Skip to content
This repository was archived by the owner on Aug 20, 2025. It is now read-only.

METRON-183 Allow the simple hbase enrichment adapter and simple threat intel adapter to use multiple column families #131

Closed
cestella wants to merge 2 commits into from
Closed

METRON-183 Allow the simple hbase enrichment adapter and simple threat intel adapter to use multiple column families #131

cestella wants to merge 2 commits into from

Conversation

@cestella
Copy link
Member

@cestella cestella commented May 23, 2016

Allow the simple hbase enrichment adapter and simple threat intel adapter to use multiple column families. As it stands, the table and column family used are configured at topology submission time rather than via zookeeper. It makes sense to allow different enrichment types to be associated with different column families so that column family specific configuration, such as retention policies, can be used per enrichment type.

@merrimanr
Copy link
Contributor

merrimanr commented May 27, 2016

+1

@james-sirota
Copy link

james-sirota commented May 29, 2016

The docs should probably be moved out of common to the enrichment topology

@james-sirota
Copy link

james-sirota commented May 29, 2016

What am I supposed to do to validate this? I see there is now a CF field in the enrichment and threat intel loaders and it bulk loads HBase with that CF. Is that it?

@cestella
Copy link
Member Author

cestella commented May 29, 2016

The way to validate this is to

  • Create a second column family on the enrichment HBase table, say cf1
  • Push some enrichment data into the table in that column family. Something similar to the malicious IP's from the blog post. I'd suggest calling the enrichment type malicious_ip
  • Modify the configs for one of the topologies you want to test in /usr/metron/0.1BETA/config/zookeeper/enrichment to add a config section under threatIntel marking that malicious_ip should come from column family cf1 like the following
{
      "index": "bro",
      "batchSize": 5,
      "threatIntel": {
        "fieldMap": {
           "hbaseThreatIntel" : [ "ip_dst_addr" ]
        },
      "fieldToTypeMap": {
        "ip_dst_addr" : [ "malicious_ip" ]
        },
      "config" : {
          "typeToColumnFamily" : {
                        "malicious_ip" : "cf1"
                                 }
                }
      }
 }
  • Run some data through and ensure that enrichments still exist.

@cestella
Copy link
Member Author

cestella commented May 29, 2016

As it stands, we have the docs for the configs with where the configurations live. I think you are absolutely right that we need to move them closer to the place where they are used, rather than where the configuration objects are defined.

@james-sirota
Copy link

james-sirota commented May 30, 2016

+1. I was able to put the enrichments into different column families and have the message enriched appropriately

@asfgit asfgit closed this in ab8163b May 30, 2016
asfgit pushed a commit that referenced this pull request Jun 24, 2016
@cestella
METRON-183 Allow the simple hbase enrichment adapter and simple threa…
78dfeb0 
…t intel adapter to use multiple column families closes #131
asfgit pushed a commit that referenced this pull request Jun 24, 2016
@cestella
METRON-183 Allow the simple hbase enrichment adapter and simple threa…
b6f7a1a 
…t intel adapter to use multiple column families closes #131
@mmiklavc mmiklavc mentioned this pull request Oct 21, 2016
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cestella @merrimanr @james-sirota