I think the better option is just to use the programmatic enrichment
functionality in Stellar.  That would allow you to control the name itself.

    'computer-name': ENRICHMENT_GET("names", ip_addr, "tb", "cf")


In reality, you may need something a little more complex, which shows off
the usefulness of Stellar.  For example, you may not know which side of the
connection is the internal host that you want to retrieve the name of.  In
this example, you would define your own function IS_INTERNAL that can
determine whether a given IP is within your protected network.  You would
grab the 'computer name' of the internal host.

    'computer-name': if IS_INTERNAL(ip_src_addr) then
        ENRICHMENT_GET("names", ip_src_addr, "tb", "cf") else
        ENRICHMENT_GET("names", ip_dst_addr, "tb", "cf")
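As an added example (not code from this thread or from Metron itself), here is a minimal custom Stellar function that provides the IS_INTERNAL referred to above. It assumes the org.apache.metron.stellar.dsl package (older releases kept these classes under org.apache.metron.common.dsl) and uses constructed placeholder ranges in PROTECTED; it answers false for a missing, null or malformed address instead of throwing, so a message that lacks either address does not break enrichment.

```java
import java.util.List;
import org.apache.metron.stellar.dsl.Context;
import org.apache.metron.stellar.dsl.Stellar;
import org.apache.metron.stellar.dsl.StellarFunction;

@Stellar(name = "IS_INTERNAL",
         description = "True if an IPv4 address lies inside a protected network",
         params = {"ip - address as a dotted-quad string"},
         returns = "Boolean")
public class IsInternal implements StellarFunction {
  // Constructed placeholder ranges; replace with your own protected networks.
  private static final String[] PROTECTED = {"10.0.0.0/8", "192.168.0.0/16"};

  @Override
  public Object apply(List<Object> args, Context context) {
    // A missing or null field is "not internal"; enrichment must never throw.
    if (args.isEmpty() || args.get(0) == null) return false;
    String ip = args.get(0).toString();
    for (String cidr : PROTECTED) {
      if (inSubnet(ip, cidr)) return true;
    }
    return false;
  }

  /** IPv4 CIDR match; malformed input counts as not internal. */
  static boolean inSubnet(String ip, String cidr) {
    try {
      String[] parts = cidr.split("/");
      int bits = Integer.parseInt(parts[1]);
      int mask = bits == 0 ? 0 : -1 << (32 - bits);
      return (toInt(ip) & mask) == (toInt(parts[0]) & mask);
    } catch (RuntimeException e) {
      return false;
    }
  }

  /** Parses a dotted quad by hand so a hostname can never trigger a DNS lookup. */
  private static int toInt(String ip) {
    String[] o = ip.split("\\.");
    if (o.length != 4) throw new NumberFormatException("not a dotted quad: " + ip);
    int v = 0;
    for (String s : o) {
      int n = Integer.parseInt(s);
      if (n < 0 || n > 255) throw new NumberFormatException("bad octet: " + s);
      v = (v << 8) | n;
    }
    return v;
  }

  @Override public void initialize(Context context) { }
  @Override public boolean isInitialized() { return true; }
}
```

Stellar discovers functions by scanning for the @Stellar annotation, so the compiled class only needs to be on the enrichment topology's classpath. Note that the expression above falls through to ip_dst_addr whenever the source is external, so a flow with no internal endpoint still gets a name; guarding the else branch with a second IS_INTERNAL call avoids that.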


On Sun, Apr 2, 2017 at 10:44 PM, Ali Nazemian <alinazem...@gmail.com> wrote:

> Thanks, Nick. How can I make sure that the second enrichment (renaming)
> will be applied after the first enrichment? However, the naming policy
> would be more efficient because we don't need to put duplicate data inside
> Elasticsearch and HBase.
>
> On Mon, Apr 3, 2017 at 1:00 AM, Nick Allen <n...@nickallen.org> wrote:
>
>> One way to do it is just to create another enrichment specific to source
>> 3 where...
>>
>> computer_name = enrichments.hbaseEnrichments.computer_name
>>
>> I am unsure off hand if you can change the root name for an Hbase
>> enrichment.  If not, we should make that happen.
>>
>>
>>
>> On Apr 2, 2017 10:30 AM, "Ali Nazemian" <alinazem...@gmail.com> wrote:
>>
>> Hi all,
>>
>> How can I change the default attribute naming inside Metron?
>>
>> I want to normalize the Metron JSON object across several sources.
>> However, some of the sources do not provide specific attributes in the
>> primary feed.   For example, I want to know the computer name across all
>> sources.   Two of the sources may have computer name, while the third I
>> will need to do an enrichment with data in HBASE. I end up with three
>> attributes such as:
>>
>> ·         Source 1:  computer_name:x
>>
>> ·         Source 2:  computer_name:x
>>
>> ·         Source 3: enrichments.hbaseEnrichments.computer_name:x
>>
>> I want to have all three called computer_name so they may be used for
>> future correlation use cases, indexing and displaying in UI consistently.
>> How would this best be achieved?
>>
>> Cheers,
>> Ali
>>
>>
>>
>
>
> --
> A.Nazemian
>
