Enrichment Policy Best Practices
Consider the following best practices while configuring an enrichment policy:
Configure each enrichment tool with a quota so that an enrichment policy uses the tool efficiently. A quota defines the amount of data you receive from the tool within a specified time range, so setting one for each enrichment tool lets you control and optimize costs.
Consider configuring and using the community licenses that many enrichment tools offer, for example Abuse IPDB, Alien Vault, Hybrid Analysis, RiskIQ, and Virus Total, to optimize costs.
Configure each enrichment tool only for the object types it supports, as listed in the following table:
Enrichment Tool         IP    Domain  URL   Hash
Abuse IPDB              Yes   -       -     -
Alexa Ranking           -     Yes     Yes   -
Alien Vault             Yes   Yes     Yes   Yes
Blue Coat               -     Yes     -     -
Cisco Umbrella          Yes   Yes     Yes   -
Hybrid Analysis         -     -       -     Yes
Comodo Cybersecurity    Yes   Yes     Yes   Yes
Farsight Security       Yes   Yes     -     -
Google Safe Browsing    -     Yes     Yes   -
Have I Been Pwned       -     Yes     -     -
IBM X-Force             Yes   Yes     -     Yes
Kaspersky               -     -       Yes   Yes
MaxMind                 Yes   -       -     -
MxToolBox               Yes   Yes     -     -
PhishTank               -     -       Yes   -
PolySwarm               -     -       -     Yes
Recorded Future         Yes   Yes     Yes   Yes
RiskIQ                  Yes   Yes     Yes   -
Shodan                  Yes   Yes     -     -
SlashNext               Yes   Yes     Yes   -
Virus Total             Yes   Yes     Yes   Yes
VMRay                   -     -       -     Yes
Web of Trust            -     Yes     -     -
iana                    Yes   Yes     -     -
Zscaler                 -     Yes     Yes   Yes
Use the Sequential run type to use the quota efficiently:
    - CTIX triggers the enrichment tools one after the other in the order of their set preference. If a higher-preference tool reports the data as malicious, the policy does not run on the lower-preference tools.
    - A limited quota is used efficiently because the enrichment policy stops executing at the first instance of malicious data.
    - If an enrichment tool runs out of quota, the next enrichment tool in the queue enriches the threat data.
    - Only one instance of malicious data is returned.
Use the Parallel run type to obtain investigation details or opinions from multiple tools:
    - CTIX triggers all enrichment tools at the same time and uses the available quota to fetch malicious data through every configured tool.
    - Detailed investigations and opinions are returned from multiple enrichment tools.
    - A large amount of quota is consumed.
Define a priority for your enrichment policy so that when your system runs low on resources, it can pick policies based on their set priorities.
Enrich only the sources you are unsure about, because enriching everything may consume large amounts of quota and system resources. For example, an OSINT source may deliver large volumes of data, and enriching all of it can exhaust your quota quickly.
Apply conditions to further filter the data and enrich only useful data.
For example, run the policy only if the confidence score is more than 70% or if the TLP is greater than AMBER.
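The following Python script is an added example, not code from Cyware or the CTIX product, that models how the run type, the per-tool quota, the supported-object-type table and the policy condition described above interact. The tool names (ToolA, ToolB, ToolC), their quotas, their verdict tables and the sample indicators are all constructed for illustration; a real deployment would call the vendors' APIs instead of the offline lookup used here.

```python
"""Toy model of a CTIX-style enrichment policy (added example, not Cyware code).

It shows: the policy condition (confidence > 70% or TLP above AMBER), the
per-tool quota, skipping tools that do not support an object type, the
Sequential run type (stop at the first malicious verdict, skip exhausted
tools) and the Parallel run type (query every tool, spend more quota)."""
from dataclasses import dataclass, field

TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


class QuotaExhausted(Exception):
    """Raised when a tool has no lookups left in its current window."""


@dataclass
class Indicator:
    value: str
    obj_type: str   # "ip", "domain", "url" or "hash"
    confidence: int # 0-100
    tlp: str


@dataclass
class EnrichmentTool:
    name: str
    supports: set                                  # object types the tool accepts
    quota: int                                     # lookups left in this window
    verdicts: dict = field(default_factory=dict)   # constructed offline verdict table
    initial_quota: int = 0

    def __post_init__(self):
        self.initial_quota = self.quota

    def lookup(self, ind):
        """Return a verdict, None if the type is unsupported, or raise on quota."""
        if ind.obj_type not in self.supports:
            return None
        if self.quota <= 0:
            raise QuotaExhausted(self.name)
        self.quota -= 1
        return self.verdicts.get(ind.value, "unknown")


def policy_condition(ind):
    """Condition from the text: confidence score above 70% or TLP above AMBER."""
    return ind.confidence > 70 or TLP_ORDER[ind.tlp] > TLP_ORDER["AMBER"]


def run_sequential(tools, ind):
    """Tools run in preference order; stop at the first malicious verdict.
    A tool that is out of quota is skipped and the next in the queue enriches."""
    results = {}
    for tool in tools:
        try:
            verdict = tool.lookup(ind)
        except QuotaExhausted:
            results[tool.name] = "quota exhausted"
            continue
        if verdict is None:          # unsupported object type, nothing consumed
            continue
        results[tool.name] = verdict
        if verdict == "malicious":   # higher-preference tool found it: stop here
            break
    return results


def run_parallel(tools, ind):
    """Every tool is queried and every verdict kept; quota use grows with tool count."""
    results = {}
    for tool in tools:
        try:
            verdict = tool.lookup(ind)
        except QuotaExhausted:
            verdict = "quota exhausted"
        if verdict is not None:
            results[tool.name] = verdict
    return results


def enrich(tools, indicators, run_type):
    """Apply the policy condition first, then the chosen run type."""
    runner = run_sequential if run_type == "sequential" else run_parallel
    return {i.value: runner(tools, i) for i in indicators if policy_condition(i)}


def build_tools():
    """Constructed tools in preference order; ToolA has a tiny quota on purpose."""
    return [
        EnrichmentTool("ToolA", {"ip", "domain", "url", "hash"}, 1,
                       {"203.0.113.5": "malicious"}),
        EnrichmentTool("ToolB", {"ip", "domain"}, 5,
                       {"203.0.113.5": "malicious", "example.test": "suspicious"}),
        EnrichmentTool("ToolC", {"ip"}, 5, {"203.0.113.5": "malicious"}),
    ]


def demo():
    """Run both run types on constructed indicators and report quota spent."""
    indicators = [
        Indicator("203.0.113.5", "ip", 90, "GREEN"),    # passes: confidence > 70
        Indicator("198.51.100.7", "ip", 40, "AMBER"),   # filtered out by condition
        Indicator("example.test", "domain", 50, "RED"), # passes: TLP above AMBER
    ]
    out, used = {}, {}
    for run_type in ("sequential", "parallel"):
        tools = build_tools()                           # fresh quota per run
        out[run_type] = enrich(tools, indicators, run_type)
        used[run_type] = sum(t.initial_quota - t.quota for t in tools)
    out["quota_used"] = used
    return out


if __name__ == "__main__":
    print(demo())
```

Running the script shows the trade-off the text describes: the sequential run spends two lookups and stops at ToolA's malicious verdict, while the parallel run spends four lookups to collect three opinions on the same IP; in both runs the low-confidence AMBER indicator is never sent to any tool, and ToolA's exhausted quota is handled by letting ToolB enrich the domain.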