
Cyware Threat Intelligence eXchange

Enrich Threat Data Objects

You can use third-party enrichment tools to enrich threat data objects and retrieve additional context, metadata, or analysis that provide a more comprehensive understanding of potential threats. Threat data enrichment involves various techniques such as adding geolocation data, correlating with known indicators of compromise (IOCs), incorporating information about attacker tactics and techniques, or integrating data from multiple sources to provide a holistic view of the threat landscape. Enriching threat data also helps you to better identify, prioritize, and respond to security threats. For more information about enrichment tools, see Enrichment Tools.

You can enrich the following threat data objects:

  • Indicators of Compromise (IOCs)

  • Vulnerabilities

Before you Start

  • Ensure the enrichment tools are configured in Administration > Enrichment Management.

  • Ensure that you have the View and Update Threat Data permission.

Steps

To enrich a threat data object, follow these steps:

  1. Go to Main Menu > Collection > Threat Data and select a threat data object that you want to enrich.

  2. Go to the Enrichment tab. Enrichment Details lists the configured enrichment tools that support enriching the selected threat data object.

  3. Select the enrichment tool and click Enrich.

Enrichment Payload shows the enrichment details returned by the selected enrichment tool. Key Stats shows the inferred verdict for the threat object, indicating whether the enriched threat data object is malicious or non-malicious. You can also click Re-Enrich to run the enrichment again.

Post Enrichment Details

After enrichment, you can view the results and insights generated by the enrichment tools:

  • Enrichment Tool Status: View the enrichment status of third-party enrichment tools, such as Enriched, Tried and Failed, or Quota Completed. For more information on enrichment quota, see Enrichment Policy.

  • Sources Reported Malicious: View the enrichment tools that reported the threat data object as malicious.

  • Tool Stats: View the statistics of inferred verdicts, such as Malicious, Suspicious, Non Malicious, Unknown, and Not Applicable (NA), as reported by the enrichment tools.

  • Enrichment Details: View the complete details of the enrichment performed. You can view and perform the following:

    • View the enrichment tools that were used. Select an enrichment tool to view its Key Stats, which give an overview of the enrichment details. You can filter the enrichment details by enrichment tool status and sort them in ascending or descending order.

    • View the Enrichment Payload returned by the enrichment tool; you can also choose to view it in JSON format. Click Re-enrich to enrich the payload again.

    • Turn on the Hide Empty Values toggle to hide fields with empty values and view only the populated part of the payload.

  • Enrichment Verdicts: Each enrichment tool provides a verdict that reflects the risk level of the threat data object. Common verdicts include Malicious, Suspicious, Non Malicious, Unknown, and Not Applicable (NA). For vulnerabilities, enrichment verdicts are represented by Critical, High, Medium, Low, Unrated, and Not Applicable severity levels.

    Notice

    New enrichment verdicts, including Suspicious and Unknown, and distinct severity levels for vulnerabilities are available from Intel Exchange v3.7.5.3 onwards.
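The Post Enrichment Details above are summaries computed over the per-tool results. As an added illustration (not Intel Exchange code), the following Python models that aggregation over a constructed set of results: the per-tool status, Sources Reported Malicious, the Tool Stats verdict counts, an inferred verdict, and the Hide Empty Values filtering of a payload. The record fields, the sample tool names and payloads, and the rule that any Malicious report yields a Malicious inferred verdict are assumptions made for the example.

```python
from collections import Counter
from typing import Any

# Verdict vocabulary from the page; "NA" is shown as "Not Applicable".
VERDICTS = ("Malicious", "Suspicious", "Non Malicious", "Unknown", "Not Applicable")

# Constructed sample: one enrichment record per tool for a single IOC (assumed shape).
SAMPLE_RESULTS = [
    {"tool": "ToolA", "status": "Enriched", "verdict": "Malicious",
     "payload": {"positives": 12, "tags": ["trojan"], "notes": ""}},
    {"tool": "ToolB", "status": "Enriched", "verdict": "Non Malicious",
     "payload": {"score": 0, "categories": [], "meta": {"asn": None}}},
    {"tool": "ToolC", "status": "Tried and Failed", "verdict": "Not Applicable",
     "payload": {}},
    {"tool": "ToolD", "status": "Quota Completed", "verdict": "Not Applicable",
     "payload": None},
]

def hide_empty_values(value: Any) -> Any:
    """Recursively drop None, "", [] and {} from a payload (Hide Empty Values toggle)."""
    if isinstance(value, dict):
        cleaned = {k: hide_empty_values(v) for k, v in value.items()}
        return {k: v for k, v in cleaned.items() if v not in (None, "", [], {})}
    if isinstance(value, list):
        cleaned = [hide_empty_values(v) for v in value]
        return [v for v in cleaned if v not in (None, "", [], {})]
    return value  # scalars such as 0 or False are real values and are kept

def post_enrichment_details(results: list) -> dict:
    """Build Tool Status, Sources Reported Malicious, Tool Stats and an inferred verdict."""
    tool_status = {r["tool"]: r["status"] for r in results}
    sources_malicious = [r["tool"] for r in results if r["verdict"] == "Malicious"]
    tool_stats = Counter({v: 0 for v in VERDICTS})  # every verdict bucket is listed
    for r in results:
        tool_stats[r["verdict"]] += 1
    # Assumed rule: any tool reporting Malicious makes the object's inferred verdict Malicious.
    inferred = "Malicious" if sources_malicious else "Non Malicious"
    return {
        "tool_status": tool_status,
        "sources_reported_malicious": sources_malicious,
        "tool_stats": dict(tool_stats),
        "inferred_verdict": inferred,
        "payloads": {r["tool"]: hide_empty_values(r["payload"]) for r in results},
    }

if __name__ == "__main__":
    import json
    print(json.dumps(post_enrichment_details(SAMPLE_RESULTS), indent=2))
```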