Enriching Threat Intelligence Information
You can enrich your telemetry with threat intelligence information.
You can choose to skip this section and come back to it later if you don't want to apply threat intelligence at this time.
Cloudera Cybersecurity
Platform (CCP) provides an extensible framework to plug in threat intelligence sources. The
threat intelligence feeds are loaded into a threat intelligence store similar to how the
enrichment feeds are loaded. The keys are loaded in a key-value format. The key is the
indicator and the value is the JSON formatted description of what the indicator is. When
threat intelligence is applied as an enrichment to a field, CCP looks up the value of the
field in the threat intelligence loaded into HBase. If the field value is found, CCP sets
the is_alert
field to true.
You can bulk load threat intelligence information from the following sources:
-
CSV Ingestion
-
HDFS through MapReduce
-
Taxii Loader
We recommend using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/Taxii. CCP provides an adapter that is able to read Soltra-produced STIX/Taxii feeds and stream them into HBase. CCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or poll threat intel data into HBase even without the use of a threat feed aggregator.