Mapping Fields to HBase Threat Intel by Using the CLI
Defining the threat intelligence topology is very similar to defining the transformation and enrichment topology.
Edit the new data source threat intelligence configuration at
$METRON_HOME/config/zookeeper/enrichments/$DATASOURCE to associate the ip_src_addr with the user enrichment. For example:
{
  "index" : "squid",
  "batchSize" : 1,
  "enrichment" : {
    "fieldMap" : {
      "hbaseEnrichment" : [ "ip_src_addr" ]
    },
    "fieldToTypeMap" : {
      "ip_src_addr" : [ "whois" ]
    },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : { },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : { },
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  },
  "configuration" : { }
}

Push this configuration to ZooKeeper:
$METRON_HOME/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/config/zookeeper
After you have finished enriching the telemetry events, ensure that the enriched data is displaying on the Metron dashboard. For instructions on adding a new telemetry data source to the Metron Dashboard, see Adding a New Data Source.
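
A consistency check that can be run on the configuration before the push; this is an added example, not code from the original page or from the Metron project. It assumes `hbaseThreatIntel` is the threat intel counterpart of the `hbaseEnrichment` key shown above; the function name `check_hbase_mappings` and the type name `malicious_ip` are constructed for illustration.

```python
import json

# HBase adapter key expected under each section's fieldMap.
# "hbaseThreatIntel" is assumed to mirror the "hbaseEnrichment" key from the page.
HBASE_ADAPTERS = {"enrichment": "hbaseEnrichment", "threatIntel": "hbaseThreatIntel"}

def check_hbase_mappings(config):
    """Return findings about fields whose HBase lookup is incompletely mapped."""
    findings = []
    for section, adapter in HBASE_ADAPTERS.items():
        body = config.get(section, {})
        fields = body.get("fieldMap", {}).get(adapter, [])
        types = body.get("fieldToTypeMap", {})
        if not fields:
            findings.append(f"{section}: no fields mapped to {adapter}")
        for field in fields:
            # A field listed for lookup needs at least one type to look up.
            if not types.get(field):
                findings.append(f"{section}: {field} has no type in fieldToTypeMap")
        for field in types:
            # A type with no matching fieldMap entry is never consulted.
            if field not in fields:
                findings.append(f"{section}: {field} has a type but is not in {adapter}")
    return findings

# The configuration from the page, verbatim.
PAGE_CONFIG = json.loads("""
{ "index": "squid", "batchSize": 1,
  "enrichment": { "fieldMap": { "hbaseEnrichment": [ "ip_src_addr" ] },
                  "fieldToTypeMap": { "ip_src_addr": [ "whois" ] }, "config": { } },
  "threatIntel": { "fieldMap": { }, "fieldToTypeMap": { }, "config": { },
                   "triageConfig": { "riskLevelRules": { }, "aggregator": "MAX",
                                     "aggregationConfig": { } } },
  "configuration": { } }
""")

# Constructed variant: ip_src_addr also mapped for threat intel lookups.
MAPPED_CONFIG = json.loads(json.dumps(PAGE_CONFIG))
MAPPED_CONFIG["threatIntel"]["fieldMap"] = {"hbaseThreatIntel": ["ip_src_addr"]}
MAPPED_CONFIG["threatIntel"]["fieldToTypeMap"] = {"ip_src_addr": ["malicious_ip"]}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("constructed", MAPPED_CONFIG)):
        print(name, check_hbase_mappings(cfg) or "OK")
```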

