The input to this topology is the normalized Metron JSON produced by the Parser/Normalizing Topology. The output of this topology is written to a number of data stores supported by Metron. There are two kinds of streams: a message stream and one or more enrichment streams. The message stream carries the original message, while each enrichment stream tacks additional enrichments or pieces of threat intelligence onto the message.
| Bolt Name | Functionality | References |
|---|---|---|
| Enrichment Splitter | This bolt extracts fields and values from a message that can be enriched and sends them to the appropriate enrichment bolt. The configuration for which fields have an associated enrichment is stored in ZooKeeper. | |
| Enrichment Bolt | This bolt takes the enrichment information from the splitter bolt (key + value), extracts the value, cross-references the value against the enrichment store, and then sends the value of the enrichment to the joiner bolt. There can be n enrichment bolts, and each enrichment bolt has to be associated with a back-end store (which is primarily HBase). These bolts also use an in-memory cache so they don't thrash the back-end reference store. There is a corresponding bulk loader provided per enrichment to be able to bootstrap the enrichment store. | |
| Enrichment Joiner Bolt | | |
| Threat Intel Splitter Bolt | | |
| Threat Intel Bolt | | |
| Threat Intel Joiner Bolt | | |
| Writer Bolt | See Supported Data Stores for a list of available extensions. | |
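The split / enrich / join flow described above, modelled as an added Python example (not Metron's own Java code): the ZooKeeper field-to-enrichment configuration, the HBase reference store, and the `enrichments.<type>.<field>.<key>` output naming are all constructed stand-ins, and the LRU cache in front of the store shows why a repeated value never reaches the back end twice.

```python
from collections import OrderedDict

# Constructed stand-in for the field -> enrichment-type mapping Metron keeps in ZooKeeper.
ENRICHMENT_CONFIG = {"ip_src_addr": ["geo"], "ip_dst_addr": ["geo", "threatintel"]}

# Constructed stand-in for the HBase reference store: enrichment type -> value -> enrichment.
REFERENCE_STORE = {
    "geo": {"10.0.0.5": {"country": "US", "city": "Austin"}},
    "threatintel": {"203.0.113.7": {"malicious_ip": "true"}},
}

def split(message, config):
    """Enrichment Splitter: emit (field, value, type) for every field that has an enrichment."""
    return [(f, message[f], t) for f, types in config.items() if f in message for t in types]

class EnrichmentBolt:
    """One enrichment type, with an in-memory LRU cache in front of the reference store."""
    def __init__(self, etype, store, cache_size=1000):
        self.etype, self.store, self.cache = etype, store[etype], OrderedDict()
        self.cache_size, self.backend_lookups = cache_size, 0

    def enrich(self, value):
        if value in self.cache:                 # cache hit: no round trip to the back end
            self.cache.move_to_end(value)
            return self.cache[value]
        self.backend_lookups += 1               # cache miss: one lookup against the store
        result = self.store.get(value, {})      # misses are cached too, so unknown values don't thrash
        self.cache[value] = result
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)      # evict least recently used entry
        return result

def join(message, results):
    """Enrichment Joiner: fold each enrichment into a copy of the original message (key naming assumed)."""
    out = dict(message)
    for field, etype, enrichment in results:
        for k, v in enrichment.items():
            out[f"enrichments.{etype}.{field}.{k}"] = v
        if etype == "threatintel" and enrichment:
            out["is_alert"] = "true"            # a threat-intel hit flags the message as an alert
    return out

def run_topology(message, config, bolts):
    """Run one message through splitter -> enrichment bolts -> joiner."""
    results = [(f, t, bolts[t].enrich(v)) for f, v, t in split(message, config)]
    return join(message, results)
```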