Run Book - Technical Preview
Also available as:
PDF

Chapter 5. Enriching Threat Intelligence Information

You can enrich your threat intelligence information just like you enriched your telemetry information.

You can choose to skip this section and come back to it later if you don't want to enrich your threat intelligence information at this time.

Metron provides an extensible framework to plug in threat intel sources. Each threat intel source has two components: an enrichment data source and an enrichment bolt. The threat intelligence feeds are loaded into a threat intelligence store similar to how the enrichment feeds are loaded. The keys are loaded in a key-value format. The key is the indicator and the value is the JSON formatted description of what the indicator is.

We recommend using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/Taxii. Metron provides an adapter that is able to read Soltra-produced STIX/Taxii feeds and stream them into HBase, which is the preferred data store to back high-speed threat intel lookups on HCP. HCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or poll threat intel data into HBase even without the use of a threat feed aggregator.