Cyware Threat Intelligence eXchange

Enrichment Policy Best Practices

Consider the following best practices while configuring an enrichment policy:

  • Configure each enrichment tool with a quota. A quota caps the amount of data (the number of lookups) the tool returns within a specified time range, so a single policy cannot exhaust a paid or rate-limited API and your enrichment spend stays predictable.

  • Consider using the community (free-tier) licenses that many enrichment tools offer, to keep costs down.

    For example, AbuseIPDB, AlienVault, Hybrid Analysis, RiskIQ, and VirusTotal all offer community tiers. These tiers typically carry lower rate limits and terms-of-use restrictions, so check them before relying on a community key in production.

  • Configure each enrichment tool only for the object types it supports. A tool is of no use for an object type it cannot look up; the supported types are:

    Enrichment Tool         IP    Domain   URL   Hash
    AbuseIPDB               Yes   -        -     -
    Alexa Ranking           -     Yes      Yes   -
    AlienVault              Yes   Yes      Yes   Yes
    Blue Coat               -     Yes      -     -
    Cisco Umbrella          Yes   Yes      Yes   -
    Hybrid Analysis         -     -        -     Yes
    Comodo Cybersecurity    Yes   Yes      Yes   Yes
    Farsight Security       Yes   Yes      -     -
    Google Safe Browsing    -     Yes      Yes   -
    Have I Been Pwned       -     Yes      -     -
    IBM X-Force             Yes   Yes      -     Yes
    Kaspersky               -     -        Yes   Yes
    MaxMind                 Yes   -        -     -
    MxToolbox               Yes   Yes      -     -
    PhishTank               -     -        Yes   -
    PolySwarm               -     -        -     Yes
    Recorded Future         Yes   Yes      Yes   Yes
    RiskIQ                  Yes   Yes      Yes   -
    Shodan                  Yes   Yes      -     -
    SlashNext               Yes   Yes      Yes   -
    VirusTotal              Yes   Yes      Yes   Yes
    VMRay                   -     -        -     Yes
    Web of Trust            -     Yes      -     -
    IANA                    Yes   Yes      -     -
    Zscaler                 -     Yes      Yes   Yes

  • Use the Sequential run type to make efficient use of quota.

    • CTIX triggers the enrichment tools one after the other in the preference order you set. If a higher-preference tool reports the data as malicious, the policy does not run the lower-preference tools at all.

    • Limited quota is conserved because execution of the policy stops at the first malicious verdict.

    • If a tool has run out of quota, it is skipped and the next tool in the queue enriches the threat data instead.

    • Only one tool's verdict is returned (the first to report the data as malicious), so you get a single opinion rather than corroboration from several sources.

  • Use the Parallel run type when you want multiple investigations or opinions on the same data.

    • CTIX triggers all the enrichment tools at the same time, spending quota on every tool that supports the object type to fetch verdicts from each of them.

    • Returns detailed investigation results and opinions from multiple tools, which is useful for corroborating a verdict.

    • Consumes a large amount of quota, since every indicator costs one lookup per tool rather than one lookup in total.

  • Define a priority for each enrichment policy so that, when the system runs low on resources, it runs the higher-priority policies first rather than picking policies arbitrarily.

  • Enrich only the sources whose data you are unsure about. Enriching everything consumes large amounts of quota and system resources.

    For example, an OSINT feed can deliver a very large volume of indicators; enriching all of them can exhaust your quota quickly.

  • Apply conditions to filter the data further so that only the indicators worth the cost are enriched.

    For example, run the policy only if the confidence score is above 70%, or only if the TLP is stricter than AMBER.
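The run-type behaviour and the condition filter described in the bullets above, as an added example that is not Cyware's code: a small Python model of one policy run over a constructed tool set, showing how much quota the Sequential and Parallel run types spend on the same indicators. The tool names and their supported object types are taken from the table on this page; the quota figures, verdicts, indicator records and the function names (`enrich`, `run_sequential`, `run_parallel`, `passes_conditions`) are this example's own assumptions, not CTIX's actual API or scheduler.

```python
# Added example (not Cyware's code): a model of how the Sequential and
# Parallel run types spend enrichment-tool quota, with the object-type table
# and the "confidence > 70 or TLP above AMBER" condition from this page.
# Tool names and supported object types come from the page; quota figures,
# verdicts, indicator records and all function names are constructed here.
from dataclasses import dataclass

# Supported object types per tool (subset of the page's table).
SUPPORTED_TYPES = {
    "AbuseIPDB": {"ip"},
    "AlienVault": {"ip", "domain", "url", "hash"},
    "VirusTotal": {"ip", "domain", "url", "hash"},
    "PhishTank": {"url"},
    "Hybrid Analysis": {"hash"},
}

# TLP ordering so that "TLP stricter than AMBER" can be evaluated.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


@dataclass
class Tool:
    name: str
    preference: int   # lower number = tried first in Sequential mode
    quota: int        # lookups left in the current window (constructed)
    verdicts: dict    # constructed stand-in for the tool's API: value -> verdict

    def lookup(self, value):
        """Spend one quota unit and return a verdict; None once quota is exhausted."""
        if self.quota <= 0:
            return None
        self.quota -= 1
        return self.verdicts.get(value, "benign")


def passes_conditions(ind, min_confidence=70, tlp_floor="AMBER"):
    """Policy condition: confidence above 70% OR TLP stricter than AMBER."""
    return ind["confidence"] > min_confidence or TLP_RANK[ind["tlp"]] > TLP_RANK[tlp_floor]


def eligible_tools(tools, obj_type):
    """Only tools that support this object type, in preference order."""
    return sorted((t for t in tools if obj_type in SUPPORTED_TYPES[t.name]),
                  key=lambda t: t.preference)


def run_sequential(tools, ind):
    """Stop at the first malicious verdict; a tool with no quota left is skipped."""
    results = {}
    for tool in eligible_tools(tools, ind["type"]):
        verdict = tool.lookup(ind["value"])
        if verdict is None:      # quota exhausted: fall through to the next tool
            continue
        results[tool.name] = verdict
        if verdict == "malicious":
            break
    return results


def run_parallel(tools, ind):
    """Ask every eligible tool and keep all opinions (one quota unit each)."""
    results = {}
    for tool in eligible_tools(tools, ind["type"]):
        verdict = tool.lookup(ind["value"])
        if verdict is not None:
            results[tool.name] = verdict
    return results


def enrich(tools, indicators, run_type):
    """Filter by conditions, run the chosen run type, report quota consumed."""
    runner = run_sequential if run_type == "sequential" else run_parallel
    quota_before = sum(t.quota for t in tools)
    out = {ind["value"]: runner(tools, ind) for ind in indicators if passes_conditions(ind)}
    return out, quota_before - sum(t.quota for t in tools)


def make_tools():
    """Fresh tool set with constructed quotas; AbuseIPDB gets only one lookup."""
    known_bad = {"198.51.100.7": "malicious", "http://example.test/login": "malicious"}
    return [
        Tool("AbuseIPDB", 1, 1, known_bad),
        Tool("AlienVault", 2, 5, known_bad),
        Tool("VirusTotal", 3, 5, known_bad),
        Tool("PhishTank", 4, 5, known_bad),
        Tool("Hybrid Analysis", 5, 5, known_bad),
    ]


# Constructed indicators (documentation IP ranges and an example.test URL).
SAMPLE_INDICATORS = [
    {"type": "ip", "value": "198.51.100.7", "confidence": 90, "tlp": "GREEN"},
    {"type": "ip", "value": "203.0.113.9", "confidence": 40, "tlp": "RED"},    # passes on TLP only
    {"type": "url", "value": "http://example.test/login", "confidence": 80, "tlp": "AMBER"},
    {"type": "hash", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "confidence": 50, "tlp": "AMBER"},                                       # fails both conditions
]

if __name__ == "__main__":
    for mode in ("sequential", "parallel"):
        results, used = enrich(make_tools(), SAMPLE_INDICATORS, mode)
        print(f"{mode}: quota used={used}")
        for value, verdicts in results.items():
            print(f"  {value}: {verdicts}")
```

Over the same four indicators the Sequential run spends 4 quota units and the Parallel run spends 8, which is the cost difference the bullets describe. The model also shows the two edge cases a practitioner should expect: the hash indicator never reaches any tool because it fails both conditions, and the second IP falls through AbuseIPDB (already out of quota after the first lookup) to AlienVault and VirusTotal.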