Defining the threat intelligence topology is very similar to defining the
transformation and enrichment topology.
- Edit the new data source threat intelligence configuration at
$METRON_HOME/config/zookeeper/enrichments/$DATASOURCE
to associate
the ip_src_addr
with the user enrichment.
For example:
{
"index" : "squid",
"batchSize" : 1,
"enrichment" : {
"fieldMap" : {
"hbaseEnrichment" : [ "ip_src_addr" ]
},
"fieldToTypeMap" : {
"ip_src_addr" : [ "whois" ]
},
"config" : { }
},
"threatIntel" : {
"fieldMap" : { },
"fieldToTypeMap" : { },
"config" : { },
"triageConfig" : {
"riskLevelRules" : { },
"aggregator" : "MAX",
"aggregationConfig" : { }
}
},
"configuration" : { }
}
- Push this configuration to ZooKeeper:
$METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/zookeeper
After you have finished enriching the telemetry events, ensure that the enriched data is
displaying on the Metron dashboard.