Threat Intelligence Enrichments

HCP provides an extensible framework to plug in threat intelligence sources. Each threat intelligence source has two components: an enrichment data source and an enrichment bolt. The threat intelligence feeds are bulk loaded and streamed into a threat intelligence store in the same way the enrichment feeds are loaded. The entries are loaded in a key-value format: the key is the indicator, and the value is a JSON-formatted description of what the indicator is. Hortonworks recommends using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/TAXII. HCP provides an adapter that can read Soltra-produced STIX/TAXII feeds and stream them into HBase. HCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or stream threat intelligence data into HBase even without a threat feed aggregator.

The JSON documents for the threat intelligence enrichment configurations are structured in the following way:

Table 5.2. Threat Intelligence Enrichment Configuration

fieldToTypeMap
    Description: In the case of a simple HBase enrichment, you must specify the mapping between fields and the enrichment types associated with those fields. You must also specify the enrichment type for the HBase key.
    Example:
        "fieldToTypeMap" : {
          "ip_src_addr" : [ "malicious_ips" ]
        }

fieldMap
    Description: The map of threat intelligence enrichment bolt names to fields in the JSON messages. Each field is sent to the threat intelligence enrichment bolt referenced in the key.

triageConfig
    Description: The configuration of the threat triage scorer. When a threat is detected, a score is assigned to the message and embedded in the indexed message.
    Example:
        "riskLevelRules" : {
          "IN_SUBNET(ip_dst_addr, '')" : 10
        }

config
    Description: The general configuration for the threat intelligence.
    Example:
        { "typeToColumnFamily" : {
            "malicious_ips" : "cf" } }

The config map houses threat intelligence specific configurations. For instance, the hbaseThreatIntel threat intelligence adapter specifies the mappings between the enrichment types and the column families.
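The following is an added example, not HCP or Metron code, showing how the three maps fit together: fieldMap decides which message fields are routed to the hbaseThreatIntel bolt, fieldToTypeMap names the enrichment type for each field, and config.typeToColumnFamily names the column family the type lives in. The in-memory dictionary is a constructed stand-in for the HBase threat intelligence store, the sample config and indicator are constructed, and the "threatintels.hbaseThreatIntel.<field>.<type>" output key and the "is_alert" flag are assumed naming for this example. The planning step also rejects the two misconfigurations (a routed field with no type, a type with no column family) that would otherwise cause lookups to silently never match.

```python
# Added example, not HCP/Metron code: resolving the HBase threat-intel lookups
# a message needs from the fieldMap / fieldToTypeMap / config maps.
# THREAT_INTEL_STORE is a constructed stand-in for HBase; the output key
# "threatintels.hbaseThreatIntel.<field>.<type>" and the "is_alert" flag are
# assumed naming for this example.
import copy
import json

# Constructed threatIntel section in the Table 5.2 shape.
THREAT_INTEL_CONFIG = {
    "fieldMap": {"hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]},
    "fieldToTypeMap": {
        "ip_src_addr": ["malicious_ips"],
        "ip_dst_addr": ["malicious_ips"],
    },
    "config": {"typeToColumnFamily": {"malicious_ips": "cf"}},
}

# Constructed stand-in for the threat-intel store:
# (enrichment type, indicator) -> {column family: JSON description}.
THREAT_INTEL_STORE = {
    ("malicious_ips", "203.0.113.7"): {
        "cf": json.dumps({"source": "constructed-feed", "confidence": "high"})
    },
}


def plan_lookups(config):
    """Return (field, enrichment_type, column_family) triples for every field
    routed to the hbaseThreatIntel bolt.

    Raises ValueError for a routed field with no fieldToTypeMap entry and for
    an enrichment type with no column family in config.typeToColumnFamily.
    """
    field_map = config.get("fieldMap", {})
    type_map = config.get("fieldToTypeMap", {})
    cf_map = config.get("config", {}).get("typeToColumnFamily", {})
    plan = []
    for field in field_map.get("hbaseThreatIntel", []):
        types = type_map.get(field)
        if not types:
            raise ValueError(f"{field} is routed to hbaseThreatIntel but has no fieldToTypeMap entry")
        for enrichment_type in types:
            column_family = cf_map.get(enrichment_type)
            if column_family is None:
                raise ValueError(f"no column family configured for enrichment type {enrichment_type}")
            plan.append((field, enrichment_type, column_family))
    return plan


def enrich(message, config, store):
    """Look up each planned (type, indicator) key in the store and attach the
    decoded JSON description to a copy of the message; flag the message as an
    alert when at least one indicator matched."""
    enriched = copy.deepcopy(message)
    hits = 0
    for field, enrichment_type, column_family in plan_lookups(config):
        indicator = message.get(field)
        if indicator is None:
            continue
        row = store.get((enrichment_type, str(indicator)))
        if not row or column_family not in row:
            continue
        key = f"threatintels.hbaseThreatIntel.{field}.{enrichment_type}"
        enriched[key] = json.loads(row[column_family])
        hits += 1
    if hits:
        enriched["is_alert"] = "true"
    return enriched


if __name__ == "__main__":
    sample = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "203.0.113.7"}
    print(json.dumps(enrich(sample, THREAT_INTEL_CONFIG, THREAT_INTEL_STORE), indent=2))
```

Running the block enriches the constructed flow on its destination address only, since the source address has no entry in the store; the same plan_lookups check is worth running against a sensor config before deploying it, because a type that is missing from typeToColumnFamily produces no error in the pipeline, just an enrichment that never fires.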

The triageConfig field utilizes the following fields:

Table 5.3. triageConfig Fields

riskLevelRules
    Description: The mapping of Metron Query Language (see above) queries to a score.
    Example:
        "riskLevelRules" : { "IN_SUBNET(ip_dst_addr, '')" : 10 }

aggregator
    Description: An aggregation function that takes all non-zero scores representing the matching queries from riskLevelRules and aggregates them into a single score.
    Example:
        "MAX"

The supported aggregator functions are as follows:

- The maximum of all of the associated values for matching queries
- The minimum of all of the associated values for matching queries
- The mean of all of the associated values for matching queries
- The mean of the positive associated values for the matching queries
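The following is an added example, not HCP or Metron code, that runs the triage scoring described in Table 5.3 and the aggregator list end to end: every riskLevelRules query is evaluated against a message, the non-zero scores of the matching queries are collected, and one aggregator reduces them to a single score that is embedded in the message. The clause evaluator is a constructed stand-in for the Metron Query Language that understands only `field == 'value'`, clauses joined by ` or `, and `IN_SUBNET(field, 'cidr')`. Of the aggregator names, only MAX appears on this page; MIN, MEAN and POSITIVE_MEAN are assumed names for the other three descriptions, and the `threat.triage.level` output field is an assumption as well. The rules and addresses are constructed.

```python
# Added example, not HCP/Metron code: threat triage scoring in the
# triageConfig shape from Table 5.3. The clause evaluator is a constructed
# stand-in for the Metron Query Language ("field == 'value'", " or ",
# IN_SUBNET). Aggregator names other than MAX and the "threat.triage.level"
# output field are assumptions for this example.
import ipaddress
import re
import statistics

_EQUALITY = re.compile(r"^\s*(\w+)\s*==\s*'([^']*)'\s*$")
_IN_SUBNET = re.compile(r"^\s*IN_SUBNET\(\s*(\w+)\s*,\s*'([^']*)'\s*\)\s*$")


def in_subnet(value, cidr):
    """True when value is an IP address inside cidr. Malformed input is a
    non-match rather than an exception, so one bad rule cannot stall triage."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def evaluate(rule, message):
    """Evaluate one riskLevelRules query against a message. Clauses are split
    on ' or ', so a quoted value containing ' or ' is not supported here."""
    for clause in rule.split(" or "):
        match = _EQUALITY.match(clause)
        if match:
            if str(message.get(match.group(1))) == match.group(2):
                return True
            continue
        match = _IN_SUBNET.match(clause)
        if match:
            if in_subnet(str(message.get(match.group(1), "")), match.group(2)):
                return True
            continue
        raise ValueError(f"unsupported clause: {clause!r}")
    return False


def positive_mean(scores):
    """Mean of the positive scores only; 0 when none are positive."""
    positives = [s for s in scores if s > 0]
    return statistics.mean(positives) if positives else 0


# One function per description in the aggregator list (names assumed, MAX excepted).
AGGREGATORS = {
    "MAX": max,
    "MIN": min,
    "MEAN": statistics.mean,
    "POSITIVE_MEAN": positive_mean,
}


def triage(message, triage_config):
    """Return a copy of the message with the aggregated score embedded under
    'threat.triage.level' when at least one rule matched; otherwise the copy
    is unchanged. Only non-zero scores of matching rules are aggregated."""
    aggregate = AGGREGATORS[triage_config.get("aggregator", "MAX")]
    scores = [score for rule, score in triage_config["riskLevelRules"].items()
              if score != 0 and evaluate(rule, message)]
    result = dict(message)
    if scores:
        result["threat.triage.level"] = aggregate(scores)
    return result


# Constructed rules in the riskLevelRules shape; addresses are documentation ranges.
TRIAGE_CONFIG = {
    "riskLevelRules": {
        "ip_src_addr == '203.0.113.7' or ip_dst_addr == '203.0.113.7'": 10,
        "IN_SUBNET(ip_dst_addr, '198.51.100.0/24')": 5,
    },
    "aggregator": "MAX",
}

if __name__ == "__main__":
    flow = {"ip_src_addr": "203.0.113.7", "ip_dst_addr": "198.51.100.9"}
    for name in AGGREGATORS:
        scored = triage(flow, dict(TRIAGE_CONFIG, aggregator=name))
        print(name, scored.get("threat.triage.level"))
```

With the constructed flow both rules match, so MAX yields 10, MIN yields 5 and the two means yield 7.5; a message matching no rule is passed through without a score. The aggregator choice is the knob that decides whether one high-confidence indicator dominates (MAX) or several weak matches are averaged down, which is why it belongs in the per-sensor config rather than in the rules themselves.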

The following is an example configuration for the YAF sensor:

{
  "index": "yaf",
  "batchSize": 5,
  "enrichment": {
    "fieldMap": {
      "geo": [ ... ],
      "host": [ ... ],
      "hbaseEnrichment": [ ... ]
    },
    "fieldToTypeMap": {
      "ip_src_addr": [ ... ],
      "ip_dst_addr": [ ... ]
    }
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": [ ... ]
    },
    "fieldToTypeMap": {
      "ip_src_addr": [ ... ],
      "ip_dst_addr": [ ... ]
    },
    "triageConfig" : {
      "riskLevelRules" : {
        "ip_src_addr == '' or ip_dst_addr == ''" : 10
      },
      "aggregator" : "MAX"
    }
  }
}