Prerequisites to Adding a New Telemetry Data Source
Before you add a new telemetry data source, you must ensure that your system setup meets the Hortonworks Cybersecurity Platform (HCP) requirements.
- Ensure that the new sensor is installed and set up.
- Ensure that Apache NiFi or another telemetry data collection tool can feed the telemetry data source events into an Apache Kafka topic.
- Determine your requirements. For example, you might decide that you need to meet the following requirements:
  - Proxy events from the data source logs must be ingested in real time.
  - Proxy logs must be parsed into a standardized JSON structure suitable for analysis by Metron.
  - In real time, new data source proxy events must be enriched so that the domain names are accompanied by their IP information.
  - In real time, the IP within the proxy event must be checked against threat intelligence feeds.
  - If there is a threat intelligence hit, an alert must be raised.
  - The SOC analyst must be able to view new telemetry events and alerts from the new data source.
- Set HCP values. When you install HCP, you set up several hosts. Note the locations of these hosts, their port numbers, and the Metron version for future use:
  - KAFKA_HOST: The host on which a Kafka broker is installed.
  - ZOOKEEPER_HOST: The host on which an Apache ZooKeeper server is installed.
  - PROBE_HOST: The host on which your sensor probes are installed. If you do not have any sensors installed, choose the host on which an Apache Storm supervisor is running.
  - NIFI_HOST: The host on which you install Apache NiFi.
  - HOST_WITH_ENRICHMENT_TAG: The host in your inventory hosts file that you put in the "enrichment" group.
  - SEARCH_HOST: The host on which Amazon Elasticsearch or Apache Solr is running. This is the host in your inventory hosts file that you put in the "search" group. Pick one of the search hosts.
  - SEARCH_HOST_PORT: The port of the search host where indexing is configured (for example, 9300).
  - METRON_UI_HOST: The host on which your Metron UI web application is running. This is the host in your inventory hosts file that you put in the "web" group.
  - METRON_VERSION: The release of the Metron binaries you are working with (for example, HCP-1.5.1.0).
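The requirements listed under "Determine your requirements" describe a small pipeline: parse the proxy log into standardized JSON, enrich the domain with its IP, check that IP against threat intelligence and raise an alert on a hit. The Python model below is added here and is not part of the HCP documentation or of Metron's own code; it walks constructed Squid-style proxy lines through those steps. The message fields `original_string`, `timestamp`, `source.type`, `ip_src_addr`, `ip_dst_addr` and `is_alert` follow Metron's standard field names, while the `domain` field, the DNS table and the threat-intel feed contents are assumptions built for the example (in HCP itself these steps run as Storm topologies with a Grok parser and Stellar enrichments).

```python
import json
import re

# Constructed lookup tables standing in for a DNS enrichment source and a threat-intel feed.
# The addresses are documentation ranges (RFC 5737), not real indicators.
DNS_TABLE = {"updates.example.net": "198.51.100.20", "beacon.example.org": "203.0.113.7"}
THREAT_INTEL_IPS = {"203.0.113.7": "constructed_feed"}

# Constructed Squid access-log lines: "<epoch> <elapsed> <client> <code>/<status> <bytes> <method> <url> ..."
SAMPLE_LINES = [
    "1528900000.123 245 10.0.0.5 TCP_MISS/200 1024 GET http://updates.example.net/patch.bin - DIRECT/198.51.100.20 application/octet-stream",
    "1528900001.456 12 10.0.0.9 TCP_MISS/200 512 GET http://beacon.example.org/ping - DIRECT/203.0.113.7 text/html",
]

SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_proxy_event(line: str) -> dict:
    """Parse one raw proxy line into a Metron-style JSON message (standardized field names)."""
    m = SQUID_RE.match(line)
    if not m:
        raise ValueError("unparseable proxy log line: %r" % line)
    host = re.sub(r"^[a-z]+://", "", m["url"]).split("/")[0].split(":")[0]
    return {
        "original_string": line,                       # raw event kept for analyst review
        "timestamp": round(float(m["ts"]) * 1000),     # epoch milliseconds, as Metron expects
        "source.type": "proxy",
        "ip_src_addr": m["client"],
        "domain": host,                                # assumed field name for the requested host
        "method": m["method"],
        "url": m["url"],
    }


def enrich_domain(msg: dict) -> dict:
    """Attach the IP the domain resolves to (the constructed DNS table replaces a live lookup)."""
    ip = DNS_TABLE.get(msg["domain"])
    if ip:
        msg["ip_dst_addr"] = ip
    return msg


def threat_intel_check(msg: dict) -> dict:
    """Compare the destination IP with the feed; on a hit, record the feed and raise the alert flag."""
    feed = THREAT_INTEL_IPS.get(msg.get("ip_dst_addr", ""))
    if feed:
        msg["threatintels.ip_dst_addr"] = feed
        msg["is_alert"] = True
    return msg


def process_line(line: str) -> dict:
    """Run one event through parse -> enrich -> threat-intel check, the order the requirements describe."""
    return threat_intel_check(enrich_domain(parse_proxy_event(line)))


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(json.dumps(process_line(raw), indent=2))
```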