Metron currently provides an extensible framework to plug in threat intel sources. Each threat intel source has two components: an enrichment data source and an enrichment bolt. The threat intelligence feeds are bulk loaded and streamed into a threat intelligence store in the same way the enrichment feeds are loaded. The entries are loaded in a key-value format: the key is the indicator and the value is a JSON-formatted description of what the indicator is.

It is recommended to use a threat feed aggregator such as Soltra to dedup and normalize the feeds via STIX/TAXII. Metron provides an adapter that is able to read Soltra-produced STIX/TAXII feeds and stream them into HBase, which is the data store of choice to back Metron's high speed threat intel lookups. Metron additionally provides a flat file and STIX bulk loader that can normalize, dedup, and bulk load or stream threat intel data into HBase even without the use of a threat feed aggregator.
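The following example, added here and not part of Metron's own loader or bolt code, shows the shape of the pipeline the paragraph above describes: indicators from two constructed feeds are normalized, deduplicated, and written into a key-value store whose key is the indicator and whose value is a JSON description; a lookup then checks the fields of a telemetry event against that store. The flat-file line layout (`indicator,type,source`), the `<type>:<indicator>` key scheme, and the event field names (`ip_src_addr`, `ip_dst_addr`, `dns_query`) are assumptions made for this example, not Metron's actual formats.

```python
import ipaddress
import json
from typing import Dict, Iterable, List, Optional

# Constructed sample feeds in a simple "indicator,type,source" flat-file form.
# This layout is an assumption for the example, not the format Metron's loader expects.
FEED_A = [
    "198.51.100.7,ip,feedA",
    "Malware-Example.test,domain,feedA",
    "198.51.100.7,ip,feedA",               # exact duplicate within one feed
]
FEED_B = [
    " 198.51.100.7 ,ip,feedB",             # same indicator, stray whitespace
    "malware-example.test.,domain,feedB",  # same domain in FQDN form (trailing dot)
    "2001:db8:0:0:0:0:0:1,ip,feedB",       # uncompressed IPv6 address
]


def normalize(raw: str, itype: str) -> Optional[str]:
    """Return a canonical indicator string, or None if it cannot be parsed."""
    value = raw.strip()
    if itype == "ip":
        try:
            # ipaddress gives one canonical spelling (e.g. compressed IPv6)
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if itype == "domain":
        return value.lower().rstrip(".") or None
    return None  # unsupported indicator type in this example


def load_feeds(lines: Iterable[str]) -> Dict[str, str]:
    """Normalize and dedup feed lines into a key -> JSON-value store.

    Key: "<type>:<indicator>" (assumed scheme); value: JSON description.
    Duplicates across feeds are merged by appending to the "sources" list
    instead of creating a second entry.
    """
    store: Dict[str, dict] = {}
    for line in lines:
        raw, itype, source = (part.strip() for part in line.split(","))
        indicator = normalize(raw, itype)
        if indicator is None:
            continue  # drop unparsable entries rather than store junk keys
        key = f"{itype}:{indicator}"
        entry = store.setdefault(
            key, {"indicator": indicator, "type": itype, "sources": []}
        )
        if source not in entry["sources"]:
            entry["sources"].append(source)
    return {key: json.dumps(value, sort_keys=True) for key, value in store.items()}


# Event fields checked at lookup time, mapped to the indicator type they hold.
# Field names are assumptions for this example.
EVENT_FIELDS = (("ip_src_addr", "ip"), ("ip_dst_addr", "ip"), ("dns_query", "domain"))


def lookup(store: Dict[str, str], event: Dict[str, str]) -> List[dict]:
    """Return one hit per event field whose normalized value is in the store."""
    hits: List[dict] = []
    for field, itype in EVENT_FIELDS:
        if field not in event:
            continue
        indicator = normalize(event[field], itype)
        if indicator is None:
            continue
        value = store.get(f"{itype}:{indicator}")
        if value is not None:
            hits.append({"field": field, **json.loads(value)})
    return hits


if __name__ == "__main__":
    threat_store = load_feeds(FEED_A + FEED_B)
    for key, value in sorted(threat_store.items()):
        print(key, "->", value)
    sample_event = {
        "ip_src_addr": "10.0.0.5",
        "ip_dst_addr": "198.51.100.7",
        "dns_query": "MALWARE-EXAMPLE.TEST.",
    }
    print(lookup(threat_store, sample_event))
```

Normalizing at load time and again at lookup time is what makes the dedup meaningful: the two feeds above carry the same IP and domain in different spellings, and both the store and the event fields are reduced to the same canonical key before comparison.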
The following threat intel feeds and formats are supported by Metron's threat intel loader framework:
| Threat Feed | Feed Indicators | Feed Format | Feed Description | Feed Link | Refresh Rate |
|---|---|---|---|---|---|
| Soltra | Multiple | STIX/TAXII | Threat Intel Feed Aggregator | https://soltra.com/ | Poll every 5 minutes |
| Hail a TAXII | Multiple | STIX/TAXII | External STIX/TAXII Feed | http://hailataxii.com/ | Poll every 5 minutes |

More to come.