Bulk Enrichment
Notice
This feature is available in CTIX v3.4.1 and later versions.
Administrators can automatically enrich multiple threat data objects simultaneously using enrichment policies. Bulk enrichment keeps quota consumption to a minimum, thereby reducing rate-limit-induced errors.
Consider the following points for bulk enrichment:
Each enrichment tool has specific tool-defined rate limits. For example, Zscaler has a rate limit of five API calls per minute, whereas CrowdStrike has a rate limit of three API calls per minute.
Each tool has its specific limit for bulk enriching threat data objects, and CTIX does not have control over these limits. For example, one tool can enrich up to 100 IOCs at once, whereas another tool can enrich up to 50 IOCs at once.
Bulk enrichment is not supported with manual enrichment of threat data objects.
Note
Currently, the integration between Zscaler and CTIX supports bulk enrichment capabilities, enhancing the efficiency of threat data processing. For more information, see Zscaler.
For example, when you manually enrich 100 IOCs individually using Threat Data, Zscaler can take up to 100 API calls and consume a maximum of 100 units of quota. In contrast, when the platform triggers the enrichment policy configured with Zscaler to enrich 100 IOCs, it bulk enriches the objects with one API call and one unit of quota consumption.
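The comparison above can be worked through as a small planner. This is an added example, not CTIX or Zscaler code: it splits a queue of IOCs into API calls and places each call in a one-minute rate-limit window. The Zscaler figures are the ones quoted on this page; the second tool, the one-unit-per-call quota model, and all names in the code are assumptions made for illustration.

```python
# Added example: compares per-IOC and bulk enrichment under a tool's rate limit.
from dataclasses import dataclass


@dataclass(frozen=True)
class ToolLimits:
    name: str
    calls_per_minute: int  # tool-defined rate limit
    max_batch: int         # most IOCs the tool accepts in one bulk call


# Zscaler figures are the ones quoted on this page.
ZSCALER = ToolLimits("Zscaler", calls_per_minute=5, max_batch=100)
# Hypothetical second tool: 50 IOCs per call, three calls per minute.
TOOL_B = ToolLimits("tool-b (hypothetical)", calls_per_minute=3, max_batch=50)


def make_iocs(count):
    """Constructed sample indicators; not real threat data."""
    return [f"ioc-{n:03d}.example" for n in range(count)]


def plan(iocs, tool, bulk=True):
    """Split IOCs into API calls and place each call in a one-minute window."""
    size = tool.max_batch if bulk else 1
    batches = [iocs[i:i + size] for i in range(0, len(iocs), size)]
    windows = {}
    for n, batch in enumerate(batches):
        # Calls beyond the per-minute limit wait for the next window.
        windows.setdefault(n // tool.calls_per_minute, []).append(batch)
    return {
        "tool": tool.name,
        "api_calls": len(batches),
        "quota_units": len(batches),  # assumption: one unit per call
        "minute_windows": len(windows),
        "last_batch_size": len(batches[-1]) if batches else 0,
    }


if __name__ == "__main__":
    hundred = make_iocs(100)
    for label, result in [
        ("individual", plan(hundred, ZSCALER, bulk=False)),
        ("bulk", plan(hundred, ZSCALER)),
        ("bulk, 420 IOCs", plan(make_iocs(420), TOOL_B)),
    ]:
        print(label, result)
```

Enriched one at a time, the 100 IOCs occupy 20 one-minute windows at five calls per minute, which is where rate-limit errors come from when calls are sent faster than that; in bulk they fit in a single call.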