Configure TAXII Extractor Configuration File

After you fetch the latest Hail a TAXII feeds to the TAXII server, you must create an extractor configuration file to bulk load the threat intelligence enrichment store into HBase.

  1. Log in as root to the host on which Metron is installed.
    sudo -s $METRON_HOME
  2. Determine the schema of the threat intelligence source.
    The schema of our mock enrichment source is domain|owner|registeredCountry|registeredTimestamp.
  3. Create an extractor configuration file called threatintel_extractor_config_temp.json at $METRON_HOME/config and populate it with the threat intelligence source schema:
    "config" : {
        "columns" : {
            "ip" : 0
        ,"indicator_column" : "ip"
        ,"type" : "malicious_ip"
        ,"separator" : ","
      ,"extractor" : "STIX"
  4. Remove any non-ASCII invisible characters that might have been included if you copy and pasted:
    iconv -c -f utf-8 -t ascii threatintel_extractor_config_temp.json -o threatintel_extractor_config.json