
Best Practices for Enrichment Management

Following are some best practices to consider for Enrichment Management:

  • Define a quota for each enrichment tool used by the enrichment policy for optimum utilization. Defining the quota lets the platform prioritize which IOCs to enrich within the available quota, so it is spent judiciously.

  • Prefer community licenses for enrichment tools to optimize costs. For example, AbuseIPDB, AlienVault, Hybrid Analysis, RiskIQ, VirusTotal, and others offer free licenses that provide enrichment functionality.

  • Configure enrichment tools based on the object types they support so that you obtain relevant context for your data. For example, to enrich IP addresses and domains, you can choose the IANA Whois or MX Toolbox enrichment tools.

    For more information about enrichment tools and their supported object types, see Enrichment Tool Quota Details.

  • Use the sequential run type for your enrichment policy to limit the quota usage of your enrichment tools. This approach makes efficient use of a limited quota: the tools run one after another, and execution of the policy stops as soon as the first tool returns the required context.

    [Screenshot: Sequential enrichment policy in CTIX]
  • Use the parallel run type for your enrichment policy when you have surplus quota and want multiple tools to enrich data at the same time. Because every tool runs for every object, this approach gives more detailed investigations at the cost of higher quota usage.

    [Screenshot: Parallel enrichment policy in CTIX]
  • Set a priority for your enrichment policy. Setting a priority gives precedence to the selected policy when your system runs low on resources. For example, suppose you define two policies, one with a priority and one without. When the platform has only a limited amount of quota left for the day, it gives precedence to the policy defined with a priority when enriching data. For more information, see Configure Enrichment Policy.

  • Enrich data only from the sources that offer relevant context for your requirements, as enriching everything may consume large amounts of quota and system resources. For example, an open-source intelligence (OSINT) source may deliver large volumes of data; if you enrich all of it, you may exhaust a large part of your quota on low-value objects.

  • Add conditions to the policies to filter the data further and enrich only useful data. For example, run the policy only if the confidence score is more than 70% or if the TLP is greater than AMBER.

    [Screenshot: Enrichment policy conditions in CTIX]
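To make the quota effect of the sequential and parallel run types and of policy conditions concrete, the following is an added illustrative model; it is not CTIX code, and the tool names, quotas, IOC values and the TLP ordering (WHITE < GREEN < AMBER < RED) are constructed assumptions.

```python
# Illustrative model (not CTIX code) of how an enrichment policy's run type,
# per-tool quota and conditions affect which tools run and how much quota is used.
from dataclasses import dataclass, field

TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}  # assumed ordering

# Constructed sample IOCs (documentation-range addresses, not real indicators).
SAMPLE_IOCS = [
    {"value": "198.51.100.7", "confidence": 90, "tlp": "RED"},    # passes both conditions
    {"value": "203.0.113.5", "confidence": 60, "tlp": "RED"},     # fails confidence > 70
    {"value": "bad.example", "confidence": 95, "tlp": "AMBER"},   # fails TLP > AMBER
    {"value": "192.0.2.44", "confidence": 80, "tlp": "RED"},      # passes both conditions
]

@dataclass
class Tool:
    name: str
    quota: int                                 # remaining lookups for the day
    known: set = field(default_factory=set)    # constructed: IOCs this tool has context for

    def enrich(self, ioc_value):
        """Spend one quota unit and report whether the tool returned context."""
        if self.quota <= 0:
            return None                        # quota exhausted: tool is skipped
        self.quota -= 1
        return ioc_value in self.known

def matches_conditions(ioc, min_confidence=70, min_tlp="AMBER"):
    """Policy condition: confidence above the threshold AND TLP above min_tlp."""
    return ioc["confidence"] > min_confidence and TLP_ORDER[ioc["tlp"]] > TLP_ORDER[min_tlp]

def run_policy(iocs, tools, run_type):
    """Return {ioc value: [tools that gave context]} for IOCs passing the conditions."""
    results = {}
    for ioc in iocs:
        if not matches_conditions(ioc):
            continue                           # filtered out: no quota spent at all
        hits = []
        for tool in tools:
            if tool.enrich(ioc["value"]):
                hits.append(tool.name)
                if run_type == "sequential":
                    break                      # stop at the first tool that gave context
        results[ioc["value"]] = hits
    return results

def simulate(run_type, abuseipdb_quota=10):
    """Run the constructed scenario and return (results, quota used per tool)."""
    tools = [Tool("AbuseIPDB", abuseipdb_quota, {"198.51.100.7"}),
             Tool("VirusTotal", 10, {"198.51.100.7", "192.0.2.44"})]
    initial = {t.name: t.quota for t in tools}
    results = run_policy(SAMPLE_IOCS, tools, run_type)
    return results, {t.name: initial[t.name] - t.quota for t in tools}
```

Running `simulate("sequential")` against `simulate("parallel")` shows the same IOCs getting context while the sequential run spends one fewer lookup; with `abuseipdb_quota=1` the exhausted tool is skipped and the second tool still supplies the context.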