Configure Enrichment Tools
You must first configure an instance for your preferred tool to enrich threat data objects in the platform. Activate the preferred tool by adding an account with the required credentials, and then define a quota for the tool.
Before you Start
Ensure that you have View enrichment tools & policies, Create enrichment tools & policies, and Update enrichment tools & policies permissions.
Add an Account
Add an account instance to establish a connection between CTIX and the preferred enrichment tool. You can add multiple accounts for your enrichment tools. The first account that you add is the default account.
Before you Start
Ensure that you have the authentication resources and credentials to integrate the enrichment tool.
Steps
Navigate to Administration > Enrichment Management, and select Enrichment Tools.
Select an enrichment tool to add an account instance.
The platform automatically opens the Add Account form and prompts you to enter the required information to establish a connection between the servers.
If you are adding an account for an already enabled tool, use the ellipsis on the top right corner and click Manage.
Enter a unique name to identify the account instance. For example, Zscaler_Prod.
Enter the required credentials. Each enrichment tool requires its own set of authentication credentials. For more information, see Integrations for specific enrichment tool documentation.
Select Verify SSL to verify and secure the connection between the CTIX and enrichment tool servers.
If you disable this option, CTIX may configure an instance even when the tool's SSL certificate has expired. The connection may then not be established properly, and CTIX will not be able to notify you if the connection fails. It is recommended to select this option.
Click Save.
Next Step: After you add an account instance, the platform prompts you to define the quota for the tool account. To define quota, see Step 5 in the following procedure.
Define Quota
Quota defines the maximum number of requests made to the specific enrichment tool in a defined time period to fetch relevant details to enhance intel. By setting quotas, organizations can efficiently utilize their enrichment tools while managing the available resources effectively.
Each enrichment tool has its own tool quota based on the credentials you use to add an account instance. However, you can configure the platform quota for the tool to limit the maximum number of API requests that CTIX can make to the tool for a specific duration.
Note
Ensure that the CTIX-specific quota is less than or equal to the maximum allowed API requests based on the tool's credentials.
You can configure quota details for your enrichment tools while adding or editing an enrichment tool account. If you don't define the platform quota for a tool, CTIX sets it to a default value of enriching one unit per day.
When the platform quota is exceeded and you continue to attempt to enrich objects, the platform returns a status code of 429, indicating that the defined platform quota for the tool has been exhausted. Once the quota expires, any pending intel is discarded for the remaining time period, and you can no longer enrich it. The quota resets after the defined period, and the platform receives a fresh set of defined quotas.
Steps
Perform the following procedure to define the platform quota for the tool when you have closed the Add Account form:
Navigate to Administration > Enrichment Management, and select Enrichment Tools.
Select an enabled enrichment tool.
On the top right corner, click the ellipsis and select Manage.
Click Edit and select Quota.
Set the duration and enter the rate at which the quota refreshes in the system. You can choose from minute, hourly, daily, weekly, or monthly. By default, the platform uses daily.
For example, for the system to refresh the quota twice a week, you can set the duration as weekly and specify the rate as 2.
Set a start date and time to first start utilizing the quota to enrich threat data objects.
For example, for the system to first fetch the quota, you can set the start date and time as Nov 23 2022 07:00 PM.
Select Usage Alert to receive email alert notifications when you are approaching your quota limits for this enrichment tool.
Enter the email addresses in Internal Recipients. These recipients receive email notifications when the system is at 75% of the quota threshold and after the system has reached the quota threshold.
Click Update.
After you define the quota for the tool, enable the feed enrichment channels to enrich the preferred IOC types using the tool. The platform sets a default quota for all tools.
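The quota behaviour described in this section (refresh windows, the 429 status on exhaustion, and the alerts at 75% and at the threshold), modelled as an added Python example that is not CTIX code. The class and parameter names are hypothetical, and the model assumes that the rate divides the duration into equal refresh windows (weekly with rate 2 gives a 3.5-day window), that a month is 30 days, and that requests before the start time are refused.

```python
from datetime import datetime, timedelta

# Assumed lengths for the duration choices the page lists.
PERIODS = {"minute": timedelta(minutes=1), "hourly": timedelta(hours=1),
           "daily": timedelta(days=1), "weekly": timedelta(weeks=1),
           "monthly": timedelta(days=30)}  # 30-day month is an assumption

class PlatformQuota:
    """Fixed-window model of a platform quota (hypothetical, not CTIX code)."""

    def __init__(self, limit, duration, rate, start, tool_limit=None):
        if tool_limit is not None and limit > tool_limit:
            raise ValueError("platform quota exceeds the tool's own quota")
        self.limit = limit
        self.window = PERIODS[duration] / rate   # weekly, rate 2 -> 3.5 days
        self.start = start
        self.index = None     # refresh window the counter belongs to
        self.used = 0
        self.alerts = []      # (timestamp, message); stands in for the emails

    def request(self, now):
        """Return the status for one enrichment request made at `now`."""
        if now < self.start:
            return 429                      # assumed: no quota before start
        index = (now - self.start) // self.window
        if index != self.index:             # new window: the counter resets
            self.index, self.used = index, 0
        if self.used >= self.limit:
            return 429                      # exhausted until the next refresh
        before = self.used
        self.used += 1
        warn = 0.75 * self.limit
        if before < warn <= self.used:
            self.alerts.append((now, "75% of quota used"))
        if self.used == self.limit:
            self.alerts.append((now, "quota threshold reached"))
        return 200

    def next_refresh(self, now):
        """Time at which the counter next resets."""
        elapsed = max(now - self.start, timedelta(0))
        return self.start + (elapsed // self.window + 1) * self.window

if __name__ == "__main__":
    start = datetime(2022, 11, 23, 19, 0)   # the page's example start time
    q = PlatformQuota(limit=4, duration="weekly", rate=2, start=start)
    print([q.request(start + timedelta(hours=h)) for h in range(1, 6)])
    print(q.alerts, q.next_refresh(start))
```

Running the model with a candidate limit and a realistic request pattern shows how early in each window the 429 responses would begin, which helps when sizing the platform quota against the tool's own quota.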
Next Step: You can now create an enrichment policy to automatically enrich threat data objects from selected sources and collections. For more information, see Configure Enrichment Policy.