Runbook Enriching with Threat Intelligence Information
Also available as:
PDF

Enriching Threat Intelligence Information

You can enrich your telemetry with threat intelligence information.

You can choose to skip this section and come back to it later if you don't want to apply threat intelligence at this time.

HCP provides an extensible framework to plug in threat intelligence sources. The threat intelligence feeds are loaded into a threat intelligence store similar to how the enrichment feeds are loaded. The keys are loaded in a key-value format. The key is the indicator and the value is the JSON formatted description of what the indicator is. When threat intelligence is applied as an enrichment to a field, HCP looks up the value of the field in the threat intelligence loaded into HBase. If the field value is found, HCP sets the is_alert field to true.

You can bulk load threat intelligence information from the following sources:

  • CSV Ingestion

  • HDFS through MapReduce

  • Taxii Loader

We recommend using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/Taxii. HCP provides an adapter that is able to read Soltra-produced STIX/Taxii feeds and stream them into HBase. HCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or poll threat intel data into HBase even without the use of a threat feed aggregator.