Noticed some errors in JSON in HCP Threat Triage document

https://docs.hortonworks.com/HDPDocuments/HCP1/HCP-1.1.0/bk_administration/content/create_threat_tri...

The content is excellent, easy to follow and informative. I am presuming that it can only be edited by Hortonworks staff, and if so, could the updates be made to make it easier for others in future?

However, there are multiple errors with the JSON making it invalid when trying to upload, including missing commas, oddly formatted quote marks and an extra :10. Below is the incorrect version and the corrected version I managed to upload.

“triageConfig” : {
   “riskLevelRules” : [
{
“name” : “zeusList is alerted"
“comment” : “Threat intelligence enrichment type zeusList is alerted."
“rule”: "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)”
“score” : 5
}
{
“name” : “Does not end with .com or .net"
“comment” : “The URL ends with neither .com nor .net."
“rule”: “not(ENDS_WITH(domain_without_subdomains, ‘.com’) or ENDS_WITH(domain_without_subdomains, ‘.net’))“ : 10
“score” : 10
}
]
      ,“aggregator” : “MAX”
       ,”aggregationConfig” : { }
}

Should be

"triageConfig" : {
   "riskLevelRules" : [
{
"name" : "zeusList is alerted",
"comment" : "Threat intelligence enrichment type zeusList is alerted.",
"rule": "exists(threatintels.hbaseThreatIntel.domain_without_subdomains.zeusList)",
"score" : 5
},
{
"name" : "Does not end with .com or .net",
"comment" : "The URL ends with neither .com nor .net.",
"rule": "not(ENDS_WITH(domain_without_subdomains, '.com') or ENDS_WITH(domain_without_subdomains, '.net'))",
"score" : 10
}
]
      ,"aggregator" : "MAX"
       ,"aggregationConfig" : { }
}
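
A pre-upload check for the error classes listed in this post (typographic quotes, missing commas, malformed rule entries), as an added example that is not part of the original post or the Hortonworks documentation. The function name `lint_triage`, the sample fragment and the set of required rule keys are assumptions made for illustration.

```python
import json

# Typographic quotes that document renderers substitute for ASCII quotes.
SMART = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
# Assumption: each rule needs these keys, as in the post's example.
REQUIRED = {"rule": str, "score": (int, float)}

def lint_triage(fragment):
    """Return a list of problems in a '"triageConfig" : {...}' fragment."""
    problems = []
    for lineno, line in enumerate(fragment.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ch in SMART:
                problems.append(f"line {lineno} col {col}: typographic quote U+{ord(ch):04X}")
    # Normalise the quotes so the parser can surface the next class of error.
    clean = "".join(SMART.get(ch, ch) for ch in fragment)
    try:
        doc = json.loads("{\n" + clean + "\n}")  # fragment -> full object
    except json.JSONDecodeError as e:
        # Subtract the wrapper line so the number matches the fragment.
        problems.append(f"line {e.lineno - 1} col {e.colno}: {e.msg}")
        return problems
    triage = doc.get("triageConfig")
    rules = triage.get("riskLevelRules") if isinstance(triage, dict) else None
    if not isinstance(rules, list):
        return problems + ["triageConfig.riskLevelRules must be a list"]
    for i, rule in enumerate(rules):
        for key, typ in REQUIRED.items():
            if not isinstance(rule, dict) or not isinstance(rule.get(key), typ):
                problems.append(f"riskLevelRules[{i}]: missing or mistyped '{key}'")
    return problems

# Constructed sample: one curly quote (line 3) and a missing comma before line 4.
BROKEN = '''"triageConfig" : {
  "riskLevelRules" : [
    { "name" : \u201cr1", "rule" : "exists(x)", "score" : 5 }
    { "name" : "r2", "rule" : "not(exists(y))", "score" : 10 }
  ],
  "aggregator" : "MAX",
  "aggregationConfig" : { }
}'''

if __name__ == "__main__":
    for p in lint_triage(BROKEN):
        print(p)
```

The JSON parser stops at the first syntax error, so rerun the check after each fix until the list comes back empty.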