After you fetch the latest OpenTAXII feeds to the OpenTAXII server, you must create an
extractor configuration file to bulk load the threat intelligence enrichment store into
HBase.
-
Log in as root to the host on which Metron is installed.
-
Determine the schema of the threat intelligence source.
The schema of our mock enrichment source is
domain|owner|registeredCountry|registeredTimestamp.
-
Create an extractor configuration file called
threatintel_extractor_config_temp.json
at
$METRON_HOME/config
and populate it with the threat intelligence
source schema:
{
"config" : {
"columns" : {
"ip" : 0
}
,"indicator_column" : "ip"
,"type" : "malicious_ip"
,"separator" : ","
}
,"extractor" : "STIX"
}
-
Remove any non-ASCII invisible characters that might have been included if you
copy and pasted:
iconv -c -f utf-8 -t ascii threatintel_extractor_config_temp.json -o
threatintel_extractor_config.json