Enriching Threat Intelligence Information
You can enrich your telemetry with threat intelligence information.
You can choose to skip this section and come back to it later if you don't want to apply threat intelligence at this time.
HCP provides an extensible
framework to plug in threat intelligence sources. The threat intelligence feeds are loaded
into a threat intelligence store similar to how the enrichment feeds are loaded. The keys
are loaded in a key-value format. The key is the indicator and the value is the JSON
formatted description of what the indicator is. When threat intelligence is applied as an
enrichment to a field, HCP looks up the value of the field in the threat intelligence loaded
into HBase. If the field value is found, HCP sets the
is_alert field to
You can bulk load threat intelligence information from the following sources:
HDFS through MapReduce
We recommend using a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/Taxii. HCP provides an adapter that is able to read Soltra-produced STIX/Taxii feeds and stream them into HBase. HCP additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or poll threat intel data into HBase even without the use of a threat feed aggregator.