- Log into $HOST_WITH_ENRICHMENT_TAG as root.
- We need to modify /usr/metron/$METRON_RELEASE/config/zookeeper/sensors/squid.json. However, since the configuration in ZooKeeper may be out of sync with the configuration on disk, we must first make sure they are in sync by pulling the ZooKeeper configuration down to disk:
  /usr/metron/$METRON_RELEASE/bin/zk_load_configs.sh -m PULL -z $ZOOKEEPER_HOST:2181 -f -o /usr/metron/$METRON_RELEASE/config/zookeeper
- Validate that the enrichment config for squid exists:
  cat /usr/metron/$METRON_RELEASE/config/zookeeper/enrichments/squid.json
- Edit the configuration. In /usr/metron/$METRON_RELEASE/config/zookeeper/enrichments/squid.json, add the following triageConfig section to the threatIntel section, so that the threatIntel block reads:

  "threatIntel" : {
    "fieldMap" : {
      "hbaseThreatIntel" : [ "domain_without_subdomains" ]
    },
    "fieldToTypeMap" : {
      "domain_without_subdomains" : [ "zeusList" ]
    },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : {
        "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)" : 5,
        "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))" : 10
      },
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  }

  Ensure that the aggregator field indicates MAX.
- After modifying the configuration, we can push it back to ZooKeeper and have the enrichment topology pick it up against live data by running the following:
  /usr/metron/$METRON_RELEASE/bin/zk_load_configs.sh -m PUSH -z $ZOOKEEPER_HOST:2181 -i /usr/metron/$METRON_RELEASE/config/zookeeper
- Now, if we reload the data from part 4 via
  tail /var/log/squid/access.log | /usr/hdp/current/kafka-broker/bin/kafka-console-producer.sh --broker-list $KAFKA_HOST:6667 --topic squid
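To see what the triageConfig above actually does to a message before pushing it, here is an added simulation (not part of this tutorial and not Metron's own code) that applies the two riskLevelRules and the MAX aggregator to a few constructed enriched messages; the Stellar expressions are hand-translated into Python, and the SUM comparison shows why the aggregator choice matters.

```python
import json

# Constructed copy of the threatIntel.triageConfig fragment shown above;
# riskLevelRules maps a Stellar expression to the score it contributes.
SQUID_TRIAGE = json.loads("""{
  "riskLevelRules" : {
    "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)" : 5,
    "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))" : 10
  },
  "aggregator" : "MAX",
  "aggregationConfig" : { }
}""")

# Hand-translated Python equivalents of the two Stellar rules above; a stand-in
# for Metron's Stellar interpreter, not a reimplementation of it. Enriched
# messages carry flattened keys such as "threatintels.hbaseThreatIntel.<field>.<type>".
RULE_IMPLS = {
    "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)":
        lambda msg: "threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList" in msg,
    "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))":
        lambda msg: not msg.get("domain_without_subdomains", "").endswith((".com", ".net")),
}

AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}

def triage_score(msg, triage=SQUID_TRIAGE, aggregator=None):
    """Return (score, {rule: points}) for one enriched message.
    aggregator overrides triage["aggregator"] so MAX and SUM can be compared."""
    hits = {rule: points for rule, points in triage["riskLevelRules"].items()
            if RULE_IMPLS[rule](msg)}
    if not hits:
        return 0, hits
    return AGGREGATORS[aggregator or triage["aggregator"]](hits.values()), hits

# Constructed sample messages, shaped like what the enrichment topology hands to triage.
SAMPLES = {
    "clean .com":        {"domain_without_subdomains": "example.com"},
    "zeus hit, .com":    {"domain_without_subdomains": "example.com",
                          "threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList": "alert"},
    "odd TLD, no hit":   {"domain_without_subdomains": "example.xyz"},
    "zeus hit, odd TLD": {"domain_without_subdomains": "example.xyz",
                          "threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList": "alert"},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        score, hits = triage_score(msg)
        print(f"{label:18} MAX={score:2}  SUM={triage_score(msg, aggregator='SUM')[0]:2}  rules_hit={len(hits)}")
```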
Step 4: View Triaged/Scored Alerts