Enriching with Threat Intelligence Information
The threat intelligence topology takes a normalized JSON message and cross references it against threat intelligence information, tags it with alerts if appropriate, runs the results against the scoring component of machine learning models where appropriate, and stores the telemetry in a data store.
- Choose your threat intelligence sources
- As a best practice, install a threat intelligence feed aggregator, such as SoltraEdge
-
Mark messages as threats based on data in external data stores
-
Mark threat alerts with a numeric triage level based on a set of Stellar rules
You can bulk load threat intelligence information from the following sources:
-
CSV Ingestion
-
HDFS through MapReduce
-
Taxii Loader