[ 
https://issues.apache.org/jira/browse/METRON-93?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15224117#comment-15224117
 ] 

ASF GitHub Bot commented on METRON-93:
--------------------------------------

Github user cestella commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/66#discussion_r58375098
  
    --- Diff: 
metron-streaming/Metron-Common/src/test/java/org/apache/metron/enrichment/EnrichmentConfigTest.java
 ---
    @@ -0,0 +1,253 @@
    +package org.apache.metron.enrichment;
    +
    +import org.apache.metron.Constants;
    +import org.apache.metron.domain.SourceConfig;
    +import org.apache.metron.utils.JSONUtils;
    +import org.junit.Assert;
    +import org.junit.Test;
    +
    +import java.io.IOException;
    +import java.util.HashMap;
    +import java.util.List;
    +import java.util.Map;
    +
    +public class EnrichmentConfigTest {
    +  @Test
    +  public void testThreatIntel() throws Exception {
    +    /*
    +    {
    +      "index": "bro",
    --- End diff --
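Review bot: The block comment that opens testThreatIntel() holds a raw JSON document (it begins with "index": "bro"), and nothing in the visible lines says what the comment is for. If it mirrors a string literal the test uses, say so on the comment's first line so both copies are edited together. Alternatively, move the JSON into a test resource file and load it from there, so only one copy exists.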
    
    Normally I'd agree, but those comments are there because multiline strings 
in Java are lacking, so if changes to the JSON structure happen, the changes 
generally happen to the comment and then the string is replaced, letting the 
IDE handle escaping quotes.  One thing that we could consider is incorporating 
something like https://github.com/benelog/multiline, which I've seen in other 
projects for these kinds of situations. 


> Generalize the HBase threat intel infrastructure to support enrichments
> -----------------------------------------------------------------------
>
>                 Key: METRON-93
>                 URL: https://issues.apache.org/jira/browse/METRON-93
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Casey Stella
>            Assignee: Casey Stella
>   Original Estimate: 504h
>  Remaining Estimate: 504h
>
> As it stands, the threat intel infrastructure is awkward.  Namely, different 
> threat intelligence sources must be pushed into separate HBase tables 
> (malicious_ips separate from malicious_hosts, for instance).  We'd rather 
> have one table where the type is brought into the rowkey.  Since this 
> infrastructure is generalized, also add a simple HBase enrichment adapter.
> Furthermore, the configuration for a new enrichment should be added to 
> ZooKeeper as part of the data load.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
