Run Book - Technical Preview

Chapter 1. Overview

This guide is intended for Platform Engineers and others who are responsible for adding new telemetry data sources, enriching telemetry events, triaging threat intelligence information, and ensuring telemetry events are viewable in the user interface.

This guide walks you through how to add a specific new data telemetry: Squid proxy logs. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. For more information on Squid, see squid-cache.org.

Unlike other HCP documentation, this guide provides detailed examples that are populated with information specific to the Squid data source.

Task: Adding a new data source
Description: This section describes how to add a telemetry data source to HCP.

Task: Transforming the data source information
Description: You can customize your sensor data to provide more meaningful data.

Task: Adding enrichment information to the data source information
Description: After the raw security telemetry events have been parsed and normalized, the next step is to enrich the data elements of the normalized event.

Task: Enriching threat intelligence information
Description: You can enrich your threat intelligence information just like you enriched your telemetry information.

Task: Prioritizing the threat intelligence information
Description: In HCP, you assign severity by associating possibly complex conditions with numeric scores. Then, for each message, you use a configurable aggregation function to evaluate the set of conditions and to aggregate the set of numbers for matching conditions. This aggregated score is added to the message in the threat.triage.level field.

Task: Configuring indexing
Description: The indexing topology is a topology dedicated to taking the data from a topology that has been enriched and storing the data in one or more supported indices. More specifically, the enriched data is ingested into Kafka, written in an indexing batch or bolt with a specified size, and sent to one or more specified indices. The configuration is intended to configure the indexing used for a given sensor type (for example, snort).

Task: Setting up a Profile
Description: A profile describes the behavior of an entity on a network. An entity can be a server, user, subnet, or application. Once you generate a profile defining what normal behavior looks like, you can build models that identify anomalous behavior.
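The following Python script is an added example, not code from the HCP documentation or from the platform itself. It ties together two of the tasks above: it parses constructed Squid access.log lines in Squid's native layout (timestamp, elapsed, client, action/code, bytes, method, URL, user, hierarchy/peer, content type; this layout is an assumption of the example) into flat normalized events, and then applies the triage model the table describes: a list of conditions with numeric scores, evaluated per message, with a configurable aggregation function whose result lands in threat.triage.level. The rule names, scores, the aggregator names, and the helper fields url_host, url_port and threat.triage.rules are illustrative choices; only threat.triage.level comes from the page.

```python
import re
from statistics import mean
from urllib.parse import urlsplit

# Constructed sample lines (not from the page) in Squid's native access.log layout:
# timestamp elapsed client action/code bytes method url user hierarchy/peer content-type
SAMPLE_LOG = """\
1467011157.401 415 10.0.0.5 TCP_MISS/200 337891 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1467011158.120 3 10.0.0.7 TCP_DENIED/403 3871 GET http://blocked.example.net/file.exe - HIER_NONE/- text/html
1467011160.900 41200 10.0.0.9 TCP_TUNNEL/200 58230411 CONNECT 203.0.113.5:8443 - HIER_DIRECT/203.0.113.5 -
"""

SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<ip_src_addr>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hierarchy>\S+)/(?P<peer>\S+)\s+(?P<content_type>\S+)$"
)


def parse_squid(line):
    """Parse one native-format Squid line into a flat, normalized event dict."""
    m = SQUID_LINE.match(line.strip())
    if m is None:
        raise ValueError("not a native Squid access.log line: %r" % line)
    ev = m.groupdict()
    ev["timestamp"] = int(round(float(ev.pop("ts")) * 1000))  # epoch milliseconds
    for key in ("elapsed", "code", "bytes"):
        ev[key] = int(ev[key])
    if ev["method"] == "CONNECT":
        # CONNECT lines carry host:port rather than a full URL
        host, sep, port = ev["url"].rpartition(":")
        if not sep:
            host, port = ev["url"], ""
        ev["url_host"] = host
        ev["url_port"] = int(port) if port.isdigit() else None
    else:
        parts = urlsplit(ev["url"])
        ev["url_host"] = parts.hostname
        ev["url_port"] = parts.port or (443 if parts.scheme == "https" else 80)
    return ev


def is_ip_literal(host):
    """True when the host part is a dotted IPv4 literal instead of a name (assumed heuristic)."""
    return bool(host) and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


# Illustrative risk rules: each pairs a condition with a numeric score (assumed, not HCP defaults).
RISK_RULES = [
    {"name": "proxy_denied", "score": 10,
     "condition": lambda e: e["action"].startswith("TCP_DENIED")},
    {"name": "connect_to_ip_literal", "score": 20,
     "condition": lambda e: e["method"] == "CONNECT" and is_ip_literal(e["url_host"])},
    {"name": "large_transfer", "score": 5,
     "condition": lambda e: e["bytes"] > 50_000_000},
]

# Configurable aggregation functions applied to the scores of the matching rules.
AGGREGATORS = {"MAX": max, "MIN": min, "SUM": sum, "MEAN": mean}


def triage(event, rules=RISK_RULES, aggregator="MAX"):
    """Evaluate every rule against the event and aggregate the scores of those that match.
    Events that match no rule are left without a threat.triage.level (assumed behaviour)."""
    matched = [r for r in rules if r["condition"](event)]
    if matched:
        event["threat.triage.rules"] = [r["name"] for r in matched]
        event["threat.triage.level"] = AGGREGATORS[aggregator]([r["score"] for r in matched])
    return event


def process(log_text, aggregator="MAX"):
    """Parse and triage every non-empty line of a Squid log."""
    return [triage(parse_squid(line), aggregator=aggregator)
            for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for ev in process(SAMPLE_LOG):
        print(ev["ip_src_addr"], ev["method"], ev["url_host"],
              ev.get("threat.triage.rules"), ev.get("threat.triage.level"))
```

With the MAX aggregator the denied request scores 10 and the CONNECT to a bare IP that also moved more than 50 MB scores 20 (the higher of 20 and 5); switching the aggregator to SUM or MEAN on the same rules yields 25 or 12.5 for that last event, which is the knob the table describes as a configurable aggregation function.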

This guide assumes that you have met all of the HCP 1.3.0 prerequisites and successfully installed HCP 1.3.0.