Apache Metron Overview
Apache Metron consists of 4 key capabilities:
Security Data Lake for a cost-effective way to store and combine a wide range of business data with security data… enriched telemetry and PCAP data for long periods of time. This data lake provides the corpus of data that powers discovery analytics and provides a mechanism to search and query for operational analytics.
Pluggable Framework provides a rich set of parsers for common security data sources (pcap, netflow, bro, snort, fireeye, sourcefire) but also provides a pluggable framework to add new custom parsers for new data sources, add new enrichment services to provide more contextual info to the raw streaming data, pluggable extensions for threat intel feeds, and the ability to customize the security dashboards. Machine learning and other models can also be plugged into the real-time streams, providing huge extensibility. For example, it can easily be extended to add custom functionality to transform data with built-in scripting and user-defined functions.
Threat Detection Platform based on machine learning algorithms and anomaly detection that can be applied in real-time as events are streaming in.
Incident Response Application is an evolution of SIEM capabilities (alerting, threat intel framework, agents to ingest data sources) inclusive of packet replay utilities, evidence store and hunting services commonly used by SOC analysts.