Hi Michael,

I'd say it'd make sense to expose the mandatory extractor JSON configuration elements as input fields in the UI, as well as the mandatory command line arguments of the flatfile uploader. A text area would serve as the input data field.

To answer your question: This could then be used for any enrichment upload scenario. However, for the black/whitelist scenario it would also be important to have the capability to delete single entries. At the moment I'm doing this with a combination of using dedicated HBase tables and/or column families and/or the HBase TTL, and that's a tedious process.

Scripting/automating this process is one option; having a GUI for "black/whitelisting" (or more generally for all kinds of enrichments) could help operators who are not familiar with HBase, are not comfortable with a command line interface, or are simply lazy. In addition, I think this will accelerate the process of onboarding new enrichment sources, checking whether the enrichment is actually useful, and finally using it, even for those who are not part of any of the above groups of people.

Best,
Stefan

On Thu, Dec 20, 2018 at 15:31, Michael Miklavcic <[email protected]> wrote:

> Would you see this utilized exclusively for test purposes, or should we
> look at this as a general feature req to expose our enrichment loading in
> the UI? To that end, does it make sense to make this broader than
> whitelists and blacklists?
>
> On Thu, Dec 20, 2018 at 2:30 AM Stefan Kupstaitis-Dunkler <
> [email protected]> wrote:
>
>> Dear Metron community,
>>
>> I think it would be useful to have a graphical interface in Metron to
>> manage whitelists and blacklists. This is especially useful for lists that
>> are small (but not small enough for the enrichment config), that might
>> change rather often and for testing purposes.
>>
>> The existing process of uploading lists as an enrichment source to HBase
>> is wonderful (and absolutely required) for automation and for larger lists,
>> but security operators often want to manage smaller lists themselves in a
>> more appealing interface - especially if it's just about adding or removing
>> a few entries from the list at a time.
>>
>> What do you think?
>> Would this be an appropriate addition (feature request) to the platform?
>>
>> Best,
>> Stefan
