Details
-
Improvement
-
Status: Done
-
Minor
-
Resolution: Done
-
None
-
None
Description
When creating enrichments, I often find that I want to validate that the enrichment I just created was successful on the live, incoming stream of telemetry. My workflow looks something like this.
1. Create and test the enrichment that I want to create.
[Stellar]>>> ip_src_addr := "72.34.49.86"
72.34.49.86
[Stellar]>>> geo := GEO_GET(ip_src_addr)
{country=US, dmaCode=803, city=Los Angeles, postalCode=90014, latitude=34.0438, location_point=34.0438,-118.2512, locID=5368361, longitude=-118.2512}
2. That looks good to me. Now let's add that to my Bro telemetry.
[Stellar]>>> conf := SHELL_EDIT(conf)
{
"enrichment" : {
"fieldMap": {
"stellar": {
"config": [
"geo := GEO_GET(ip_src_addr)"
]
}
}
},
"threatIntel": {
}
}
[Stellar]>>> CONFIG_PUT("ENRICHMENTS", e, "bro")
3. It looks like that worked, but did that really work?
At this point, I would run KAFKA_GET as many times as it takes to retrieve a Bro message. You would just have to get lucky and hope that the enrichment worked and secondly that you would pull down a Bro message (as opposed to a different sensor).
I would rather have a function that lets me only pull back the messages that I care about. In this case I could either retrieve only Bro messages.
KAFKA_FIND('indexing', m -> MAP_GET('source.type', m) == 'bro')
Or I could look for messages that contain geolocation data.
KAFKA_FIND('indexing', m -> MAP_EXISTS('geo.city', m))
Attachments
Issue Links
- relates to
-
METRON-2236 KAFKA_SEEK and KAFKA_FIND missing documentation
-
- To Do
-
- links to
