Configure Enrichment Policy
Define enrichment policies for the configured enrichment tools to automatically enrich the threat data objects in the platform. You can specify the following while defining a policy:
Execution type (sequential or parallel)
Sources and collections from which you want to enrich data
Conditions to filter relevant data coming from the selected sources and collections
Priority for the policy
Before you Start
Ensure that you have the View enrichment tools & policies, Create enrichment tools & policies, and Update enrichment tools & policies permissions.
Steps
1. Navigate to Administration > Enrichment Management, and select Enrichment Policy.
2. Click Add Policy.
3. Enter a unique name for your policy. For example, Enrich_ISAC_IOCs.
4. Set a priority for your policy. A policy with a higher priority takes precedence over policies with a lower priority, and the platform picks up higher-precedence policies first when the system is running low on resources. You can set a priority between one and four.
5. Choose an object to enrich from Select Object Type. You can choose from IP, hash, vulnerability, domain, and URL.
6. Select one of the following run types:
   Sequential: Allows you to select enrichment tools based on your confidence in them and assign each a preference. A higher preference represents higher confidence, and the lowest preference represents the least confidence. The platform triggers the selected tools one by one in the order of their preferences.
   Parallel: Allows you to select enrichment tools that trigger simultaneously to enrich the selected object. All selected tools hold the same preference and look for malicious context related to the selected object.
7. Select up to three enrichment tools to run the policy. If you chose sequential as the run type, set a preference for each tool according to your confidence in it.
   Note: You can only use enrichment tools that are configured and in the active state.
8. Click Next Step.
9. Specify the sources from which to fetch the data to enrich.
   Under Intel, choose specific sources and their respective collections to apply enrichment. You can also choose all collections under Intel.
   Under Inbox, choose CTIX-defined STIX collections to apply enrichment.
10. Click Next Step.
11. Select Yes if you want to apply conditions.
    You can apply specific conditions, such as domain name, IP, TLP, title, source confidence, or description, to filter the data, optimize quota utilization, and enrich only the relevant data. You can build your conditions using AND or OR operators.
12. Click Save Policy.
After you define a policy, you can check for the enriched data in Threat Data using filters such as Enriched Status and Enrichment Tools.
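To make the policy semantics above concrete, here is an added Python model of an enrichment policy; it is an illustration only, not CTIX code. The EnrichmentPolicy class, the OPS condition operators, the tool callables and the sample object are hypothetical; the priority range, tool limit, object types, run types and AND/OR condition logic follow the steps above.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

OBJECT_TYPES = {"ip", "hash", "vulnerability", "domain", "url"}
# Condition operators a policy can use (hypothetical names, not CTIX's own)
OPS = {
    "equals": lambda actual, exp: actual == exp,
    "contains": lambda actual, exp: actual is not None and exp in actual,
    "at_least": lambda actual, exp: actual is not None and actual >= exp,
}
# Constructed sample threat data object (not real intel)
SAMPLE_IP = {"type": "ip", "value": "203.0.113.10", "tlp": "amber", "source_confidence": 80}

@dataclass
class EnrichmentPolicy:
    name: str
    priority: int        # 1 to 4
    object_type: str     # one of OBJECT_TYPES
    run_type: str        # "sequential" or "parallel"
    tools: list          # tool callables, highest preference first
    operator: str = "AND"                            # how conditions combine
    conditions: list = field(default_factory=list)   # (field, op, value) tuples

    def __post_init__(self):
        if not 1 <= self.priority <= 4:
            raise ValueError("priority must be between 1 and 4")
        if self.object_type not in OBJECT_TYPES:
            raise ValueError(f"unsupported object type: {self.object_type}")
        if not 1 <= len(self.tools) <= 3:
            raise ValueError("select between one and three enrichment tools")
        if self.run_type not in ("sequential", "parallel"):
            raise ValueError("run type must be sequential or parallel")

def matches(policy, obj):
    # True if obj has the policy's object type and passes its conditions
    if obj.get("type") != policy.object_type:
        return False
    checks = [OPS[op](obj.get(fld), exp) for fld, op, exp in policy.conditions]
    if not checks:
        return True                  # no conditions: enrich every object
    return all(checks) if policy.operator == "AND" else any(checks)

def run_policy(policy, obj):
    # Dispatch a matching object to the tools; returns {tool name: result}
    if not matches(policy, obj):
        return {}
    if policy.run_type == "sequential":   # one at a time, in preference order
        return {t.__name__: t(obj["value"]) for t in policy.tools}
    with ThreadPoolExecutor(max_workers=len(policy.tools)) as pool:  # all at once
        futures = {t.__name__: pool.submit(t, obj["value"]) for t in policy.tools}
        return {name: f.result() for name, f in futures.items()}
```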