Christian, can you try the steps in this article? https://community.hortonworks.com/articles/59698/pushing-stixtaxii-feeds-from-opentaxii-server-into.html

Both extractor and enrichment configs are requisites.

Regards,
Anand

From: Metron <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, May 9, 2017 at 8:45 PM
To: "[email protected]" <[email protected]>
Subject: taxiiloader

Does anyone have any pointers for getting Taxiiloader to work? I'm trying my best going through http://metron.incubator.apache.org/current-book/metron-platform/metron-data-management/index.html but can't get any data into HBase.

It seems the taxiiloader script requires three config files:

1. TAXII config

That makes perfect sense: where do we get the data from and where do we store it. Since two data sources are documented as "supported" (https://cwiki.apache.org/confluence/display/METRON/Threat+Intel: hailataxii and soltra), wouldn't it make sense to include sample configs to fetch data from there? Does the config support arrays to fetch from multiple sources/feeds, or is it expected to have a config file per source? In the documentation https://github.com/apache/incubator-metron/tree/master/metron-platform/metron-data-management the example uses 'threat_intel' as table; shouldn't it be 'threatintel'? What does "columnFamily: cf" mean?

2. Extractor config

This seems to map STIX attributes somehow; not sure if I have to specify this. The enrichment types are already in the TAXII config and I don't see why the mapping would change. Having a meaningful default configuration would make a lot of sense here.

3. Enrichment config

I'm completely lost here. The information seems to be redundant with the parser-specific configuration: /usr/metron/0.4.0/conf/zookeeper/enrichment/<parser-name>.json already had mapping field to "malicious_ip". Why is it required to specify how the data will be used at import time at all?

Now I stumbled across the opentaxii role. I guess this comes from an ansible install, but as I followed the bare metal install guide, I don't have this role. Is it needed or just for convenience? (Since the data will be stored locally in HBase anyway I don't see the benefit in aggregating it before consumption.)

Best regards,
Christian
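As an added illustration of the three files the thread discusses (not something posted in the thread itself), here is one minimal set of taxiiloader configs for a single TAXII feed, using the `threat_intel` table and `cf` column family from the documentation and the `malicious_ip` enrichment type Christian mentions. The key names follow the metron-data-management README; the endpoint URL, credentials, collection name, ZooKeeper quorum and the `bro` sensor/`ip_dst_addr` field are placeholders to be replaced for a real deployment.

```jsonc
// File 1: TAXII connection config (where to poll, where to store).
// One feed per file; a second collection needs a second connection config.
{
  "endpoint": "http://taxii.example.invalid/taxii-discovery-service", // placeholder
  "username": "guest",                 // placeholder credentials
  "password": "guest",
  "type": "DISCOVER",                  // discover services, then poll the collection
  "collection": "guest.Example_Feed",  // placeholder collection name
  "table": "threat_intel",             // HBase table, as in the README example
  "columnFamily": "cf",                // HBase column family the loader writes into
  "allowedIndicatorTypes": ["address:IPV_4_ADDR", "domainname:FQDN"]
}

// File 2: extractor config (how STIX indicators become HBase rows).
// The STIX extractor maps address observables to the enrichment type
// "malicious_ip" (and FQDNs to "malicious_domain"); the filter below
// restricts address extraction to IPv4.
{
  "config": {
    "stix_address_categories": "IPV_4_ADDR"
  },
  "extractor": "STIX"
}

// File 3: enrichment config (which sensor fields the loaded data applies to).
// This is what the loader writes into ZooKeeper, which is why it overlaps
// with conf/zookeeper/enrichment/<parser-name>.json: it updates that mapping.
{
  "zkQuorum": "zk1.example.invalid:2181",   // placeholder ZooKeeper quorum
  "sensorToFieldList": {
    "bro": {                                 // placeholder sensor name
      "type": "THREAT_INTEL",
      "fieldToEnrichmentTypes": {
        "ip_dst_addr": ["malicious_ip"]      // placeholder field to enrich
      }
    }
  }
}
```

The three files are passed to the taxiiloader script as its connection, extractor and enrichment config options respectively; if the parser's enrichment config in ZooKeeper already maps the field to `malicious_ip`, file 3 simply restates that mapping.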
