Hi, I've deployed Metron alongside the current Ambari version using the Metron HDP3.1 support provided by a branch in the GitHub project.
Fast forward, I'm testing Metron:
1. I've deployed a custom CSV parser with 3 fields (2 dummy fields and an IP field). The parser works fine.
2. Created a custom template for my sensor with the required fields (guid, ip_src_addr, ip_dst_addr, ...) for Elasticsearch for the pattern indexes. Works fine, even Metron can recognize the indexes.
3. Created a custom Threat Intel source (extractor enrichment config JSON files, and the CSV content file). Also works fine, I've tested it using Stellar with the ENRICHMENT_GET function, returning the content I wrote in the CSV file.
4. Configured Threat Triage for the sensor with the rule "ip_src_addr == '<an IP I specified in the CSV file>'" and the score of 5. Doesn't work... The data in the Elasticsearch index is still being issued without the threat score.
The enrichment config of the threat intel source:
{
  "zkQuorum" : "XXXXXXXX:XXXX",
  "sensorToFieldList": {
    "xcsvtest": {
      "type": "THREAT_INTEL",
      "fieldToEnrichmentTypes": {
        "ip_src_addr" : ["testList"]
      }
    }
  }
}
My enrichment configuration:
{
  "enrichment": {
    "fieldMap": {
      "geo": [
        "ip_src_addr"
      ]
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {
      "ip_src_addr": [
        "testList"
      ]
    },
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "All_threat",
          "comment": "",
          "rule": "ip_src_addr == '8.8.8.8' ",
          "reason": null,
          "score": "5"
        }
      ],
      "aggregator": "MAX",
      "aggregationConfig": {}
    }
  },
  "configuration": {}
}
Appreciate any help.
Thanks
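As an added example (not code from the original post and not Metron's own validation), a small Python cross-check of the two configs in the post: it flags mismatches between what the extractor config loads for the sensor and what the sensor's threatIntel / triageConfig expects. The check logic and the message wording are my own assumptions about what is worth verifying when a triage rule never fires; the configs are embedded as constructed sample input.

```python
# Both JSON documents from the post, embedded here as constructed sample input
# (the zkQuorum value is a placeholder, as in the post).
EXTRACTOR_CONFIG = {
    "zkQuorum": "XXXXXXXX:XXXX",
    "sensorToFieldList": {
        "xcsvtest": {"type": "THREAT_INTEL",
                     "fieldToEnrichmentTypes": {"ip_src_addr": ["testList"]}}}}
ENRICHMENT_CONFIG = {
    "enrichment": {"fieldMap": {"geo": ["ip_src_addr"]}, "fieldToTypeMap": {}, "config": {}},
    "threatIntel": {
        "fieldMap": {}, "fieldToTypeMap": {"ip_src_addr": ["testList"]}, "config": {},
        "triageConfig": {
            "riskLevelRules": [{"name": "All_threat", "comment": "",
                                "rule": "ip_src_addr == '8.8.8.8' ", "reason": None, "score": "5"}],
            "aggregator": "MAX", "aggregationConfig": {}}},
    "configuration": {}}

def triage_consistency_issues(extractor_cfg, enrichment_cfg, sensor):
    """Cross-check the extractor config against one sensor's enrichment config.
    Returns a list of readable mismatches; an empty list means the two agree."""
    issues = []
    sensor_cfg = extractor_cfg.get("sensorToFieldList", {}).get(sensor)
    if sensor_cfg is None:
        return [f"extractor config has no sensorToFieldList entry for '{sensor}'"]
    if sensor_cfg.get("type") != "THREAT_INTEL":
        issues.append(f"'{sensor}' is loaded as {sensor_cfg.get('type')!r}, not THREAT_INTEL")
    loaded = sensor_cfg.get("fieldToEnrichmentTypes", {})
    ti = enrichment_cfg.get("threatIntel", {})
    wanted = ti.get("fieldToTypeMap", {})
    if not wanted:
        issues.append("threatIntel.fieldToTypeMap is empty, so no threat-intel lookup is configured")
    # every (field, type) the sensor looks up must be one the extractor actually loaded
    for field, types in wanted.items():
        for t in types:
            if t not in loaded.get(field, []):
                issues.append(f"{field}: type '{t}' is looked up but never loaded by the extractor")
    rules = ti.get("triageConfig", {}).get("riskLevelRules", [])
    if not rules:
        issues.append("triageConfig.riskLevelRules is empty")
    for rule in rules:
        expr = rule.get("rule", "")
        # a triage rule that names none of the threat-intel fields is a likely misconfiguration
        if not any(field in expr for field in wanted):
            issues.append(f"rule '{rule.get('name')}' references no threat-intel field")
        if rule.get("score") in (None, ""):
            issues.append(f"rule '{rule.get('name')}' has no score")
    return issues
```

Run it with `triage_consistency_issues(EXTRACTOR_CONFIG, ENRICHMENT_CONFIG, "xcsvtest")`; for the configs in the post it returns an empty list, so the mismatch is not between these two files.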
