Sensor Configuration
You can use the sensor-specific configuration to configure the individual enrichments and threat intelligence enrichments for a given sensor type (for example, Snort). The sensor configuration format is a JSON object stored in Apache ZooKeeper.
The sensor enrichment configuration uses the following fields:
- fieldToTypeMap
- In the case of a simple HBase enrichment (a key/value lookup), the mapping between
fields and the enrichment types associated with those fields must be known. This
enrichment type is used as part of the HBase key. Note: applies to hbaseEnrichment
only.
| `"fieldToTypeMap" : { "ip_src_addr" : [ "asset_enrichment" ] }` |
- fieldMap
- The map of enrichment bolts names to configuration handlers which know how to divide
the message. The simplest of which is just a list of fields. More complex examples
would be the Stellar enrichment which provides tellar statements. Each field listed in
the array arg is sent to the enrichment referenced in the key. Cardinality of fields
to enrichments is many-to-many.
| `"fieldMap": {"hbaseEnrichment": ["ip_src_addr","ip_dst_addr"]}` |
- config
- The general configuration for the enrichment.
The `config` map is intended
to house enrichment specific configuration. For instance, for
hbaseEnrichment
, the mappings between the enrichment types to the column
families is specified.
The
fieldMap
contents are of interest because they contain the routing and
configuration information for the enrichments. When we say 'routing', we mean how the
messages get split up and sent to the enrichment adapter bolts.
The simplest, by far, is just providing a simple list as in
"fieldMap": { "geo": [ "ip_src_addr", "ip_dst_addr" ], "host": [ "ip_src_addr", "ip_dst_addr" ], "hbaseEnrichment": [ "ip_src_addr", "ip_dst_addr" ] }
Based on this sample config,
both ip_src_addr
and ip_dst_addr
will go to the `geo`,
`host`, and `hbaseEnrichment` adapter bolts.