Sequential vs Parallel: Use Case
CTIX lets you choose the execution type of each enrichment policy so that you can use the available system resources and your enrichment-tool quota efficiently. There are two execution types, sequential and parallel; both are described below using the following use case.
Use Case
As an admin, your goal is to enrich 100 IP addresses coming from CrowdStrike using various enrichment tools and policies. Following are the tools and their respective properties for enriching the data:
AbuseIPDB:
Enrichment Type: Linear (enriches one object at a time)
Quota Utilization: One unit of quota per object enriched
Zscaler:
Enrichment Type: Bulk (enriches 100 objects simultaneously)
Quota Utilization: One unit of quota to enrich 100 objects
Censys:
Enrichment Type: Linear (enriches one object at a time)
Quota Utilization: One unit of quota per object enriched
Because this combination mixes tools with linear and bulk enrichment capabilities, it is important to understand how the two enrichment types work:
Linear Enrichment: In this approach, each object is enriched individually using linear enrichment tools such as AbuseIPDB and Censys. The quota usage is calculated per object enriched, meaning one unit of quota is consumed per object.
Bulk Enrichment: With bulk execution, you can leverage the Zscaler tool to enrich 100 objects simultaneously. This reduces the number of API calls made and optimizes the quota utilization, as only one unit of quota is consumed to enrich 100 objects in a single API call.
By utilizing a combination of linear and bulk enrichment tools, you can efficiently enrich the required data and maximize the utilization of your available resources.
Sequential Execution Type
What is Sequential Execution Type and how does it work in CTIX?
The sequential execution type in CTIX triggers the enrichment tools one after another, in the order of the preferences you set. If a higher-preference tool returns malicious context or otherwise meets the required criteria for an object, the platform does not run the policy on the lower-preference tools for that object. This keeps the enrichment process efficient and avoids unnecessary processing once the required information has been obtained from a higher-preference tool. Consider the following points when choosing the sequential execution type for your policies:
Efficient use of limited quota by terminating enrichment policy execution at the first instance of malicious data.
If an enrichment tool runs out of quota, the next tool in the queue takes over the enrichment process.
Returns only one instance of malicious data, avoiding redundancy.
For best results, give your most trusted tools the highest preference. The tool most likely to return a reliable verdict is then queried first, and the lower-preference tools (and their quota) are used only when it does not return one.
For example, set up AbuseIPDB, AlienVault, and IPinfo with preferences one, two, and three respectively to enrich IP addresses received from an ISAC source. The platform triggers AbuseIPDB first for each received IP address and moves to the next tool only if no malicious context is found. If AbuseIPDB finds this data, AlienVault and IPinfo are not triggered for that IP address, which conserves the quota of your enrichment tools.
When you choose the sequential execution type with AbuseIPDB, Zscaler, and Censys at preferences one, two, and three respectively, the platform follows this sequence:
AbuseIPDB is triggered first since it has the highest preference.
Successful attempt: If the platform finds the relevant and required malicious context about the object, it stops further enrichment for that IP address and moves on to the next IP address starting with AbuseIPDB again.
Unsuccessful attempt: If no relevant information is found, the platform triggers the next tool.
Zscaler is triggered next for the IP addresses that AbuseIPDB did not resolve, enriching all of them in a single bulk call.
Successful attempt: If the platform finds the relevant and required data about the enriched objects, it stops further enrichment for those IP addresses.
Unsuccessful attempt: If no relevant information is found, the platform triggers the next tool.
Censys is triggered last, enriching one object at a time.
Successful attempt: If the platform finds the relevant and required data about the enriched object, it stops further enrichment for that IP address.
Unsuccessful attempt: If no relevant information is found, the platform stops further enrichment for the object. In such cases, it may be necessary to utilize a different tool or approach to obtain the required information.
The sequential execution type manages quota carefully and conserves system resources: it triggers the next enrichment tool only if the previous tool failed to find the required information for an object or has exhausted its quota.
However, note that the sequential execution type stores only the first instance of the required information and does not query the remaining tools for further context. The context for an object therefore comes from a single source and may be incomplete or outdated in some cases.
Parallel Execution Type
What is Parallel Execution Type and how does it work in CTIX?
The parallel execution type in CTIX triggers all selected enrichment tools simultaneously. The platform executes the policy on every selected tool concurrently and keeps the context returned by each of them, which maximizes the chance of identifying malicious elements across multiple tools at once. Consider the following points when choosing the parallel execution type for your policies:
The parallel execution type in CTIX consumes a large amount of quota to fetch malicious context using multiple enrichment tools simultaneously.
It returns multiple results obtained from the multiple enrichment tools used.
This approach maximizes the chances of identifying malicious elements by leveraging multiple tools in parallel.
When you have access to medium-confidence tools and quota consumption is not a concern, the parallel execution type is recommended: every selected tool contributes its own context, giving a more comprehensive analysis of each object.
For example, set up AbuseIPDB, AlienVault, and IPinfo to trigger simultaneously to enrich IP addresses received from the ISAC source. The platform collects malicious context from all three tools, so you obtain every piece of information the selected tools hold about the object; the quota consumed is correspondingly high.
When you choose the parallel execution type with tools like AbuseIPDB, Zscaler, and Censys, the platform triggers all the tools simultaneously. This enables the platform to enrich one object using AbuseIPDB and Censys, and all 100 objects using Zscaler's bulk enrichment in one operation.
Successful attempt: If the platform finds the relevant data for an object, it records the context from every tool that returned it and then moves on to the next object for enrichment with AbuseIPDB and Censys; Zscaler has already covered all 100 objects in its single bulk call.
Unsuccessful attempt: If the platform does not find the required information for the objects, the enrichment process for that object is stopped as all selected tools have already been utilized. In such cases, an alternative tool may be necessary to obtain the required information.
The parallel execution type increases the chances of obtaining the desired information because it uses all selected tools at once, and it continues until every selected tool has either returned its result or exhausted its quota. It also provides multiple sets of information for an object, since each tool may offer different insights.
However, it is important to note that the parallel execution type consumes a significant amount of quota and may result in higher costs for licensing purposes.
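To make the quota arithmetic of the two execution types concrete, the following simulation is added here as an example; it is not CTIX code and does not use any CTIX API. It covers both the sequential and the parallel sections above with the three tools from the use case. The verdict rules, the quota sizes, and the 203.0.113.0/24 addresses are constructed assumptions; in particular AbuseIPDB is given only 60 quota units so that the hand-over to the next tool on quota exhaustion is exercised.

```python
"""Simulation of sequential vs parallel enrichment with linear and bulk tools.

Added example, not CTIX code: the tool names follow the use case on this
page, but the verdict rules, quota sizes and IP addresses are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Verdict = Callable[[str], Optional[str]]   # context string, or None if nothing known


@dataclass
class Tool:
    name: str
    bulk: bool       # bulk: one call (one quota unit) covers every object handed to it
    quota: int       # remaining quota units
    verdict: Verdict
    used: int = 0    # quota units consumed so far

    def enrich(self, ips: List[str]) -> Dict[str, str]:
        """Enrich as many of `ips` as the quota allows; return {ip: context}.

        Linear tools spend one unit per object and stop when the quota is
        exhausted, leaving the remaining objects unenriched. Bulk tools spend
        one unit for the whole batch."""
        found: Dict[str, str] = {}
        if self.bulk:
            if self.quota == 0:
                return found
            self.quota -= 1
            self.used += 1
            batch = ips
        else:
            batch = ips[: self.quota]          # only as many objects as units remain
            self.quota -= len(batch)
            self.used += len(batch)
        for ip in batch:
            ctx = self.verdict(ip)
            if ctx is not None:
                found[ip] = ctx
        return found


Result = Dict[str, List[Tuple[str, str]]]   # ip -> [(tool, context), ...]


def run_sequential(tools: List[Tool], ips: List[str]) -> Result:
    """Tools in preference order; an object leaves the queue at the first tool
    that returns context, and stays in it when that tool had no quota left."""
    results: Result = {ip: [] for ip in ips}
    pending = list(ips)
    for tool in tools:
        if not pending:
            break
        for ip, ctx in tool.enrich(pending).items():
            results[ip].append((tool.name, ctx))
        pending = [ip for ip in pending if not results[ip]]
    return results


def run_parallel(tools: List[Tool], ips: List[str]) -> Result:
    """Every tool sees every object, so an object can collect several contexts.
    The platform fires the tools concurrently; iterating here gives the same
    quota use and the same result set."""
    results: Result = {ip: [] for ip in ips}
    for tool in tools:
        for ip, ctx in tool.enrich(ips).items():
            results[ip].append((tool.name, ctx))
    return results


def make_tools() -> List[Tool]:
    """Fresh tools for one run. Verdict rules (assumed) key off the last octet
    so the outcome is deterministic; quotas are chosen so AbuseIPDB runs dry."""
    last = lambda ip: int(ip.rsplit(".", 1)[1])
    return [
        Tool("AbuseIPDB", bulk=False, quota=60,
             verdict=lambda ip: "abuse reports" if last(ip) % 4 == 0 else None),
        Tool("Zscaler", bulk=True, quota=5,
             verdict=lambda ip: "blocked category" if last(ip) % 5 == 0 else None),
        Tool("Censys", bulk=False, quota=100,
             verdict=lambda ip: "exposed service" if last(ip) % 7 == 0 else None),
    ]


IPS = [f"203.0.113.{i}" for i in range(1, 101)]   # constructed TEST-NET-3 addresses


def compare() -> Dict[str, Dict[str, int]]:
    """Run both execution types and return quota used per tool, the number of
    objects with at least one context, and the number with more than one."""
    summary: Dict[str, Dict[str, int]] = {}
    for label, runner in (("sequential", run_sequential), ("parallel", run_parallel)):
        tools = make_tools()
        res = runner(tools, IPS)
        summary[label] = {t.name: t.used for t in tools}
        summary[label]["resolved"] = sum(1 for v in res.values() if v)
        summary[label]["multi"] = sum(1 for v in res.values() if len(v) > 1)
    return summary


if __name__ == "__main__":
    for label, stats in compare().items():
        print(label, stats)
```

With these assumptions both execution types resolve the same 42 objects, but the sequential run spends 129 quota units and stores one context per object, while the parallel run spends 161 units and stores two contexts for seven objects. The address 203.0.113.64 illustrates the quota caveat from the sequential section: AbuseIPDB would flag it, but its quota is exhausted before that object is reached, the lower-preference tools know nothing about it, and it ends up unresolved in both runs.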