Run Book

Chapter 1. Overview

This guide is intended for Platform Engineers and others who are responsible for adding new telemetry data sources, enriching telemetry events, triaging threat intelligence information, and ensuring telemetry events are viewable in the user interface.

This guide walks you through how to add a specific new telemetry data source: Squid proxy logs. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. For more information on Squid, see squid-cache.org.

Unlike other HCP documentation, this guide provides detailed examples that are populated with information specific to the Squid data source.

Task / Description

Adding a New Telemetry Data Source

This section describes how to add a telemetry data source to HCP.

Transform the Squid Message

You can customize your sensor data to provide more meaningful data.

Enriching Telemetry Events

After the raw security telemetry events have been parsed and normalized, the next step is to enrich the data elements of the normalized event.

Enriching Threat Intelligence Information

You can enrich your threat intelligence information just like you enriched your telemetry information.

Prioritizing Threat Intelligence

Not all threat intelligence indicators are equal. Some require immediate response, while others can be dealt with or investigated as time and availability permits. As a result you need to triage and rank threats by severity.

In HCP, you assign severity by associating possibly complex conditions with numeric scores.

Configuring Indexing

The indexing topology is a topology dedicated to taking the data that the enrichment topology has produced and storing it in one or more supported indices. More specifically, the enriched data is read from Kafka, accumulated by the indexing bolt into batches of a configured size, and written to one or more specified indices. This configuration specifies the indexing used for a given sensor type (for example, snort).

Setting Up a Profile

A profile describes the behavior of an entity on a network. An entity can be a server, user, subnet, or application. Once you generate a profile defining what normal behavior looks like, you can build models that identify anomalous behavior.

This guide assumes that you have met all of the HCP 1.2.2 prerequisites and successfully installed HCP 1.2.2.
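As an added illustration of the "Prioritizing Threat Intelligence" step listed above (a constructed example, not configuration taken from this guide), the following shows how severity is expressed for the squid sensor type in the Apache Metron enrichment-configuration layout that HCP uses: each rule is a Stellar condition paired with a numeric score. The indicator type `malicious_ip`, the internal address range, and the score values are assumptions.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": ["ip_dst_addr"],
      "host": ["ip_dst_addr"]
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": ["ip_dst_addr"]
    },
    "fieldToTypeMap": {
      "ip_dst_addr": ["malicious_ip"]
    },
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "Known malicious destination",
          "comment": "Assumed threat intel feed 'malicious_ip' matched the destination address",
          "rule": "exists(threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip)",
          "score": 10
        },
        {
          "name": "External destination",
          "comment": "Destination is outside the assumed internal range 192.168.0.0/16",
          "rule": "not(IN_SUBNET(ip_dst_addr, '192.168.0.0/16'))",
          "score": 5
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

Every rule whose Stellar expression evaluates to true contributes its score, and the aggregator combines them; with MAX, an event that matches both rules is assigned a threat score of 10, which the later chapters use to rank events for triage.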