
In the previous article of the series, Enriching Telemetry Events, we walked through how to enrich the domain element of a given telemetry event with WhoIs data such as home country, the company associated with the domain, etc. In this article, we will enrich with a special type of data called threat intel feeds. When a given telemetry event matches data in a threat intel feed, an alert is generated.

...

  1. Log into the $HOST_WITH_ENRICHMENT_TAG as root
  2. Run the loader

         /usr/metron/$METRON_RELEASE/bin/flatfile_loader.sh -n enrichment_config.json -i domainblocklist.csv -t threatintel -c t -e extractor_config.json

  3. After this, the threat intel data will be loaded into HBase and a ZooKeeper mapping will be established. The data will be populated into an HBase table called threatintel. To verify that the indicators were properly ingested into HBase, run the following commands:

        hbase shell
        scan 'threatintel'

  4. You should see the table bulk loaded with data from the CSV file. Now check that the ZooKeeper enrichment tag was properly populated:

       /usr/metron/$METRON_RELEASE/bin/zk_load_configs.sh -m DUMP -z $ZOOKEEPER_HOST:2181

  5. You should see a config for the squid sensor similar to the following:
     [image of the squid sensor config from the original page omitted]
  6. Generate some data by using the squid client to execute HTTP requests (do this about 20 times):

        squidclient http://www.actdhaka.com

...
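The steps above load the feed and verify it landed, but the page's central point is what happens next: an event whose domain matches an indicator in the feed gets flagged as an alert. The following Python block is an added example that models that lookup end to end; it is not Metron's code and does not talk to HBase or ZooKeeper. The blocklist CSV, the telemetry events, and the output field names (`is_alert` and the `threatintels.hbaseThreatIntel.<field>.<feed>` hit field) are this example's own constructed values and assumptions about the shape of the data, not values from the page. It also shows the two edge cases a practitioner usually trips over: case and trailing-dot differences between feed rows and event fields, and events that lack the domain field entirely.

```python
import csv
import io
from typing import Dict, List

# Constructed sample blocklist in the shape of the domainblocklist.csv that the
# flat-file loader ingests: one indicator per row plus the feed it came from.
# The domains are made up for this example (note the mixed case and trailing dot).
DOMAIN_BLOCKLIST_CSV = """domain,source
evil-example.test,domainblocklist
Malware-C2.invalid.,domainblocklist
"""

# Constructed squid-style telemetry events, already parsed into fields, including
# the domain_without_subdomains field derived in the previous article of the series.
TELEMETRY_EVENTS = [
    {"ip_src_addr": "10.0.0.5", "url": "http://www.actdhaka.com/",
     "domain_without_subdomains": "actdhaka.com"},
    {"ip_src_addr": "10.0.0.7", "url": "http://cdn.evil-example.test/a.js",
     "domain_without_subdomains": "evil-example.test"},
    {"ip_src_addr": "10.0.0.9", "url": "http://MALWARE-C2.invalid/beacon",
     "domain_without_subdomains": "MALWARE-C2.invalid"},
    {"ip_src_addr": "10.0.0.11", "url": "-"},  # malformed event: no domain field at all
]


def normalize_domain(domain: str) -> str:
    """Canonicalize a domain so feed rows and event fields compare equal:
    lowercase, no surrounding whitespace, no trailing dot."""
    return domain.strip().lower().rstrip(".")


def load_threat_intel(csv_text: str, indicator_column: str, feed_type: str) -> Dict[str, str]:
    """Parse the CSV feed into an indicator -> feed-type map.
    Models what the loader writes into the threatintel table: the indicator is the key,
    so a lookup per event is a single exact-match read."""
    indicators: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = normalize_domain(row.get(indicator_column, ""))
        if value:
            indicators[value] = feed_type
    return indicators


def enrich_event(event: dict, indicators: Dict[str, str], field: str) -> dict:
    """Return a copy of the event with threat-intel enrichment applied.
    When the event's field matches an indicator, a per-feed hit field is added and
    the event is marked is_alert. The field names are this example's assumption,
    patterned after Metron's convention, not Metron's API."""
    enriched = dict(event)
    value = event.get(field)
    if not isinstance(value, str):
        return enriched  # nothing to look up; the event passes through unchanged
    feed_type = indicators.get(normalize_domain(value))
    if feed_type is not None:
        enriched[f"threatintels.hbaseThreatIntel.{field}.{feed_type}"] = "alert"
        enriched["is_alert"] = "true"
    return enriched


def enrich_all(events: List[dict], indicators: Dict[str, str], field: str) -> List[dict]:
    """Enrich every event; the inputs are never mutated."""
    return [enrich_event(e, indicators, field) for e in events]


def alerts(enriched_events: List[dict]) -> List[dict]:
    """The subset of events that would be routed to the alerting path."""
    return [e for e in enriched_events if e.get("is_alert") == "true"]


if __name__ == "__main__":
    ti = load_threat_intel(DOMAIN_BLOCKLIST_CSV, "domain", "domainblocklist")
    out = enrich_all(TELEMETRY_EVENTS, ti, "domain_without_subdomains")
    for e in alerts(out):
        print(e["ip_src_addr"], "->", e["domain_without_subdomains"], "ALERT")
```

Two of the four constructed events match and are marked `is_alert`; the legitimate actdhaka.com request and the malformed event pass through untouched. Normalizing both sides of the lookup is what makes the mixed-case, trailing-dot feed row still match, which is worth checking in your own feed before trusting a quiet HBase table as "no hits".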