Understanding Enrichment
Also available as:
PDF

Threat Intelligence Enrichments

Hortonworks Cybersecurity Platform (HCP) provides an extensible framework to plug in threat intelligence sources.

Each threat intelligence source has two components: an enrichment data source and an enrichment bolt. The threat intelligence feeds are bulk loaded and streamed into a threat intelligence store similarly to how the enrichment feeds are loaded. The keys are loaded in a key-value format. The key is the indicator and the value is the JSON formatted description of what the indicator is. Hortonworks recommends using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/TAXII. HCP provides an adapter that is able to read Soltra-produced STIX/TAXII feeds and stream them into HBase. HCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or stream threat intelligence data into HBase even without the use of a threat feed aggregator.

The JSON documents for the threat intelligence enrichment configurations are structured in the following way:

Table 1. Threat Intelligence Enrichment Configuration
Field Description Example
fieldToTypeMap In the case of a simple HBase enrichment, you must specify the mapping between fields and the enrichment types associated with those fields. You must also specify the enrichment type for the HBase key.
"fieldToTypeMap" : { 
"ip_src_addr" : [ 
"malicious_ips" ] }
fieldMap The map of threat intelligence enrichment bolts names to fields in the JSON messages. Each field is sent to the threat intelligence enrichment bolt referenced in the key.
"fieldMap": 
{"hbaseThreatIntel": 
["ip_src_addr","ip_dst_addr"]}
triageConfig The configuration of the threat triage scorer. In the situation where a threat is detected, a score is assigned to the message and embedded in the indexed message.
"riskLevelRules" : { 
"IN_SUBNET(ip_dst_addr, 
'192.168.0.0/24')" : 10 }
config The general configuration for the threat intelligence.
"config": 
{"typeToColumnFamily": { 
"malicious_ips" : "cf" } }

The config map houses threat intelligence specific configurations. For instance, the hbaseThreatIntel threat intelligence adapter specifies the mappings between the enrichment types and the column families.

The triageConfig field utilizes the following fields:

Table 2. triageConfig Fields
Field Description Example
riskLevelRules The mapping of Metron Query Language (see above) queries to a score. "riskLevelRules" : { "IN_SUBNET(ip_dst_addr, '192.168.0.0/24')" : 10 }
aggregator An aggregation function that takes all non-zero scores representing the matching queries from riskLevelRules and aggregates them into a single score. "MAX"

The supported aggregator functions are as follows:

MAX

The maximum of all of the associated values for matching queries

MIN

The minimum of all of the associated values for matching queries

MEAN

The mean of all of the associated values for matching queries

POSITIVE_MEAN

The mean of the positive associated values for the matching queries

The following is an example configuration for the YAF sensor:

{
  "index": "yaf",
  "batchSize": 5,
  "enrichment": {
    "fieldMap": {
      "geo": [
        "ip_src_addr",
        "ip_dst_addr"
      ],
      "host": [
        "ip_src_addr",
        "ip_dst_addr"
      ],
      "hbaseEnrichment": [
        "ip_src_addr",
        "ip_dst_addr"
      ]
    }
  ,"fieldToTypeMap": {
      "ip_src_addr": [
        "playful_classification"
      ],
      "ip_dst_addr": [
        "playful_classification"
      ]
    }
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": [
        "ip_src_addr",
        "ip_dst_addr"
      ]
    },
    "fieldToTypeMap": {
      "ip_src_addr": [
        "malicious_ip"
      ],
      "ip_dst_addr": [
        "malicious_ip"
      ]
    },
    "triageConfig" : {
      "riskLevelRules" : {
        "ip_src_addr == '10.0.2.3' or ip_dst_addr == '10.0.2.3'" : 10
      },
      "aggregator" : "MAX"
    }
  }
}