Threat Intelligence Enrichments
HCP provides an extensible framework to plug in threat intelligence sources. Each threat intelligence source has two components: an enrichment data source and an enrichment bolt. The threat intelligence feeds are bulk loaded and streamed into a threat intelligence store similarly to how the enrichment feeds are loaded. The keys are loaded in a key-value format. The key is the indicator and the value is the JSON formatted description of what the indicator is. Hortonworks recommends using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/TAXII. HCP provides an adapter that is able to read Soltra-produced STIX/TAXII feeds and stream them into HBase. HCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or stream threat intelligence data into HBase even without the use of a threat feed aggregator.
The JSON documents for the threat intelligence enrichment configurations are structured in the following way:
Table 5.2. Threat Intelligence Enrichment Configuration
| Field | Description | Example |
|---|---|---|
fieldToTypeMap | In the case of a simple HBase threat intelligence enrichment (in other words, a key/value lookup), the mapping between fields and the enrichment types associated with those fields must be known. This enrichment type is used as part of the HBase key. |
"fieldToTypeMap" : {
"ip_src_addr" : [
"malicious_ips" ] }
|
fieldMap | The map of threat intelligence enrichment bolts names to fields in the JSON messages. Each field is sent to the threat intelligence enrichment bolt referenced in the key. |
"fieldMap":
{"hbaseThreatIntel":
["ip_src_addr","ip_dst_addr"]}
|
triageConfig | The configuration of the threat triage scorer. In the situation where a threat is detected, a score is assigned to the message and embedded in the indexed message. |
"riskLevelRules" : {
"IN_SUBNET(ip_dst_addr,
'192.168.0.0/24')" : 10 }
|
config | The general configuration for the threat intelligence. |
"config":
{"typeToColumnFamily": {
"malicious_ips" : "cf" } }
|
The config map is intended to house threat intelligence specific
configurations. For instance, the hbaseThreatIntel threat intelligence
adapter specifies the mappings between the enrichment types and the column
families.
The triageConfig field utilizes the following fields:
Table 5.3. triageConfig Fields
| Field | Description | Example |
|---|---|---|
| riskLevelRules | The mapping of Metron Query Language (see above) queries to a score. | "riskLevelRules" : { "IN_SUBNET(ip_dst_addr, '192.168.0.0/24')" : 10 } |
| aggregator | An aggregation function that takes all non-zero scores representing the
matching queries from riskLevelRules and aggregates them into a
single score. | "MAX" |
The supported aggregator functions are as follows:
- MAX
The maximum of all of the associated values for matching queries
- MIN
The minimum of all of the associated values for matching queries
- MEAN
The mean of all of the associated values for matching queries
- POSITIVE_MEAN
The mean of the positive associated values for the matching queries
The following is an example configuration for the YAF sensor:
{
"index": "yaf",
"batchSize": 5,
"enrichment": {
"fieldMap": {
"geo": [
"ip_src_addr",
"ip_dst_addr"
],
"host": [
"ip_src_addr",
"ip_dst_addr"
],
"hbaseEnrichment": [
"ip_src_addr",
"ip_dst_addr"
]
}
,"fieldToTypeMap": {
"ip_src_addr": [
"playful_classification"
],
"ip_dst_addr": [
"playful_classification"
]
}
},
"threatIntel": {
"fieldMap": {
"hbaseThreatIntel": [
"ip_src_addr",
"ip_dst_addr"
]
},
"fieldToTypeMap": {
"ip_src_addr": [
"malicious_ip"
],
"ip_dst_addr": [
"malicious_ip"
]
},
"triageConfig" : {
"riskLevelRules" : {
"ip_src_addr == '10.0.2.3' or ip_dst_addr == '10.0.2.3'" : 10
},
"aggregator" : "MAX"
}
}
}