Enriching with Threat Intelligence Information

The threat intelligence topology takes a normalized JSON message and cross references it against threat intelligence information, tags it with alerts if appropriate, runs the results against the scoring component of machine learning models where appropriate, and stores the telemetry in a data store.

Prior to configuring threat intelligence, you must meet the following requirements:
  • Choose your threat intelligence sources
  • As a best practice, install a threat intelligence feed aggregator, such as SoltraEdge
  • Mark messages as threats based on data in external data stores

  • Mark threat alerts with a numeric triage level based on a set of Stellar rules

You can bulk load threat intelligence information from the following sources:

  • CSV Ingestion

  • HDFS through MapReduce

  • Taxii Loader