You use the extractor configuration file to bulk load the threat intelligence
enrichment store into HBase.
-
Log in as root to the host on which Metron is installed.
-
Determine the schema of the threat intelligence source.
The schema of our mock enrichment source is:
-
Create an extractor configuration file called
threatintel_extractor_config_temp.json
at
$METRON_HOME/config
and populate it with the threat intelligence
source schema:
{
"config" : {
"columns" : {
"domain" : 0
,"source" : 1
}
,"indicator_column" : "domain"
,"type" : "zeusList"
,"separator" : ","
}
,"extractor" : "CSV"
}
-
Remove any non-ASCII invisible characters that might have been included if you
copy and pasted:
iconv -c -f utf-8 -t ascii threatintel_extractor_config_temp.json -o
threatintel_extractor_config.json