Configure Mapping for the Intelligence Feed
This step configures which element of a tuple to cross-reference with which threat intelligence feed. This configuration is stored in ZooKeeper.
On the host with Metron installed, log in as root.
Cut and paste the following file into a file called
enrichment_config_temp.json
":{ "zkQuorum" : "$ZOOKEEPER_HOST:2181" ,"sensorToFieldList" : { "$DATASOURCE" : { "type" : "THREAT_INTEL" ,"fieldToEnrichmentTypes" : { "domain_without_subdomains" : [ "zeusList" ] } } } }
Remove any non-ASCII invisible characters in the pasted syntax in Step 2:
iconv -c -f utf-8 -t ascii enrichment_config_temp.json -o enrichment_config.json