Overview

You can use the Threat Analytics Manager to apply a previously created lookup table (LUT). Applying a lookup table means specifying the name of the lookup table to apply, the Data Group it should be applied to, and the record type (e.g. Apache).

 

About Records:

A lighter-weight IKANOW object format for storing logs, term/record volumes, or statistics. A very common use case for logs/records is in DevOps environments where log files need to be filtered and appropriately analyzed. Using the IKANOW record format it is easy to filter log files, define column names, and determine GeoIP information, for example. This record data can then be analyzed along with other IKANOW documents for log analysis and big data cyber analytics within one platform.

Applying a Lookup Table Using the Manager

To apply a lookup table

  1. From the Threat Analytics Dashboard, click on Data Sources (top right).
  2. Click on Add New Source.
  3. Under "What kind of source would you like to create?" specify "Lookup table applier."
  4. Click on Next.
  5. Specify the fields as defined in the table below.

    Field               Description                                               Note
    Record Type         e.g. Apache, Netflow, SNORT etc.
    Communities         Data Group that the LUT will be applied to.               Should be Data Group, not Communities.
    Lookup Table Name   LUT that will be applied to the data in the Data Group.
    Key Field           Key field of the LUT.
  6. Click on Next.
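The Key Field setting above is the record column that is matched against the LUT key. The following is an added illustration, not IKANOW code or the IKANOW record format: constructed Apache-style lines are parsed into column-named records and joined to a constructed LUT (hypothetical "asset_owner" table keyed on client IP), keeping records with no LUT match but flagging them.

```python
"""Illustrative lookup-table (LUT) application over Apache-style records.

Added example, not IKANOW code: record layout, LUT layout and field names
are constructed to show what the applier's "Key Field" means.
"""
import re
from typing import Dict, List, Optional

# Constructed Apache access-log lines (sample data, not from the page).
APACHE_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
192.0.2.44 - - [10/Oct/2000:13:55:40 -0700] "POST /login HTTP/1.0" 401 512
10.0.0.9 - - [10/Oct/2000:13:56:01 -0700] "GET /admin HTTP/1.0" 403 128
"""

# Constructed LUT (hypothetical "asset_owner" table) keyed on client IP.
ASSET_LUT: Dict[str, Dict[str, str]] = {
    "10.0.0.5": {"owner": "web-team", "zone": "dmz"},
    "192.0.2.44": {"owner": "unknown", "zone": "external"},
}

LINE_RE = re.compile(r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$')

def parse_apache(text: str) -> List[Dict[str, str]]:
    """Turn raw log lines into records with named columns."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def apply_lut(records: List[Dict[str, str]], lut: Dict[str, Dict[str, str]],
              key_field: str, prefix: str = "lut_") -> List[Dict]:
    """Join each record to the LUT on key_field. Records with no LUT hit are
    kept and flagged, so a miss is visible downstream instead of silently lost."""
    out = []
    for rec in records:
        enriched = dict(rec)
        hit: Optional[Dict[str, str]] = lut.get(rec.get(key_field, ""))
        enriched["lut_matched"] = hit is not None
        for k, v in (hit or {}).items():
            enriched[prefix + k] = v
        out.append(enriched)
    return out

def enrich_apache(text: str = APACHE_LOG, key_field: str = "client_ip") -> List[Dict]:
    """Apply the constructed LUT to the constructed Apache records."""
    return apply_lut(parse_apache(text), ASSET_LUT, key_field)
```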

Configuring and Testing

Once you have made the input settings, you will need to perform additional configuration and testing.

To configure and test

  1. Provide a name for the source.
  2. Select the previously created Data Group.
  3. Select the Media Type.
  4. Specify the frequency at which the source should be harvested (e.g. once per day).
  5. Click on Test Source.

About Testing

If the source has been configured properly, testing will return test results and you will be able to move forward with publishing the new source. Otherwise, a failure message is generated which can be used for troubleshooting (currently it only says FAIL). You can always Save your source and come back to fix any testing errors later.

Saving or Publishing

Saving 

To save the source after testing

  • Click on Save.

The source is saved and you are re-directed to the Source Manager.

Publishing

To publish the source after testing

  • Click on Publish.

The source is published and you are re-directed to the Source Manager list.


Related Documentation:

Manager Interface Reference
