{
"enrichment": {
"fieldMap": {
"geo": [
"ip_src_addr",
"ip_dst_addr"
],
"host": [
"ip_src_addr",
"ip_dst_addr"
],
"hbaseEnrichment": [
"ip_src_addr",
"ip_dst_addr"
],
"stellar" : {
"config" : {
"numeric" : {
"map" : "{ 'blah' : 1}"
,"one" : "MAP_GET('blah', map)"
,"foo": "1 + 1"
}
,"ALL_CAPS" : "TO_UPPER(source.type)"
,"src_enrichment" : {
"src_classification" : "ENRICHMENT_GET('playful_classification', ip_src_addr, 'enrichments', 'cf')"
}
,"dst_enrichment" : {
"dst_classification" : "ENRICHMENT_GET('playful_classification', ip_dst_addr, 'enrichments', 'cf')"
}
}
}
}
,"fieldToTypeMap": {
"ip_src_addr": [
"playful_classification"
],
"ip_dst_addr": [
"playful_classification"
]
}
},
"threatIntel": {
"fieldMap": {
"hbaseThreatIntel": [
"ip_src_addr",
"ip_dst_addr"
],
"stellar" : {
"config" : {
"bar" : "TO_UPPER(source.type)"
,"is_src_malicious" : "ENRICHMENT_EXISTS('malicious_ip', ip_src_addr, 'threat_intel', 'cf')"
}
}
},
"fieldToTypeMap": {
"ip_src_addr": [
"malicious_ip"
],
"ip_dst_addr": [
"malicious_ip"
]
},
"triageConfig" : {
"riskLevelRules" : [
{
"name" : "The name of the triage rule",
"comment" : "A description of the triage rule",
"rule" : "ip_src_addr == '10.0.2.3' or ip_dst_addr == '10.0.2.3'",
"score": 10,
"reason": "'Reason field'"
}
],
"aggregator" : "MAX"
}
}
}