Chapter 1. Overview
This guide is intended for Platform Engineers and others who are responsible for adding new telemetry data sources, enriching telemetry events, triaging threat intelligence information, and ensuring telemetry events are viewable in the user interface.
This guide walks you through how to add a specific new telemetry data source: Squid proxy logs. Squid is a caching proxy for the Web that supports HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. For more information on Squid, see squid-cache.org.
Unlike other HCP documentation, this guide provides detailed examples that are populated with information specific to the Squid data source.
| Task | Description |
|---|---|
| | This section describes how to add a telemetry data source to HCP. |
| | You can customize your sensor data to provide more meaningful data. |
| Adding enrichment information to the data source information | After the raw security telemetry events have been parsed and normalized, the next step is to enrich the data elements of the normalized event. |
| | You can enrich your threat intelligence information just like you enriched your telemetry information. |
| | In HCP, you assign severity by associating possibly complex conditions with numeric scores. Then, for each message, you use a configurable aggregation function to evaluate the set of conditions and to aggregate the set of numbers for matching conditions. This aggregated score is added to the message in the |
| | The indexing topology is a topology dedicated to taking the data from a topology that has been enriched and storing the data in one or more supported indices. More specifically, the enriched data is ingested into Kafka, written in an indexing batch or bolt with a specified size, and sent to one or more specified indices. The configuration is intended to configure the indexing used for a given sensor type (for example, snort). |
| | A profile describes the behavior of an entity on a network. An entity can be a server, user, subnet, or application. Once you generate a profile defining what normal behavior looks like, you can build models that identify anomalous behavior. |
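The severity-scoring model described above (a set of conditions, each paired with a numeric score, combined per message by a configurable aggregation function) is easier to reason about with a small runnable model. The following is an added example written for this guide; it is not HCP or Apache Metron code and does not reproduce their configuration format. The rule names, the proxy-event fields (`action`, `bytes`, `is_alert`) and the sample event are constructed for illustration.

```python
"""Stand-alone model of the HCP threat-triage idea from the overview:
each rule pairs a condition with a numeric score, and an aggregator
(MAX, MIN, SUM or MEAN) combines the scores of the rules that match.
This is an added illustration, not HCP/Metron code; rule definitions
and message field names below are constructed assumptions."""
from statistics import mean

# Constructed triage rules: each condition is a plain predicate over the
# normalized message dict, standing in for a rule expression in HCP.
TRIAGE_RULES = [
    {"name": "threat_intel_hit",
     "rule": lambda m: m.get("is_alert") is True,
     "score": 10},
    {"name": "denied_by_proxy",
     "rule": lambda m: m.get("action", "").startswith("TCP_DENIED"),
     "score": 5},
    {"name": "large_transfer",
     "rule": lambda m: m.get("bytes", 0) > 1_000_000,
     "score": 3},
]

# The configurable aggregation functions the guide refers to, as simple
# reductions over the list of matching scores.
AGGREGATORS = {
    "MAX": max,
    "MIN": min,
    "SUM": sum,
    "MEAN": mean,
}


def triage(message, rules=TRIAGE_RULES, aggregator="MAX"):
    """Evaluate every rule against one message and aggregate the scores of
    the rules that matched.

    Returns (aggregated_score, [names of matching rules]).  A message that
    matches no rule scores 0.0, so a downstream threshold can treat it as
    benign without special-casing an empty match list.
    """
    matches = [r for r in rules if r["rule"](message)]
    if not matches:
        return 0.0, []
    scores = [r["score"] for r in matches]
    return float(AGGREGATORS[aggregator](scores)), [r["name"] for r in matches]


if __name__ == "__main__":
    # Constructed normalized proxy event (not real HCP output).
    event = {
        "ip_src_addr": "10.0.0.5",
        "action": "TCP_DENIED/403",
        "bytes": 2_000_000,
        "is_alert": True,
    }
    # Show how the choice of aggregator changes the final severity for the
    # same set of matching rules.
    for name in AGGREGATORS:
        print(name, triage(event, aggregator=name))
```

The point of exercising all four aggregators on one event is that the choice is a policy decision: MAX reports the single worst matching condition, SUM rewards events that trip many rules, and MEAN can dilute a high-scoring hit when several low-scoring rules also match, so the threshold used downstream must be chosen together with the aggregator.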
This guide assumes that you have met all of the HCP 1.3.0 prerequisites and successfully installed HCP 1.3.0.