  • Metron provides an extensible framework for plugging in threat intel sources. Each threat intel source has two components: an enrichment data source and an enrichment bolt. Threat intelligence feeds are bulk loaded or streamed into a threat intel store in the same way the enrichment feeds are loaded, as key-value pairs: the key is the indicator and the value is a JSON document describing what the indicator is. It is recommended to place a threat feed aggregator such as Soltra in front of Metron to deduplicate and normalize feeds via STIX/TAXII. Metron provides an adapter that reads Soltra-produced STIX/TAXII feeds and streams them into HBase, the data store Metron uses to back its high-speed threat intel lookups. Metron also provides a flat-file and STIX bulk loader that can normalize, deduplicate, and bulk load or stream threat intel data into HBase without a feed aggregator.
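As an added illustration of the key-value model described above (this is not Metron's bulk loader, extractor configuration or HBase client), the following Python normalizes a small constructed flat-file feed, collapses duplicate indicators reported by more than one source into a single row whose JSON value lists every source, and then performs the same point lookup against the fields of a telemetry event. The CSV columns, the `ip_src_addr`/`ip_dst_addr`/`domain`/`url` field names and the `threatintel_hits`/`is_alert` output fields are assumptions made for the example.

```python
"""Indicator -> JSON value threat intel store: normalize, dedup, load, look up.

Added illustration of the key-value model described above. It is not Metron's
bulk loader, extractor config or HBase client; the feed format, field names and
event layout below are constructed for the example.
"""
import csv
import io
import ipaddress
import json

# Constructed sample feed (CSV). It deliberately contains case and whitespace
# variants, a non-canonical IPv6 spelling, a cross-feed duplicate and one
# malformed indicator, so normalization and dedup have something to do.
SAMPLE_FEED = """indicator_type,indicator,source,description
domain,  EVIL.example.com ,feed_a,phishing landing page
domain,evil.example.com.,feed_b,phishing landing page
ip,2001:DB8:0:0:0:0:0:1,feed_a,scanning host
ip,2001:db8::1,feed_b,scanning host
ip,not-an-ip,feed_b,garbage line
url,http://Bad.example.net/login,feed_a,credential harvester
"""

# Constructed mapping from telemetry field to indicator type (in Metron this
# role belongs to the enrichment configuration; the names here are assumed).
FIELD_TYPES = {"ip_src_addr": "ip", "ip_dst_addr": "ip",
               "domain": "domain", "url": "url"}


def normalize(itype, raw):
    """Canonicalize one indicator so equivalent spellings share a key.

    Raises ValueError for an unsupported type or an unparseable IP.
    """
    value = raw.strip()
    if itype == "ip":
        # ipaddress canonicalizes (2001:DB8:0:0:0:0:0:1 -> 2001:db8::1) and
        # rejects junk, so a bad feed line cannot create a bogus key.
        return str(ipaddress.ip_address(value))
    if itype == "domain":
        return value.lower().rstrip(".")
    if itype == "url":
        scheme, sep, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        return f"{scheme.lower()}{sep}{host.lower()}{slash}{path}"
    raise ValueError(f"unsupported indicator type: {itype}")


def make_key(itype, indicator):
    """Row key: type prefix plus the canonical indicator."""
    return f"{itype}:{indicator}"


def load_feed(feed_text):
    """Return ({key: json_string}, skipped_rows).

    Duplicate indicators collapse into one row whose JSON value lists every
    source that reported it; rows that fail normalization are counted, not loaded.
    """
    merged = {}
    skipped = 0
    for row in csv.DictReader(io.StringIO(feed_text)):
        itype = row["indicator_type"].strip().lower()
        try:
            indicator = normalize(itype, row["indicator"])
        except ValueError:
            skipped += 1
            continue
        entry = merged.setdefault(
            make_key(itype, indicator),
            {"type": itype, "indicator": indicator, "sources": [],
             "description": row["description"].strip()},
        )
        source = row["source"].strip()
        if source not in entry["sources"]:
            entry["sources"].append(source)
    return {k: json.dumps(v, sort_keys=True) for k, v in merged.items()}, skipped


def lookup(store, itype, raw):
    """Point lookup of one observed value; returns the parsed JSON value or None."""
    try:
        key = make_key(itype, normalize(itype, raw))
    except ValueError:
        return None  # an unparseable observation cannot match anything
    value = store.get(key)
    return json.loads(value) if value is not None else None


def enrich(event, store):
    """Attach threat intel hits to a telemetry event and flag it if any matched."""
    hits = {}
    for field, itype in FIELD_TYPES.items():
        if field in event:
            match = lookup(store, itype, event[field])
            if match is not None:
                hits[field] = match
    out = dict(event)
    out["threatintel_hits"] = hits
    out["is_alert"] = bool(hits)
    return out


if __name__ == "__main__":
    store, skipped = load_feed(SAMPLE_FEED)
    print(f"loaded {len(store)} indicators, skipped {skipped} malformed rows")
    for key, value in sorted(store.items()):
        print(key, "->", value)
    event = {"ip_src_addr": "10.0.0.5", "ip_dst_addr": "2001:DB8::1",
             "domain": "Evil.Example.Com"}
    print(json.dumps(enrich(event, store), indent=2))
```

The point to keep from this is that the same `normalize()` runs on both the load side and the lookup side. If a loader lowercases domains and canonicalizes IPv6 while the enrichment bolt looks up the raw observed value, every differently spelled indicator becomes a silent miss, so normalization belongs in one shared routine rather than in each loader. Malformed feed rows are counted and dropped rather than inserted, so a garbled aggregator export cannot populate the store with keys that never match anything.
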
The following threat intel feeds and formats are supported by Metron's threat intel loader framework:

Threat Feed    | Feed Indicators | Feed Format | Feed Description              | Feed Link | Refresh Rate
Soltra         | Multiple        | STIX/TAXII  | Threat intel feed aggregator  |           | every 5 minutes
Hail a TAXII   |                 | STIX/TAXII  | External STIX/TAXII feed      |           | every 5 minutes
...More to come