Bulk Loading TAXII Threat Intelligence Information
You can enrich your telemetry with threat intelligence information.
You can choose to skip this section and come back to it later if you don't want to apply threat intelligence information at this time.
Metron provides an extensible framework for plugging in threat intel sources. Threat intelligence feeds are loaded into a threat intelligence store in HBase in the same way that enrichment feeds are loaded. Entries are stored as key-value pairs: the key is the indicator (an IP address, domain name, hash, and so on) and the value is a JSON-formatted description of what the indicator is. When threat intelligence is applied as an enrichment to a field, HCP looks up the value of that field in the threat intelligence loaded into HBase. If the field value is found, HCP sets the is_alert field of the message to true. Because this is a key lookup, only exact matches are found, so indicators should be normalized before loading (consistent case, no trailing dot on domain names, one canonical form per indicator type) or hits will be missed.
We recommend using a threat feed aggregator such as Soltra to deduplicate and normalize feeds via STIX/TAXII. Metron provides an adapter that reads Soltra-produced STIX/TAXII feeds and streams them into HBase. HCP also provides a flat-file loader and a STIX bulk loader that can normalize, deduplicate, and bulk load (or poll) threat intel data into HBase without a feed aggregator.
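The following Python example illustrates the two steps described above: loading a normalized, deduplicated feed into a key-value store keyed by indicator, and applying that store as an enrichment that sets is_alert on matching telemetry. It is an added, self-contained illustration and is not Metron's or HCP's own loader or enrichment code; the feed layout, the field-to-indicator-type mapping, and the threatintel output key are assumptions made for the example, and the indicators are constructed from reserved documentation ranges, not real IOCs.

```python
import json
from typing import Dict, Tuple

# Constructed sample feed in the shape a flat-file loader or aggregator might
# emit after flattening: <indicator type>,<indicator>,<JSON description>.
# The same domain appears twice (from two feeds, in two spellings) to show
# why normalization and deduplication matter before the store is built.
SAMPLE_FEED = """\
ip,198.51.100.23,{"source": "feed-a", "confidence": "high"}
domain,Malicious.example.,{"source": "feed-a", "confidence": "medium"}
domain,malicious.example,{"source": "feed-b", "confidence": "low"}
"""

# Which telemetry fields are checked against which indicator type.
# Assumed for this example; in a real deployment this comes from the
# sensor's threat intel enrichment configuration.
FIELD_TO_TYPE = {
    "ip_src_addr": "ip",
    "ip_dst_addr": "ip",
    "domain": "domain",
}


def normalize(ind_type: str, value: str) -> str:
    """Canonicalize an indicator so that an exact-match key lookup works."""
    v = value.strip()
    if ind_type == "domain":
        v = v.lower().rstrip(".")  # case-fold and drop the trailing FQDN dot
    return v


def load_feed(text: str) -> Dict[Tuple[str, str], dict]:
    """Parse the feed into a key-value store keyed by (type, indicator).

    The value is the JSON description. Duplicate indicators seen in several
    feeds are merged into one entry carrying a list of sources (the dedup
    step); the first feed to describe an indicator supplies its attributes.
    """
    store: Dict[Tuple[str, str], dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ind_type, indicator, desc_json = line.split(",", 2)  # JSON may contain commas
        ind_type = ind_type.strip()
        key = (ind_type, normalize(ind_type, indicator))
        desc = json.loads(desc_json)
        source = desc.pop("source", None)
        entry = store.setdefault(key, {"sources": []})
        entry["sources"].append(source)
        for attr, val in desc.items():
            entry.setdefault(attr, val)
    return store


def apply_threat_intel(message: dict, store: Dict[Tuple[str, str], dict]) -> dict:
    """Look up each mapped field in the store and flag the message on any hit.

    Returns a new message dict. is_alert is set only when at least one field
    value matches a loaded indicator; the matching entries are attached under
    a "threatintel" key (that output field name is an assumption here).
    """
    out = dict(message)
    hits = {}
    for field, ind_type in FIELD_TO_TYPE.items():
        if field not in message:
            continue
        key = (ind_type, normalize(ind_type, str(message[field])))
        if key in store:
            hits[field] = store[key]
    if hits:
        out["is_alert"] = True
        out["threatintel"] = hits
    return out


if __name__ == "__main__":
    ti_store = load_feed(SAMPLE_FEED)
    # Constructed telemetry message; ip_dst_addr matches a loaded indicator.
    sample_message = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "198.51.100.23"}
    print(json.dumps(apply_threat_intel(sample_message, ti_store), indent=2))
```

Note that the un-normalized spelling "Malicious.example." and the clean "malicious.example" collapse into a single store entry, and a message carrying "MALICIOUS.EXAMPLE." still matches, whereas without the normalize step both the load and the lookup would silently diverge.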