1. Introduction:
Metron is a multi-purpose platform for capturing security telemetry, analyzing it as a stream, and responding to threats. It grew out of OpenSOC, Cisco's open-source big-data security framework. Metron provides log aggregation, indexing and storage of full packet captures, advanced behavioral analytics and data enrichment, and applies current threat intelligence to the security telemetry it processes. Conceptually it is divided into four components: data capture and ingest, real-time data processing, guaranteed data persistence and storage, and machine-learning models that drive monitoring and risk alerting.
2. Logical components:
3. Logical architecture:
- Telemetry Event Buffer: the ingest buffer for telemetry events; sensor data is written into Kafka topics. (Official explanation: All raw events from each telemetry security data source captured by Apache NiFi or a custom Metron probe will be pushed into its own Kafka topic. The arrival of a telemetry event into the ingest buffer marks the start of where the Metron processing begins.)
- Process: parse and normalize the sensor data into a standard structure so that downstream modules can handle it uniformly. (Official explanation: Each raw event will be parsed and normalized into a standardized flat JSON structure. Every event will be standardized into at least a 7-tuple JSON structure. This is done so the topology correlation engine further downstream can correlate messages from different topologies by these fields. The standard field names are as follows: ip_src_addr: layer 3 source IP; ip_dst_addr: layer 3 dest IP; ip_src_port: layer 4 source port; ip_dst_port: layer 4 dest port; protocol: layer 4 protocol; timestamp (epoch); original_string: A human friendly string representation of the message.)
- Enrich: enrich the normalized data, for example deriving geographic information (city) from an IP address. (Official explanation: Once the raw security telemetry event has been parsed and normalized, the next step is to enrich different data elements of the normalized event. Examples of enrichment are GEO where an external IP address is enriched with GeoIP information (lat/long coordinates + City/State/Country) or HOST enrichment where an IP gets enriched with Host details (e.g.: IP corresponds to Host X which is part of a web server farm for an e-commerce application).)
- Label: tag the enriched data, for example marking whether it matches a known threat and which one. (Official explanation: After enrichment, the telemetry event goes through the labeling process. Actions done within this phase include threat intel cross reference checks where elements within the telemetry event can be used to do look ups against threat intel feed data sources like Soltra produced Stix/Taxii feeds or other threat intel aggregator services. These threat intel services will then "label" the telemetry event with threat intel metadata when a hit occurs. Other types of services include executing/scoring analytical models using the model-as-a-service pattern with the telemetry events that are flowing in.)
- Alert and Persist: some telemetry events trigger alerts; Metron indexes those as alerts and persists all events for later processing. (Official explanation: During this phase, certain telemetry events can initiate alerts. These types of telemetry events are then indexed in an alert index store. A telemetry event can spawn an alert triggered by a number of factors including: 1) The event type - The raw telemetry event itself is an alert. For example, any event generated by Snort is an alert so it will automatically be indexed as an alert. 2) Threat intel hit - If the raw telemetry event has a threat intel hit, it will be marked as an alert. Also during this step, all enriched and labeled telemetry events are indexed and persisted in Hadoop for long term storage. The storage of these events in Hadoop produces a security data vault within the enterprise that enables next generation analytics to be performed.)
- UI Portal and Data & Integration Services: visualization of the data and of detected threats for the analyst.
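The Process, Enrich, Label and Alert steps above, strung together as an added example in Python (this is not Metron's own code; Metron itself is Java running on Storm). A Snort fast-alert line and a constructed key=value firewall line are parsed into the 7-tuple, validated, enriched from constructed GeoIP/host tables, cross-referenced against a constructed threat-intel IP list, and then marked as alerts by the two triggers the text names (event type is Snort, or a threat-intel hit). The log lines, the lookup tables, the `year` default supplied for Snort (whose fast format carries no year), and the exact key names under `enrichments.` and `threatintels.` are assumptions; Metron does use a flat dotted-key convention, but the specific names here are constructed.

```python
"""Toy Metron-style pipeline: parse/normalize -> enrich -> label -> alert decision.
Constructed example, not Metron's code; all sample data below is made up."""
import json
import re
from datetime import datetime, timezone

# The standard 7-tuple every normalized event must carry (from the architecture text).
REQUIRED_FIELDS = ("ip_src_addr", "ip_dst_addr", "ip_src_port", "ip_dst_port",
                   "protocol", "timestamp", "original_string")

# Constructed raw events from two different telemetry sources.
SNORT_LINE = ("01/11-15:34:11.002300 [**] [1:2000001:1] Example rule [**] "
              "[Priority: 1] {TCP} 192.168.1.10:51234 -> 203.0.113.5:443")
FIREWALL_LINE = ("2023-01-11T15:34:12Z action=allow proto=udp "
                 "src=10.0.0.7 spt=53412 dst=198.51.100.53 dpt=53")

# Constructed enrichment and threat-intel data (GeoIP DB / HBase tables / TAXII feeds in Metron).
GEO_TABLE = {"203.0.113.5": {"city": "Example City", "country": "XX"}}
HOST_TABLE = {"10.0.0.7": {"host": "dns-cache-01", "role": "internal resolver"}}
THREAT_INTEL_IPS = {"203.0.113.5"}

SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[^\]]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")


def epoch_ms(ts: datetime) -> int:
    """Metron timestamps are epoch milliseconds; integer math avoids float rounding."""
    return int(ts.timestamp()) * 1000 + ts.microsecond // 1000


def parse_snort(line: str, year: int = 2023) -> dict:
    """Snort fast-alert lines carry no year, so the caller supplies one (assumption)."""
    m = SNORT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable snort line: {line!r}")
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return {"ip_src_addr": m["src"], "ip_dst_addr": m["dst"],
            "ip_src_port": int(m["sport"]), "ip_dst_port": int(m["dport"]),
            "protocol": m["proto"].upper(), "timestamp": epoch_ms(ts),
            "original_string": line, "source.type": "snort", "msg": m["msg"]}


def parse_kv_firewall(line: str) -> dict:
    """Constructed key=value firewall format: '<iso8601Z> k=v k=v ...'."""
    ts_str, _, rest = line.partition(" ")
    kv = dict(tok.split("=", 1) for tok in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ip_src_addr": kv["src"], "ip_dst_addr": kv["dst"],
            "ip_src_port": int(kv["spt"]), "ip_dst_port": int(kv["dpt"]),
            "protocol": kv["proto"].upper(), "timestamp": epoch_ms(ts),
            "original_string": line, "source.type": "firewall", "action": kv["action"]}


def missing_fields(event: dict) -> list:
    """Validation step: which of the 7 standard fields are absent."""
    return [f for f in REQUIRED_FIELDS if f not in event]


def enrich(event: dict) -> dict:
    """GEO/HOST enrichment under a flat dotted-key layout: enrichments.<type>.<field>.<attr>."""
    for field in ("ip_src_addr", "ip_dst_addr"):
        ip = event[field]
        for attr, val in GEO_TABLE.get(ip, {}).items():
            event[f"enrichments.geo.{field}.{attr}"] = val
        for attr, val in HOST_TABLE.get(ip, {}).items():
            event[f"enrichments.host.{field}.{attr}"] = val
    return event


def label(event: dict) -> dict:
    """Threat-intel cross-reference; the key name used here is a constructed example."""
    for field in ("ip_src_addr", "ip_dst_addr"):
        if event[field] in THREAT_INTEL_IPS:
            event[f"threatintels.ip.{field}.malicious_ip"] = True
    return event


def is_alert(event: dict) -> bool:
    """The two triggers named in the text: the event type itself, or a threat-intel hit."""
    if event.get("source.type") == "snort":
        return True
    return any(k.startswith("threatintels.") for k in event)


def process(line: str, parser) -> dict:
    """Full pipeline for one raw line; rejects events that are not a valid 7-tuple."""
    event = parser(line)
    missing = missing_fields(event)
    if missing:
        raise ValueError(f"event not normalized, missing {missing}")
    event = label(enrich(event))
    event["is_alert"] = is_alert(event)
    return event


if __name__ == "__main__":
    for raw, parser in ((SNORT_LINE, parse_snort), (FIREWALL_LINE, parse_kv_firewall)):
        print(json.dumps(process(raw, parser), indent=2, sort_keys=True))
```

The point to notice is that everything after the parser works only on the 7-tuple and the flat dotted keys, never on the raw line: a new telemetry source needs only a new parser, and the same enrichment, labeling and alert logic applies to it unchanged. The validation step matters because a parser that drops a field (a missing port on an ICMP event, say) would otherwise silently break downstream correlation.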