Enriching Threat Intelligence Information
You can enrich your telemetry with threat intelligence information.
You can choose to skip this section and come back to it later if you don't want to apply threat intelligence at this time.
Platform (CCP) provides an extensible framework to plug in threat intelligence sources. The
threat intelligence feeds are loaded into a threat intelligence store similar to how the
enrichment feeds are loaded. The keys are loaded in a key-value format. The key is the
indicator and the value is the JSON formatted description of what the indicator is. When
threat intelligence is applied as an enrichment to a field, CCP looks up the value of the
field in the threat intelligence loaded into HBase. If the field value is found, CCP sets
is_alert field to true.
You can bulk load threat intelligence information from the following sources:
HDFS through MapReduce
We recommend using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/Taxii. CCP provides an adapter that is able to read Soltra-produced STIX/Taxii feeds and stream them into HBase. CCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or poll threat intel data into HBase even without the use of a threat feed aggregator.