The input to this topology is the normalized Metron JSON produced by the Parser/Normalizing Topology. The output of this topology is written to a number of data stores supported by Metron. There are two streams: a message stream and an enrichment stream(s). The message stream carries the original message, while the enrichment stream tack on additional enrichments or pieces of threat intelligence to the message.
Bolt Name | Functionality | References |
---|---|---|
Enrichment Splitter | ||
Enrichment Bolt | ||
Enrichment Joiner Bolt | ||
Threat Intel Splitter Bolt | ||
Threat Intel Bolt | ||
Threat Intel Joiner Bolt | ||
Writer Bolt |