• Metron provides an extensible framework for plugging in threat intel sources. Each threat intel source has two components: an enrichment data source and an enrichment bolt. Threat intelligence feeds are bulk loaded or streamed into a threat intelligence store in the same way that enrichment feeds are loaded. Entries are stored in key-value form: the key is the indicator and the value is a JSON-formatted description of what the indicator is. It is recommended to use a threat feed aggregator such as Soltra to deduplicate and normalize feeds via STIX/TAXII. Metron provides an adapter that reads Soltra-produced STIX/TAXII feeds and streams them into HBase, the data store Metron uses to back high-speed threat intel lookups. Metron also provides flat-file and STIX bulk loaders that can normalize, deduplicate, and bulk load or stream threat intel data into HBase without a threat feed aggregator.
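Because lookups against the store are keyed on the exact indicator string, the normalization and deduplication step before loading matters: "Evil.Example.COM." and "evil.example.com" must collapse to one key, and malformed lines must be rejected rather than stored. The following script is an added example (not Metron's own loader or adapter code) that merges two constructed CSV feeds into the key/value shape the paragraph above describes, indicator as key and a JSON description as value, ready to be handed to a bulk loader. The feed names, column layout and indicator types used here are assumptions for illustration.

```python
"""Normalize and deduplicate flat-file threat feeds into indicator -> JSON rows.

Added example, not Metron's own code.  Feed contents, feed names and the
CSV column layout are constructed for illustration.
"""
import csv
import io
import ipaddress
import json

# Constructed sample feeds: two CSV sources with overlapping indicators in
# different spellings (case, whitespace, trailing dot), a duplicate line,
# and one line that is not a valid indicator at all.
FEED_A = """\
indicator,type,source
198.51.100.7,malicious_ip,feedA
Evil.Example.COM.,malicious_domain,feedA
198.51.100.7,malicious_ip,feedA
"""
FEED_B = """\
indicator,type,source
evil.example.com,malicious_domain,feedB
not an indicator,malicious_ip,feedB
203.0.113.0/24,malicious_ip,feedB
"""


def normalize(indicator: str, itype: str):
    """Return the canonical form of an indicator, or None if it is invalid."""
    value = indicator.strip()
    if itype == "malicious_ip":
        # Accept a single address or a CIDR range; canonicalise the text form
        # so that "198.051.100.7"-style variants cannot produce a second key.
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            pass
        try:
            return str(ipaddress.ip_network(value, strict=False))
        except ValueError:
            return None
    if itype == "malicious_domain":
        # DNS names are case-insensitive; drop the trailing root dot.
        value = value.lower().rstrip(".")
        return value if value and " " not in value else None
    return value or None


def load_feed(text: str, store: dict) -> int:
    """Merge one CSV feed into store {indicator: description}; return rejected rows."""
    rejected = 0
    for row in csv.DictReader(io.StringIO(text)):
        key = normalize(row["indicator"], row["type"])
        if key is None:
            rejected += 1
            continue
        # Duplicates across (or within) feeds share one entry; record every source.
        entry = store.setdefault(key, {"type": row["type"], "sources": []})
        if row["source"] not in entry["sources"]:
            entry["sources"].append(row["source"])
    return rejected


def build_store(feeds) -> dict:
    """Load several feeds into a single deduplicated store."""
    store = {}
    for text in feeds:
        load_feed(text, store)
    return store


def to_kv_lines(store: dict):
    """Serialize as 'indicator<TAB>json' lines: the key/value shape for bulk loading."""
    return [f"{k}\t{json.dumps(v, sort_keys=True)}" for k, v in sorted(store.items())]


if __name__ == "__main__":
    for line in to_kv_lines(build_store([FEED_A, FEED_B])):
        print(line)
```

Run as-is it prints three lines: the two spellings of the domain are merged into one entry that lists both sources, the repeated IP appears once, the "not an indicator" row is dropped, and the CIDR range survives as a distinct key. The same rules apply whatever loader ultimately writes the rows into HBase; the point is that normalization happens before the key is written, because a lookup at enrichment time will not repair it.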
The following threat intel feeds and formats are supported by Metron's threat intel loader framework:

Threat Feed   | Feed Indicators | Feed Format | Feed Description             | Feed Link              | Refresh Rate
Soltra        | Multiple        | STIX/TAXII  | Threat Intel Feed Aggregator | https://soltra.com/    | Poll every 5 minutes
Hail A Taxii  | Multiple        | STIX/TAXII  | External STIX/TAXII Feed     | http://hailataxii.com/ | Poll every 5 minutes
...More to come