Comodo
Configure Comodo as an enrichment tool so that you can enrich IPs, hashes, domains, and URLs present in the CTIX application with enrichment feeds provided by Comodo. CTIX uses this information to enrich the indicators by removing false positives, adding contextual information, and assigning a confidence score.
Configure Comodo App in CTIX
Before you Start
You must have the base URL and API key for the Comodo account.
You must have permissions to view, update, and create enrichment tools and policies.
Steps
Use the following steps to configure Comodo:
From Administration, open Enrichment Management and select Enrichment Tools.
Use the search bar to locate Comodo and click on the app.
Click Add Account.
Enter the Instance name, Base URL, and API Key.
Note
Use https://verdict.valkyrie.comodo.com/api/v1/ as the base URL.
To secure the connection between CTIX and the Comodo server, select Verify SSL.
Click Save.
Configure Quota for Comodo Feeds
Quota defines the number of hits or calls that you can make to the Comodo account to fetch information that enhances your intel within a defined time period. Data that is still pending in the enrichment queue after the defined quota expires is discarded.
Steps
From Administration, select Enrichment Management, and click Enrichment Tools.
Select Comodo.
On the top right corner, click the ellipsis, and select Manage.
Click Edit.
On the Edit Account page, select the Quota tab.
Choose the quota duration and enter the quota rate for that duration.
Enter a start date and time for the quota duration.
Select Usage alert to receive email alert notifications when you are approaching your quota limits for Comodo.
Select the email addresses in Internal Recipients. These email recipients will receive email notifications on quota limits.
Click Update.
Configure an Enrichment Policy for Comodo
Define the enrichment tools to use and the IOCs to enrich, specify the run type for enrichment, and apply conditions if required.
Steps
Navigate to Administration and select Enrichment Management.
Select Enrichment Policy and click Add Policy.
Enter a name for your policy and set a priority.
Setting a priority for a policy qualifies the object for enrichment from more than one policy. When the system runs low on resources, the priority set here is used to pick the higher-priority policy and perform enrichment.
Choose an object from Select Object Type.
Select from the following run types:
Sequential: The selected enrichment tools are called one after another in the order of set preference. You can add up to three enrichment tools with preferences. For example, if you set up tool1, tool2, and tool3 as your preference, the system makes a call to tool1 to check for any enrichment data for this IOC. If it finds this data, tool2 and tool3 are not called. After the first successful result, other enrichment tools are not called to enrich the selected IOC. This can help you conserve the quota of your enrichment tools.
Note
If an enrichment tool runs out of quota, the next enrichment tool in line is used for enrichment.
Parallel: All the enrichment tools are called to enhance your data.
Select Comodo as the enrichment tool. You can add multiple tools and set a preference for them.
Click Next Step.
Specify the sources to apply enrichment.
Under Intel, choose specific sources and their respective collections to apply enrichment. You can also choose all collections under Intel.
Under Inbox, choose collections to apply enrichment.
Click Next Step.
Select Yes to apply any conditions.
You can apply specific conditions like domain names, IP, TLP, title, source confidence, or description. You can build your conditions using AND or OR operators.
Click Save Policy.
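The Sequential and Parallel run types described in the policy steps above, modeled as an added example to show how each spends tool quota over the same batch of IOCs. This is not CTIX code: the Tool class, the function names, the IOCs, verdicts, and quota values are all constructed for illustration, and skipping an out-of-quota tool in Parallel mode is an assumption (the page states the fallback only for Sequential).

```python
from dataclasses import dataclass, field

@dataclass
class Tool:
    """Hypothetical stand-in for one enrichment tool account."""
    name: str
    quota: int                                  # calls allowed in the quota window
    known: dict = field(default_factory=dict)   # IOC -> constructed verdict
    calls: int = 0

    @property
    def has_quota(self):
        return self.calls < self.quota

    def lookup(self, ioc):
        """Spend one quota unit; return a verdict, or None when the tool has no data."""
        self.calls += 1
        return self.known.get(ioc)

def enrich(ioc, tools, run_type):
    """Return {tool_name: verdict} for one IOC; tools are in preference order."""
    if run_type == "sequential" and len(tools) > 3:
        raise ValueError("a sequential policy takes at most three tools")
    results = {}
    for tool in tools:
        if not tool.has_quota:
            continue              # out of quota: the next tool in line is used
        verdict = tool.lookup(ioc)
        if verdict is not None:
            results[tool.name] = verdict
            if run_type == "sequential":
                break             # first successful result ends the chain
    return results

def run_policy(iocs, tools, run_type):
    """Enrich a batch and report how many calls each tool consumed."""
    enriched = {ioc: enrich(ioc, tools, run_type) for ioc in iocs}
    return enriched, {t.name: t.calls for t in tools}

def make_tools():
    # Constructed sample data: tool1 has a deliberately small quota of 2.
    return [
        Tool("tool1", 2, {"192.0.2.10": "malicious"}),
        Tool("tool2", 5, {"192.0.2.10": "malicious", "example.test": "clean"}),
        Tool("tool3", 5, {"example.test": "clean", "198.51.100.7": "suspicious"}),
    ]

IOCS = ["192.0.2.10", "example.test", "198.51.100.7"]   # constructed IOCs

if __name__ == "__main__":
    for run_type in ("sequential", "parallel"):
        enriched, spent = run_policy(IOCS, make_tools(), run_type)
        print(run_type, spent, enriched)
```

On this sample batch, the sequential run spends five calls in total and the parallel run eight. In both runs tool1 exhausts its quota of two after the second IOC, so the third IOC is enriched by the remaining tools.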