metron-dev mailing list archives

From Dima Kovalyov <Dima.Koval...@sstech.us>
Subject Enrich enrichment
Date Sun, 08 Jan 2017 20:31:26 GMT
Is it possible to enrich enrichment?

For example, I have an IP address; I enrich it with geo and get a city name.
Now I want to enrich the city name with a city crime level (assume I have that
data). But when I do that, it just does not work. I specify the enrichment
like this:
> {
>   "index" : "msexchange",
>   "batchSize" : 5,
>   "enrichment" : {
>     "fieldMap" : {
>       "geo" : [ "destination_ip", "source_ip" ],
>       "hbaseEnrichment" : [ "enrichments.geo.destination_ip.country" ],
>       "hbaseEnrichment" : [ "enrichments:geo:destination_ip:country" ],
>       "hbaseEnrichment" : [ "enrichments.geo.destination_ip:country" ]
>     },
>     "fieldToTypeMap" : {
>       "enrichments.geo.destination_ip.country" : [ "city_crime_level" ],
>       "enrichments:geo:destination_ip:country" : [ "city_crime_level" ],
>       "enrichments.geo.destination_ip:country" : [ "city_crime_level" ]
>     },
>     "config" : { }
>   },
>   "threatIntel" : {
>     "fieldMap" : { },
>     "fieldToTypeMap" : { },
>     "config" : { },
>     "triageConfig" : {
>       "riskLevelRules" : { },
>       "aggregator" : "MAX",
>       "aggregationConfig" : { }
>     }
>   },
>   "configuration" : { }
> }
I tried all the ways the enrichment field can be entered, just to be sure
I did not mistype it.

- Dima
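
An added check (not the poster's code and not part of the Metron project) for one thing worth verifying before testing field-name variants this way: a JSON parser keeps only the last of duplicate keys, so of the three `hbaseEnrichment` entries in the posted config only the final one is ever applied, and the other two spellings are never actually tried. The chained-input check is a hypothetical heuristic that flags enrichment inputs which are themselves enrichment outputs; it is not a Metron API.

```python
import json
from collections import Counter

# Constructed sample: a trimmed copy of the posted enrichment config, keeping
# the three "hbaseEnrichment" variants as duplicate keys exactly as posted.
SAMPLE_CONFIG = """{
  "enrichment": {
    "fieldMap": {
      "geo": ["destination_ip", "source_ip"],
      "hbaseEnrichment": ["enrichments.geo.destination_ip.country"],
      "hbaseEnrichment": ["enrichments:geo:destination_ip:country"],
      "hbaseEnrichment": ["enrichments.geo.destination_ip:country"]
    },
    "fieldToTypeMap": {
      "enrichments.geo.destination_ip.country": ["city_crime_level"],
      "enrichments:geo:destination_ip:country": ["city_crime_level"],
      "enrichments.geo.destination_ip:country": ["city_crime_level"]
    }
  }
}"""

def find_duplicate_keys(text):
    """Return {key: count} for every key repeated inside one JSON object.
    json.loads silently keeps only the last duplicate, so earlier ones vanish."""
    dupes = {}
    def hook(pairs):
        counts = Counter(k for k, _ in pairs)
        dupes.update({k: n for k, n in counts.items() if n > 1})
        return dict(pairs)  # last value wins, like the default parser
    json.loads(text, object_pairs_hook=hook)
    return dupes

def chained_inputs(config):
    """Hypothetical heuristic: enrichment inputs that are themselves enrichment
    outputs (field names starting with 'enrichments'), i.e. values a sibling
    enrichment must have produced before this one can use them."""
    field_map = config["enrichment"]["fieldMap"]
    return sorted(f for fields in field_map.values() for f in fields
                  if f.startswith("enrichments"))

def lint(text):
    config = json.loads(text)  # parsed the way any JSON consumer would see it
    return {"duplicate_keys": find_duplicate_keys(text),
            "surviving_hbase_inputs": config["enrichment"]["fieldMap"]["hbaseEnrichment"],
            "chained_inputs": chained_inputs(config)}

if __name__ == "__main__":
    print(json.dumps(lint(SAMPLE_CONFIG), indent=2))
```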
