Hortonworks Docs » Hortonworks Cybersecurity Platform 1.8.0 » Runbook Enriching with Threat Intelligence Information
Runbook Enriching with Threat Intelligence Information
Also available as:
PDF

OPTIONAL: Create a Mock CSV Threat Intel Feed Source

Similar to enrichments, we need to set up a data.csv file, the extractor config JSON, and the enrichment config JSON. For this example, we use a Zeus malware tracker list located here: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist.

Hortonworks Cybersecurity Platform (HCP) is designed to work with STIX/Taxii threat feeds, but can also be bulk loaded with threat data from a CSV file. In this example, we create a mock CSV enrichment source. If your production environment, you will want to use a genuine enrichment source.

  1. Log into the $HOST_WITH_ENRICHMENT_TAG as root.
  2. Copy the contents from the Zeus malware tracker list link to a file called domainblocklist.csv. 
    curl -o domainblocklist.txt https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
    Make sure you don't have an empty newline character as the last line of the CSV file, as that will result in a null pointer exception.
  3. Similarly to enrichment we will need to process this feed into a CSV so we can bulk load it into HBase: 
    cat domainblocklist.txt | grep -v "^#" | grep -v "^$" | grep -v "^https" | awk '{print $1",abuse.ch"}' > domainblocklist.csv
© 2012–2019, Hortonworks, Inc.
Document licensed under the Creative Commons Attribution ShareAlike 4.0 License.
Hortonworks.com | Documentation | Support | Community