Configuring Element-to-Threat Intel Feed Mapping
We now need to configure what element of a tuple should be enriched with what enrichment type.
This configuration is stored in ZooKeeper.
Log in as root user to the host that has Metron installed.
sudo -s
cd $METRON_HOME
Copy and paste the following into a file called enrichment_config_temp.json at $METRON_HOME/config:
{
  "zkQuorum": "ip-10-0-163-99.us-west-1.compute.internal:2181",
  "sensorToFieldList": {
    "squid": {
      "type": "THREAT_INTEL",
      "fieldToEnrichmentTypes": {
        "domain_without_subdomains": ["malicious_ip"]
      }
    }
  }
}
You must specify the following:
The zookeeper quorum which holds the cluster configuration
The mapping between the fields in the enriched documents and the enrichment types.
This configuration allows the ingestion tools to update ZooKeeper after ingestion, so that the enrichment topology can immediately take advantage of the new enrichment type.
Remove any invisible non-ASCII characters that might have been included when you copied and pasted:
iconv -c -f utf-8 -t ascii enrichment_config_temp.json -o enrichment_config.json
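As an added check (example code written for this page, not part of Metron), the following Python script does what the iconv step above does for non-ASCII characters and then validates the structure described above (a zkQuorum string of host:port entries, and a sensorToFieldList mapping of sensor to type and field-to-enrichment-type lists) before the file is pushed to ZooKeeper. The sample configuration is the page's own with two invisible characters deliberately inserted; the ENRICHMENT value in the accepted set of type names is an assumption, the page only uses THREAT_INTEL.

```python
import json

# Accepted values for "type". THREAT_INTEL is the one the page uses; ENRICHMENT
# is assumed here to be the other value Metron's enrichment topology accepts.
VALID_TYPES = {"THREAT_INTEL", "ENRICHMENT"}


def needs_cleanup(text):
    """True when the text carries any non-ASCII code point."""
    return any(ord(ch) >= 128 for ch in text)


def strip_non_ascii(text):
    """Drop every non-ASCII code point, the same effect as `iconv -c -t ascii`."""
    return "".join(ch for ch in text if ord(ch) < 128)


def config_problems(text):
    """Return a list of problems found in an enrichment config; empty means OK.

    The text is cleaned first, because zero-width or non-breaking spaces that
    survive a copy-and-paste are not JSON whitespace and break parsing.
    """
    problems = []
    try:
        cfg = json.loads(strip_non_ascii(text))
    except ValueError as exc:
        return [f"not valid JSON after ASCII cleanup: {exc}"]

    zk = cfg.get("zkQuorum")
    if not isinstance(zk, str) or not zk.strip():
        problems.append("zkQuorum must be a non-empty 'host:port[,host:port]' string")
    else:
        for entry in zk.split(","):
            host, sep, port = entry.strip().rpartition(":")
            if not sep or not host or not port.isdigit():
                problems.append(f"zkQuorum entry {entry.strip()!r} is not host:port")

    sensors = cfg.get("sensorToFieldList")
    if not isinstance(sensors, dict) or not sensors:
        problems.append("sensorToFieldList must map at least one sensor")
        return problems

    for sensor, spec in sensors.items():
        if not isinstance(spec, dict):
            problems.append(f"{sensor}: expected an object")
            continue
        if spec.get("type") not in VALID_TYPES:
            problems.append(f"{sensor}: type must be one of {sorted(VALID_TYPES)}")
        fields = spec.get("fieldToEnrichmentTypes")
        if not isinstance(fields, dict) or not fields:
            problems.append(f"{sensor}: fieldToEnrichmentTypes must map at least one field")
            continue
        for field, types in fields.items():
            if (not isinstance(types, list) or not types
                    or not all(isinstance(t, str) and t for t in types)):
                problems.append(
                    f"{sensor}.{field}: expected a non-empty list of enrichment type names")
    return problems


def enrichment_pairs(text):
    """Flatten a valid config into sorted (sensor, field, enrichment_type) triples.

    Raises ValueError listing every problem if the config is not valid, so
    nothing half-checked reaches ZooKeeper.
    """
    problems = config_problems(text)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = json.loads(strip_non_ascii(text))
    return sorted(
        (sensor, field, etype)
        for sensor, spec in cfg["sensorToFieldList"].items()
        for field, etypes in spec["fieldToEnrichmentTypes"].items()
        for etype in etypes
    )


# Constructed sample: the page's configuration with a zero-width space (U+200B)
# and a non-breaking space (U+00A0) inserted, as a careless paste might do.
SAMPLE = (
    '{ "zkQuorum": "ip-10-0-163-99.us-west-1.compute.internal:2181",\u200b'
    ' "sensorToFieldList": { "squid": { "type": "THREAT_INTEL",\u00a0'
    '"fieldToEnrichmentTypes": { "domain_without_subdomains": ["malicious_ip"] } } } }'
)

# Constructed sample with a quorum entry missing its port, a typo in the type
# name and an empty enrichment type list: three distinct problems.
BAD_SAMPLE = json.dumps({
    "zkQuorum": "zk1:2181,zk2",
    "sensorToFieldList": {
        "squid": {"type": "THREAT_INTELL",
                  "fieldToEnrichmentTypes": {"domain_without_subdomains": []}}
    },
})

if __name__ == "__main__":
    print("problems in SAMPLE:", config_problems(SAMPLE))
    print("mappings:", enrichment_pairs(SAMPLE))
    print("problems in BAD_SAMPLE:", config_problems(BAD_SAMPLE))
```

Run it against the real file with `config_problems(open(path).read())` before the ZooKeeper upload step; an empty list means the cleaned file parses and carries the expected mapping, and `enrichment_pairs` gives a one-line summary of which field of which sensor is enriched with which type, useful for a change log.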