[ https://issues.apache.org/jira/browse/METRON-93?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15225314#comment-15225314 ]

ASF GitHub Bot commented on METRON-93:
--------------------------------------

Github user cestella commented on a diff in the pull request:

    https://github.com/apache/incubator-metron/pull/66#discussion_r58468314
  
    --- Diff: 
metron-streaming/Metron-Common/src/test/java/org/apache/metron/enrichment/EnrichmentConfigTest.java
 ---
    @@ -0,0 +1,253 @@
    +package org.apache.metron.enrichment;
    +
    +import org.apache.metron.Constants;
    +import org.apache.metron.domain.SourceConfig;
    +import org.apache.metron.utils.JSONUtils;
    +import org.junit.Assert;
    +import org.junit.Test;
    +
    +import java.io.IOException;
    +import java.util.HashMap;
    +import java.util.List;
    +import java.util.Map;
    +
    +public class EnrichmentConfigTest {
    +  @Test
    +  public void testThreatIntel() throws Exception {
    +    /*
    +    {
    +      "index": "bro",
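Review bot: The JSON config at the top of testThreatIntel sits inside a /* ... */ block comment, so neither the compiler nor the test ever parses it. If the test also carries this config as a string, the two copies can drift apart without any failure. Keep a single copy that the test actually reads as its input, for example a test resource or one string constant, and drop the commented duplicate. Separately, testThreatIntel declares throws Exception although java.io.IOException is imported; narrowing the throws clause would make the expected failure modes clearer.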
    --- End diff --
    
    Ok, fair enough, I'm adding the multiline string utility for the unit tests 
and moving the config JSON to there, so we don't have to maintain them in 2 
different places.  This is a similar pattern as they use in DataFu for their 
unit tests.


> Generalize the HBase threat intel infrastructure to support enrichments
> -----------------------------------------------------------------------
>
>                 Key: METRON-93
>                 URL: https://issues.apache.org/jira/browse/METRON-93
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Casey Stella
>            Assignee: Casey Stella
>   Original Estimate: 504h
>  Remaining Estimate: 504h
>
> As it stands, the threat intel infrastructure is awkward.  Namely, different 
> threat intelligence sources must be pushed into separate hbase tables 
> (malicious_ips separate from malicious_hosts, for instance).  We'd rather 
> have one table where the type is brought into the rowkey.  Since this 
> infrastructure is generalized, also add a simple hbase enrichment adapter.
> Furthermore, the configuration for a new enrichment should be added to 
> zookeeper as part of the data load.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)