Apache Metron is an amalgamation and augmentation of several open-source ASF projects that provides a centralized management capability for security monitoring and analysis for the identification and disposition of any level of a cyberthreat.
Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment. Metron is a single platform that applies the most current threat-intelligence information to security telemetry.
Apache Metron offers the ability to capture, store, and normalize any type of security telemetry at extremely high rates. Real time processing and application of enrichments such as threat intelligence, geolocation, and Domain Name System (DNS) information to telemetry being collected are all possible with Apache Metron.
Metron uses efficient information storage based on how the information will be used. It provides logs and telemetry that is stored for efficient mining and analysis for concise security visibility. This ability to extract and reconstruct full packets helps an analyst answer questions such as the identity of the true attacker, what data was leaked, where that data was sent. Metron’s long-term storage increases visibility over time and enables advanced analytics. Machine learning techniques can be used to create models on the information. Incoming data can be scored against these stored models for advanced anomaly detection.
Perhaps the most innovative capability of Metron is its centralized view of data and alerts passed through the system. Metron’s interface presents alert summaries with threat intelligence and enrichment data specific to that alert on one single page. Advanced search capabilities and full packet extraction tools are presented to the analyst for investigation without the need to pivot into additional tools.
This five day course will provide a comprehensive introduction to the capabilities of Metron. The student will begin with installing Metron. After learning Metron’s domain specific languages (DSL), the Stellar Query and the Stellar Transformation Language, the student will create security telemetries, create enrichments, work with pluggable threat intelligence and understand the process of threat triage. The course will conclude with the student doing
An experiential or academic understanding of the need for centralizing the use and monitoring of capabilities provided by the tools of Cybersecurity such as pcap, netflow, bro, snort, fireye, and Sourcefire. The student should understand how software services can combine security information management (SIM) and security event management (SEM). The student should have an understanding of services that provide real-time analysis of security alerts generated by applications and network hardware-based operating system and command line scripts.
Individuals who want to understand the capabilities of Metron.
Day 1: Metron Installation, Overview, Architecture
Day 2: Creating a New Telemetry
Day 3: Creating a New Enrichment and Pluggable Threat Intelligence
Day 4: Threat Triage
Day 5: Streaming Enrichment and Dashboarding with Kibana