Christian, I can suggest this article as well.
One note on the enrichment config: for me it works if I set "domainname:FQDN" as
the enrichment type.
Here is an example of the parser config that I use:
<<CUT>>
"threatIntel" : {
    "fieldMap" : {
        "hbaseThreatIntel" : ["dst_host"]
    },
    "fieldToTypeMap" : {
        "dst_host" : ["domainname:FQDN"]
    },
    "triageConfig" : {
        "riskLevelRules" : {
            "exists(threatintels.hbaseThreatIntel.dst_host.domainname:FQDN)" : 10
        },
        "aggregator" : "MAX"
    }
}
<<CUT>>
Regards,
- Vladimir
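To see how the two halves of that fragment fit together, here is an added example (not Metron's own code, and not from Vladimir's message) that loads the fragment, checks that every field in fieldMap also has a fieldToTypeMap entry, and simulates the triage rule against a flat enriched message. It assumes Metron's flattened key naming (e.g. "threatintels.hbaseThreatIntel.dst_host.domainname:FQDN") and only understands exists(<key>) rules, whereas real Metron evaluates arbitrary Stellar predicates.

```python
import json
import re

# Constructed: the enrichment fragment from the message above, wrapped in an
# outer object so that it parses as a complete JSON document.
ENRICHMENT_CONFIG = json.loads("""
{
  "threatIntel": {
    "fieldMap": {"hbaseThreatIntel": ["dst_host"]},
    "fieldToTypeMap": {"dst_host": ["domainname:FQDN"]},
    "triageConfig": {
      "riskLevelRules": {
        "exists(threatintels.hbaseThreatIntel.dst_host.domainname:FQDN)": 10
      },
      "aggregator": "MAX"
    }
  }
}
""")

AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum}
EXISTS_RULE = re.compile(r"^exists\(([^)]+)\)$")


def check_field_mappings(config):
    """Return fields named in fieldMap that have no fieldToTypeMap entry.

    fieldMap says which message fields are looked up in the adapter;
    fieldToTypeMap says which enrichment type (e.g. "domainname:FQDN")
    each field is matched against. A field missing from the second map
    can never match a loaded indicator.
    """
    ti = config["threatIntel"]
    mapped = {f for fields in ti["fieldMap"].values() for f in fields}
    typed = set(ti.get("fieldToTypeMap", {}))
    return sorted(mapped - typed)


def triage_score(config, message):
    """Simplified triage: apply only exists(<flat key>) rules (assumption).

    `message` is a flat dict keyed by Metron's dotted enrichment names;
    the scores of rules that fire are combined with the configured aggregator.
    """
    triage = config["threatIntel"]["triageConfig"]
    scores = []
    for rule, score in triage["riskLevelRules"].items():
        m = EXISTS_RULE.match(rule)
        if m and m.group(1) in message:
            scores.append(score)
    return AGGREGATORS[triage["aggregator"]](scores) if scores else 0
```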
________________________________
From: Anand Subramanian [[email protected]]
Sent: Tuesday, May 09, 2017 1:14 PM
To: [email protected]
Subject: Re: taxiiloader
Christian,
Can you try the steps in this article?
https://community.hortonworks.com/articles/59698/pushing-stixtaxii-feeds-from-opentaxii-server-into.html
Both extractor and enrichment configs are requisites.
Regards,
Anand
From: Metron <[email protected]>
Reply-To: [email protected]
Date: Tuesday, May 9, 2017 at 8:45 PM
To: [email protected]
Subject: taxiiloader
Does anyone have any pointers for getting Taxiiloader to work?
I’m trying my best going through
http://metron.incubator.apache.org/current-book/metron-platform/metron-data-management/index.html
but can’t get any data into HBase.
It seems the taxiiloader script requires three config files:
1. Taxii config
That makes perfect sense: where do we get the data from and where do we store it?
Since two data sources are documented as “supported”
(https://cwiki.apache.org/confluence/display/METRON/Threat+Intel: hailataxii and
soltra), wouldn’t it make sense to include sample configs to fetch data from
there? Does the config support arrays to fetch from multiple sources/feeds, or
is it expected to have a config file per source?
In the documentation
https://github.com/apache/incubator-metron/tree/master/metron-platform/metron-data-management
the example uses ‘threat_intel’ as the table; shouldn’t it be ‘threatintel’? What
does “columnFamily: cf” mean?
2. Extractor config
This seems to map STIX attributes somehow; not sure if I have to specify this.
The enrichment types are already in the Taxii config and I don’t see why the
mapping would change.
Having a meaningful default configuration would make a lot of sense here.
3. Enrichment config
I’m completely lost here.
The information seems to be redundant with the parser-specific configuration;
/usr/metron/0.4.0/conf/zookeeper/enrichment/<parser-name>.json already had a
mapping of the field to “malicious_ip”.
Why is it required to specify how the data will be used at import time at all?
Now I stumbled across the opentaxii role. I guess this comes from an Ansible
install, but as I followed the bare metal install guide, I don’t have this
role. Is it needed or just for convenience? (Since the data will be stored
locally in HBase anyway, I don’t see the benefit in aggregating it before
consumption.)
Best regards,
Christian