Sensor Configuration
You can use the sensor-specific configuration to configure the individual enrichments and threat intelligence enrichments for a given sensor type (for example, Snort). The sensor configuration format is a JSON object stored in Apache ZooKeeper.
The sensor enrichment configuration uses the following fields:
fieldToTypeMap
- In the case of a simple HBase enrichment (a key/value lookup), the mapping between fields and the enrichment types associated with those fields must be known. This enrichment type is used as part of the HBase key. Note: applies to hbaseEnrichment only. | `"fieldToTypeMap" : { "ip_src_addr" : [ "asset_enrichment" ] }` |fieldMap
- The map of enrichment bolts names to configuration handlers which know how to divide the message. The simplest of which is just a list of fields. More complex examples would be the Stellar enrichment which provides Stellar statements. Each field listed in the array arg is sent to the enrichment referenced in the key. Cardinality of fields to enrichments is many-to-many. | `"fieldMap": {"hbaseEnrichment": ["ip_src_addr","ip_dst_addr"]}` |config
- The general configuration for the enrichment.
The config
map is intended to house enrichment specific
configuration. For instance, for the hbaseEnrichment
, the mappings
between the enrichment types to the column families is specified.
The fieldMap
contents are of interest because they contain the
routing and configuration information for the enrichments. When we say 'routing', we mean
how the messages get split up and sent to the enrichment adapter bolts.
The simplest, by far, is just providing a simple list as in:
"fieldMap": { "geo": [ "ip_src_addr", "ip_dst_addr" ], "host": [ "ip_src_addr", "ip_dst_addr" ], "hbaseEnrichment": [ "ip_src_addr", "ip_dst_addr" ] }
Based on this sample config, both ip_src_addr
and
ip_dst_addr
will go to the geo
,
host
, and hbaseEnrichment
adapter bolts.