp.json -o enrichment_config.json
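
The following script is an added example, not part of the run book or of Metron itself. It does in Python what steps 2 and 3 do by hand: it strips every non-ASCII code point the way `iconv -c -f utf-8 -t ascii` does, parses the result as JSON, and checks that the document has the shape the run book describes (a `zkQuorum` of `host:port` members and a `sensorToFieldList` whose entries carry a `type` and a `fieldToEnrichmentTypes` map). The set of accepted `type` values is an assumption: `THREAT_INTEL` is what the run book uses, and `ENRICHMENT` is assumed here as the other Metron enrichment type. The ZooKeeper host in the sample is a placeholder, and the invisible characters in it are constructed to show why step 3 exists.

```python
import json
import re

# Enrichment types this validator accepts. THREAT_INTEL comes from the run
# book; ENRICHMENT is assumed to be the other Metron type.
ALLOWED_TYPES = {"THREAT_INTEL", "ENRICHMENT"}

# One ZooKeeper quorum member: hostname or address, colon, port.
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def scrub_non_ascii(text: str) -> str:
    """Drop every non-ASCII code point, mirroring `iconv -c -f utf-8 -t ascii`.

    Zero-width spaces and non-breaking spaces that ride along with a copy and
    paste are invisible in an editor but are not JSON whitespace, so json.loads
    (and the Metron loader) reject the file.
    """
    return "".join(ch for ch in text if ord(ch) < 128)


def parses_as_is(text: str) -> bool:
    """True if the text is accepted by json.loads without scrubbing."""
    try:
        json.loads(text)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False


def validate_enrichment_config(cfg) -> list:
    """Return the list of problems found in a parsed config (empty means OK)."""
    problems = []
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]

    quorum = cfg.get("zkQuorum")
    if not isinstance(quorum, str) or not quorum:
        problems.append("zkQuorum must be a non-empty string")
    else:
        for member in quorum.split(","):
            if not HOST_PORT.match(member.strip()):
                problems.append(f"zkQuorum member {member!r} is not host:port")

    sensors = cfg.get("sensorToFieldList")
    if not isinstance(sensors, dict) or not sensors:
        problems.append("sensorToFieldList must be a non-empty object")
        return problems

    for sensor, spec in sensors.items():
        if not isinstance(spec, dict):
            problems.append(f"{sensor}: entry must be an object")
            continue
        if spec.get("type") not in ALLOWED_TYPES:
            problems.append(f"{sensor}: type must be one of {sorted(ALLOWED_TYPES)}")
        mapping = spec.get("fieldToEnrichmentTypes")
        if not isinstance(mapping, dict) or not mapping:
            problems.append(f"{sensor}: fieldToEnrichmentTypes must be a non-empty object")
            continue
        for field, types in mapping.items():
            if (not isinstance(types, list) or not types
                    or not all(isinstance(t, str) and t for t in types)):
                problems.append(f"{sensor}.{field}: must map to a non-empty list of type names")
    return problems


def load_enrichment_config(text: str) -> dict:
    """Scrub, parse and validate; raise ValueError listing every problem found."""
    cfg = json.loads(scrub_non_ascii(text))
    problems = validate_enrichment_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return cfg


# Constructed sample: the run book's squid mapping with a zero-width space
# (U+200B) and a non-breaking space (U+00A0) smuggled in after two commas,
# as a copy and paste from a web page can do. The host is a placeholder.
SAMPLE_WITH_INVISIBLES = (
    '{\n'
    '  "zkQuorum": "zk-placeholder.example.internal:2181",\n'
    '  "sensorToFieldList": {\n'
    '    "squid": {\n'
    '      "type": "THREAT_INTEL",\u200b\n'
    '      "fieldToEnrichmentTypes": {\u00a0\n'
    '        "domain_without_subdomains": ["malicious_ip"]\n'
    '      }\n'
    '    }\n'
    '  }\n'
    '}\n'
)

if __name__ == "__main__":
    print("parses before scrub:", parses_as_is(SAMPLE_WITH_INVISIBLES))
    print(json.dumps(load_enrichment_config(SAMPLE_WITH_INVISIBLES), indent=2))
```

Run it against `enrichment_config_temp.json` before the `iconv` step to see the parse fail, and against `enrichment_config.json` afterwards to confirm the mapping that will be pushed to ZooKeeper is the one you intended; a typo in a field name here silently produces an unenriched field rather than an error in the topology.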