Runbook Enriching with Threat Intelligence Information
Also available as:
PDF

Configure Element-to-Threat Intelligence Feed Mapping

You now need to configure what element of a tuple should be enriched with what enrichment type. This configuration is stored in ZooKeeper.

  1. Log in as root user to the host that has Metron installed.
    sudo -s $METRON_HOME
  2. Copy and paste the following into a file called threatintel_config_temp.json at $METRON_HOME/config.
    {
      "zkQuorum" : "localhost:2181"
     ,"sensorToFieldList" : {
        "squid" : {
               "type" : "THREAT_INTEL"
              ,"fieldToEnrichmentTypes" : {
                 "domand_without_subdomains" : [ "zeusList" ]
                                          }
                  }
                            }
    }
    The threatintel_config_temp.json file causes HCP to look up the value of the field in the HBase enrichment. If the field is found, HCP adds the HBase field values as new enrichments to the event.
    You must specify the following:
    • The ZooKeeper quorum which holds the cluster configuration
    • The mapping between the fields in the enriched documents and the enrichment types.
    This configuration allows the ingestion tools to update ZooKeeper post-ingestion so that the enrichment topology can take advantage immediately of the new type.
  3. Remove any non-ASCII invisible characters that might have been included if you copy and pasted:
    iconv -c -f utf-8 -t ascii threatintel_config_temp.json -o threatintel_config.json