Threat Intelligence Enrichments
Hortonworks Cybersecurity Platform (HCP) provides an extensible framework to plug in threat intelligence sources.
Each threat intelligence source has two components: an enrichment data source and an enrichment bolt. The threat intelligence feeds are bulk loaded and streamed into a threat intelligence store similarly to how the enrichment feeds are loaded. The keys are loaded in a key-value format. The key is the indicator and the value is the JSON formatted description of what the indicator is. Hortonworks recommends using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/TAXII. HCP provides an adapter that is able to read Soltra-produced STIX/TAXII feeds and stream them into HBase. HCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or stream threat intelligence data into HBase even without the use of a threat feed aggregator.
The JSON documents for the threat intelligence enrichment configurations are structured in the following way:
| Field | Description | Example |
|---|---|---|
fieldToTypeMap
|
In the case of a simple HBase enrichment, you must specify the mapping between fields and the enrichment types associated with those fields. You must also specify the enrichment type for the HBase key. |
"fieldToTypeMap" : {
"ip_src_addr" : [
"malicious_ips" ] }
|
fieldMap
|
The map of threat intelligence enrichment bolts names to fields in the JSON messages. Each field is sent to the threat intelligence enrichment bolt referenced in the key. |
"fieldMap":
{"hbaseThreatIntel":
["ip_src_addr","ip_dst_addr"]}
|
triageConfig
|
The configuration of the threat triage scorer. In the situation where a threat is detected, a score is assigned to the message and embedded in the indexed message. |
"riskLevelRules" : {
"IN_SUBNET(ip_dst_addr,
'192.168.0.0/24')" : 10 }
|
config
|
The general configuration for the threat intelligence. |
"config":
{"typeToColumnFamily": {
"malicious_ips" : "cf" } }
|
The config map houses threat intelligence specific configurations. For
instance, the hbaseThreatIntel threat intelligence adapter specifies the
mappings between the enrichment types and the column families.
The triageConfig field utilizes the following fields:
| Field | Description | Example |
|---|---|---|
| riskLevelRules | The mapping of Metron Query Language (see above) queries to a score. | "riskLevelRules" : { "IN_SUBNET(ip_dst_addr, '192.168.0.0/24')" : 10 } |
| aggregator | An aggregation function that takes all non-zero scores representing the matching
queries from riskLevelRules and aggregates them into a single
score. |
"MAX" |
The supported aggregator functions are as follows:
- MAX
-
The maximum of all of the associated values for matching queries
- MIN
-
The minimum of all of the associated values for matching queries
- MEAN
-
The mean of all of the associated values for matching queries
- POSITIVE_MEAN
-
The mean of the positive associated values for the matching queries
The following is an example configuration for the YAF sensor:
{
"index": "yaf",
"batchSize": 5,
"enrichment": {
"fieldMap": {
"geo": [
"ip_src_addr",
"ip_dst_addr"
],
"host": [
"ip_src_addr",
"ip_dst_addr"
],
"hbaseEnrichment": [
"ip_src_addr",
"ip_dst_addr"
]
}
,"fieldToTypeMap": {
"ip_src_addr": [
"playful_classification"
],
"ip_dst_addr": [
"playful_classification"
]
}
},
"threatIntel": {
"fieldMap": {
"hbaseThreatIntel": [
"ip_src_addr",
"ip_dst_addr"
]
},
"fieldToTypeMap": {
"ip_src_addr": [
"malicious_ip"
],
"ip_dst_addr": [
"malicious_ip"
]
},
"triageConfig" : {
"riskLevelRules" : {
"ip_src_addr == '10.0.2.3' or ip_dst_addr == '10.0.2.3'" : 10
},
"aggregator" : "MAX"
}
}
}