Configure an Extractor Configuration File
You use the extractor configuration file to bulk load the enrichment store into HBase.
-
Log in as root to the host on which Metron is installed.
sudo -s $METRON_HOME
-
Determine the schema of the threat intelligence source.
The schema of our mock enrichment source is domain|owner|registeredCountry|registeredTimestamp.
-
Create an extractor configuration file called
threatintel_extractor_config_temp.json
at$METRON_HOME/config
and populate it with the threat intelligence source schema:{ "config" : { "columns" : { "domain" : 0 ,"source" : 1 } ,"indicator_column" : "domain" ,"type" : "zeusList" ,"separator" : "," } ,"extractor" : "CSV" }
-
Remove any non-ASCII invisible characters that might have been included if you
copy and pasted:
iconv -c -f utf-8 -t ascii threatintel_extractor_config_temp.json -o threatintel_extractor_config.json