metron-dev mailing list archives

From Otto Fowler <ottobackwa...@gmail.com>
Subject Re: Enrich enrichment
Date Mon, 09 Jan 2017 15:48:56 GMT
Maybe the naming of the phases is misleading?  What if you could set up an
arbitrary number of stages, with defaults?


On January 8, 2017 at 16:25:01, Casey Stella (cestella@gmail.com) wrote:

You could do the geo enrichment normally and do a stellar hbase enrichment
in the threat Intel phase.

On Sun, Jan 8, 2017 at 16:22 Ryan Merriman <merrimanr@gmail.com> wrote:

> Hbase enrichments and geo enrichments are done in parallel so I would not
> expect this to work. You could do the Hbase enrichment as a threat Intel
> enrichment and that should work because enrichments and threat Intel are
> done in series.
>
> The ideal way would be to chain together Stellar enrichments but I don't
> think there is a geo enrichment function created yet. I think that should
> be a Jira. I know someone is working on an update to how we do geo
> enrichments so I will file a follow-on Jira if it's not included in the
> scope of that work.
>
> Ryan
>
> > On Jan 8, 2017, at 2:31 PM, Dima Kovalyov <Dima.Kovalyov@sstech.us> wrote:
> >
> > Is it possible to enrich enrichment?
> >
> > For example I have IP address, I enrich it with geo and get City name,
> > now I want to enrich City name with city crime level (assume I have that
> > data). But when I do that it just does not work. I specify enrichment
> > like that:
> >> {
> >>   "index" : "msexchange",
> >>   "batchSize" : 5,
> >>   "enrichment" : {
> >>     "fieldMap" : {
> >>       "geo" : [ "destination_ip", "source_ip" ],
> >>       "hbaseEnrichment" : [ "enrichments.geo.destination_ip.country" ],
> >>       "hbaseEnrichment" : [ "enrichments:geo:destination_ip:country" ],
> >>       "hbaseEnrichment" : [ "enrichments.geo.destination_ip:country" ]
> >>     },
> >>     "fieldToTypeMap" : {
> >>       "enrichments.geo.destination_ip.country" : [ "city_crime_level" ],
> >>       "enrichments:geo:destination_ip:country" : [ "city_crime_level" ],
> >>       "enrichments.geo.destination_ip:country" : [ "city_crime_level" ]
> >>     },
> >>     "config" : { }
> >>   },
> >>   "threatIntel" : {
> >>     "fieldMap" : { },
> >>     "fieldToTypeMap" : { },
> >>     "config" : { },
> >>     "triageConfig" : {
> >>       "riskLevelRules" : { },
> >>       "aggregator" : "MAX",
> >>       "aggregationConfig" : { }
> >>     }
> >>   },
> >>   "configuration" : { }
> >> }
> > I tried all the ways the enrichment field can be entered just to be sure
> > I do not mistype it.
> >
> > - Dima
>
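As an added example, not taken from the thread or from the Metron project's own documentation, here is the restructuring Ryan and Casey suggest above: the geo enrichment stays in the enrichment phase, and the dependent HBase lookup is moved into the threatIntel phase as a Stellar expression, so that it runs only after the enrichment phase has written the geo fields. The example assumes the crime data was loaded into the HBase enrichment table named `enrichment` (column family `t`) under the enrichment type `city_crime_level`, keyed by city name with a `level` column; that the geo enrichment emits a `city` subfield under `enrichments.geo.destination_ip`; and that the Stellar functions `ENRICHMENT_GET(type, indicator, table, column_family)` and `MAP_GET(key, map, default)` are available in the deployed Metron version (check with `%functions` in the Stellar REPL). The output field name `city_crime` is arbitrary. Because JSON carries no comments, every assumption is stated here rather than in the block.

```json
{
  "index" : "msexchange",
  "batchSize" : 5,
  "enrichment" : {
    "fieldMap" : {
      "geo" : [ "destination_ip", "source_ip" ]
    },
    "fieldToTypeMap" : { },
    "config" : { }
  },
  "threatIntel" : {
    "fieldMap" : {
      "stellar" : {
        "config" : {
          "city_crime" : "exists(enrichments.geo.destination_ip.city) ? MAP_GET('level', ENRICHMENT_GET('city_crime_level', enrichments.geo.destination_ip.city, 'enrichment', 't'), 'unknown') : 'unknown'"
        }
      }
    },
    "fieldToTypeMap" : { },
    "config" : { },
    "triageConfig" : {
      "riskLevelRules" : { },
      "aggregator" : "MAX",
      "aggregationConfig" : { }
    }
  },
  "configuration" : { }
}
```

The `exists(...)` guard matters: an IP with no GeoIP hit leaves the `city` field absent, and without the guard the lookup would be attempted with a null indicator. With the lookup in the threatIntel phase, `city_crime` is also in scope for the `riskLevelRules` of the same phase if a triage score on it is wanted later; whether the default `'unknown'` should instead be an absent field depends on how downstream queries treat missing values.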
