Administration
Copyright © 2012-2018 Hortonworks, Inc.
Except where otherwise noted, this document is licensed under the Creative Commons Attribution ShareAlike 4.0 License.
2018-05-18
Abstract
Hortonworks Cybersecurity Platform (HCP) is a modern data application based on Apache Metron, powered by Apache Hadoop, Apache Storm, and related technologies.
HCP provides a framework and tools to enable greater efficiency in Security Operation Centers (SOCs), along with better and faster threat detection in real time at massive scale. It provides ingestion, parsing, and normalization of fully enriched, contextualized data; threat intelligence feeds; triage; and machine-learning-based detection. It also provides near-real-time dashboards for end users.
Based on a strong foundation in the Hortonworks Data Platform (HDP) and Hortonworks DataFlow (HDF) stacks, HCP provides an integrated advanced platform for security analytics.
Please visit the Hortonworks Data Platform page for more information on Hortonworks technology. For more information on Hortonworks services, please visit either the Support or Training page. Feel free to Contact Us directly to discuss your specific needs.
Contents
- 1. HCP Information Roadmap
- 2. Understanding Hortonworks Cybersecurity Suite
- 3. Configuring and Customizing HCP
- Adding a New Telemetry Data Source
- Telemetry Data Source Parsers Bundled with HCP
- Prerequisites to Adding a New Telemetry Data Source
- Understanding Streaming Data into HCP
- Streaming Data Using NiFi
- Understanding Parsing a New Data Source to HCP
- Elasticsearch Type Mapping Changes
- Creating a Parser for Your New Data Source by Using the Management Module
- Transform Your New Data Source Parser Information by Using the Management Module
- Tuning Parser Storm Parameters
- Create a Parser for Your New Data Source by Using the CLI
- Verifying That Events Are Indexed
- Enriching Telemetry Events
- Configuring Indexing
- Preparing to Configure Threat Intelligence
- Prioritizing Threat Intelligence
- Setting Up Enrichment Configurations
- Understanding Global Configuration
- Creating Global Configurations
- Understanding the Profiler
- Creating an Index Template
- Configuring the Metron Dashboard to View the New Data Source Telemetry Events
- Setting up pcap to View Your Raw Data
- Troubleshooting Parsers
- 4. Monitor and Manage
- Understanding Throughput
- Updating Properties
- Understanding ZooKeeper Configurations
- Managing Sensors
- Monitoring Sensors
- Starting and Stopping Parsers
- Starting and Stopping Enrichments
- Starting and Stopping Indexing
- Pruning Data from Elasticsearch
- Tuning Apache Solr
- Backing Up the Metron Dashboard
- Restoring Your Metron Dashboard Backup
- 5. Concepts
List of Figures
- 2.1. HCP Architecture
- 3.1. Indexing Data Flow
- 3.2. NiFi Configure Processor
- 3.3. Configure Processor Settings Tab
- 3.4. Configure Processor Properties Tab
- 3.5. Create Connection Dialog Box
- 3.6. NiFi Dataflow
- 3.7. Operate Panel
- 3.8. Threat Intel Configuration
- 3.9. New Schema Information Panel
- 3.10. Threat Triage Rules Panel
- 3.11. Edit Rule Panel
- 3.12. Investigation Module Triaged Alert Panel
- 4.1. Management Module Main Window
- 4.2. Management Module Main Window
- 4.3. Sensor Panel
- 4.4. ambari_configs_parsers.png
- 4.5. Error Dashboard
- 4.6. Ambari Services Tab
- 4.7. Confirmation Dialog Box
- 4.8. Ambari Background Operations
- 4.9. Ambari Metron Summary Window
- 4.10. Components Window
- 4.11. Ambari Metron Summary Window
- 4.12. Components Window
- 4.13. Ambari Metron Summary Window
- 4.14. Components Window
- 5.1. Configuration File with Transformation Information
- 5.2. HCP Enrichment Flow