Runbook Enriching with Threat Intelligence Information
Also available as:
PDF

OPTIONAL: Create a Mock CSV Threat Intel Feed Source

Similar to enrichments, we need to set up a data.csv file, the extractor config JSON, and the enrichment config JSON. For this example, we use a Zeus malware tracker list located here: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist.

Hortonworks Cybersecurity Platform (HCP) is designed to work with STIX/Taxii threat feeds, but can also be bulk loaded with threat data from a CSV file. In this example, we create a mock CSV enrichment source. If your production environment, you will want to use a genuine enrichment source.

  1. Log into the $HOST_WITH_ENRICHMENT_TAG as root.
  2. Copy the contents from the Zeus malware tracker list link to a file called domainblocklist.csv.
    curl -o domainblocklist.txt https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
    Make sure you don't have an empty newline character as the last line of the CSV file, as that will result in a null pointer exception.
  3. Similarly to enrichment we will need to process this feed into a CSV so we can bulk load it into HBase:
    cat domainblocklist.txt | grep -v "^#" | grep -v "^$" | grep -v "^https" | awk '{print $1",abuse.ch"}' > domainblocklist.csv