Enrichment Management
These are the statuses that you can see on the Investigations tab for enrichment tools in the Threat Data module.
Never Tried (Grey) - The enrichment tool was never called to enrich the indicator.
Tried and Failed (Red) - The enrichment tool was called to enrich the indicator, but the enrichment was not successful.
Ran successfully (Green) - The enrichment tool was successful in enriching the indicator.
Quota over (Orange) - The enrichment tool's defined quota limit has been reached, so the tool could not be called to enrich the indicator.
Use the Sequential approach when you want the enrichment tools to be called one after the other, with the next tool called only if the previous one does not give any results. This way, the quota of two tools is not used up at the same time.
Use the Parallel approach when you have enough quota on two or more enrichment tools and you want diverse investigation details or opinions to take further action.
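The following added example, which is not part of the product or its API, models how the two approaches consume quota and which of the statuses listed above each tool ends up with. The Tool class, tool names, quotas and indicators are constructed for illustration, and the fall-through to the next tool when one is over quota is an assumption.

```python
from dataclasses import dataclass

# Status labels exactly as the page lists them.
NEVER_TRIED, FAILED, SUCCESS, QUOTA_OVER = (
    "Never Tried", "Tried and Failed", "Ran successfully", "Quota over")
INDICATORS = ["198.51.100.7", "example.test", "203.0.113.9"]  # constructed samples

@dataclass
class Tool:
    """Hypothetical stand-in for an enrichment tool with a call quota."""
    name: str
    quota: int          # calls remaining
    known: frozenset    # constructed data: indicators the tool returns results for

    def enrich(self, indicator):
        if self.quota <= 0:
            return QUOTA_OVER            # the tool is not called at all
        self.quota -= 1                  # every real call consumes quota
        return SUCCESS if indicator in self.known else FAILED

def run_sequential(tools, indicator):
    """Call tools in order and stop at the first one that returns results.
    Assumption: a tool that is over quota is skipped and the next one is tried."""
    statuses = {t.name: NEVER_TRIED for t in tools}
    for tool in tools:
        statuses[tool.name] = tool.enrich(indicator)
        if statuses[tool.name] == SUCCESS:
            break
    return statuses

def run_parallel(tools, indicator):
    """Call every tool for every indicator, whatever the others return."""
    return {t.name: t.enrich(indicator) for t in tools}

def make_tools():
    # Constructed tools and quotas; tool_a has the smaller quota.
    return [Tool("tool_a", 2, frozenset({"198.51.100.7"})),
            Tool("tool_b", 5, frozenset({"198.51.100.7", "example.test"}))]

def demo(runner):
    """Run one approach over all indicators; return statuses and quota left."""
    tools = make_tools()
    statuses = [runner(tools, i) for i in INDICATORS]
    return statuses, {t.name: t.quota for t in tools}

if __name__ == "__main__":
    for runner in (run_sequential, run_parallel):
        statuses, left = demo(runner)
        print(runner.__name__, statuses, "quota left:", left)
```

With the same three indicators, the sequential run leaves tool_b with one more call in its quota than the parallel run, because tool_b is never called for the indicator that tool_a already enriched.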
Set a priority for the enrichment policies so that when the system is out of resources, it will pick the policy with the highest priority first.
Configure the enrichment policy so that:
You don't have to manually enrich an indicator every time.
Indicators are scored better on their maliciousness.
You can provide specific conditions, such as running the policy only when the confidence score is 80% or when the TLP is greater than AMBER.
Configure the quota for your enrichment tools so that the system makes better use of each tool in the enrichment policy and does not run out of quota. You can also set up alerts that notify you when a tool is approaching its quota limit.