# Configure Threat Intelligence Enrichment Integration

Threat intelligence enrichment gathers reputation information for observables (IP addresses, domains, URLs, hashes, email addresses, and so on) from one or more enrichment providers using enrichment components. Results are aggregated in Threat Intelligence records and are also displayed in Case and Incident Management records. Every observable type has a primary intelligence provider (PIP), which is the canonical source of truth for the reputation verdict, permalinks, and so on for that observable type.

## Prerequisites

Before configuring threat intelligence enrichment, ensure you:

- have access to the SOC Solutions Bundle playbooks
- have enrichment provider credentials and assets configured
- understand which observables you want to enrich (IPs, domains, URLs, hashes, etc.)

## Configuration steps

### Step 1: Navigate to Components

1. Navigate to Orchestration in the Swimlane platform.
2. Click on Components.
3. Locate and open the SOC Enrich Observables component (or SOC Enrich Observable, depending on your version).

### Step 2: Configure enrichment sources

The component uses a parallel node to run multiple enrichment sources simultaneously. You need to configure which enrichment sources to use.

#### 2.1 Remove unused enrichment sources

1. Open the SOC Enrich Observables component.
2. Navigate to the parallel node in the component workflow.
3. Review the existing enrichment sources listed under the parallel node.
4. Remove any enrichment sources you are not using:
   - click on the enrichment source component
   - delete or remove it from the parallel node

This reduces unnecessary API calls and improves performance.

#### 2.2 Add new enrichment sources

1. Click Edit on the parallel node (or add a new component to the parallel node).
2. From the Components menu, select the enrichment source component you want to add (e.g., VirusTotal, Recorded Future, URLhaus, etc.).
3. For each new enrichment source component you add:
   - click Edit on the enrichment source component
   - navigate to the Inputs configuration
   - map `inputs.observable` as a playbook property: in the input mapping, select "Playbook Property", then navigate to or search for `inputs.observable`. This ensures the observable data flows from the playbook into the enrichment component.
   - configure any other required inputs (API keys, authentication, etc.) using the component's asset configuration

Note: the `inputs.observable` property contains the observable object that needs to be enriched. It typically includes:

- observable type: the type of observable (e.g., "ip", "domain", "url", "hash")
- observable value: the actual value to enrich (e.g., "192.168.1.1", "example.com")
- observable metadata: any additional metadata about the observable

### Step 3: Configure the Aggregate Enrichments action

After removing or adding enrichment sources, you must update the Aggregate Enrichments action to reflect your changes.

1. Locate the Aggregate Enrichments action in the component workflow (typically after the parallel node).
2. Click Edit on the Aggregate Enrichments action.
3. Review the existing append actions. Each enrichment source component should have its `enrichments` property mapped to an append action; the append actions combine enrichment results from all sources into a single aggregated result.
4. For each enrichment source you added:
   - add a new append action
   - map the enrichment source component's `enrichments` output property to the append action
   - ensure the target is the aggregated enrichments object (not `$deleted`)
5. For each enrichment source you removed:
   - remove any append actions whose target is `$deleted`
   - remove append actions that reference deleted enrichment sources

Important: any append action whose target is `$deleted` must be removed to prevent errors.

Example Aggregate Enrichments configuration: if you have three enrichment sources (VirusTotal, Recorded Future, URLhaus), your Aggregate Enrichments action should have three append actions:

- append VirusTotal enrichments → aggregated enrichments
- append Recorded Future enrichments → aggregated enrichments
- append URLhaus enrichments → aggregated enrichments

### Step 4: Configure enrichment assets

Ensure that your enrichment provider assets are properly configured.

1. Navigate to Orchestration → Assets.
2. For each enrichment provider you're using:
   - locate or create the asset for that provider
   - configure authentication credentials (API keys, tokens, etc.)
   - set up any required connection parameters
   - test the asset connection to ensure it's working correctly
3. Verify that the asset names match what's configured in your enrichment source components.

Common enrichment providers: VirusTotal, Recorded Future, URLhaus, AbuseIPDB, Shodan, and others, depending on your subscription.

## Verification

After configuration, verify your setup.

Test the component:

- run a test playbook execution with a sample observable
- verify that enrichments are being retrieved from all configured sources
- check that the Aggregate Enrichments action is combining results correctly

Check output:

- verify that enrichment results appear in Threat Intelligence records
- confirm that enrichments are displayed in Case and Incident Management records
- ensure the primary intelligence provider (PIP) is correctly identified

Monitor performance:

- check execution times to ensure parallel enrichment is working efficiently
- monitor API rate limits, if applicable
- review error logs for any failed enrichment requests

## Troubleshooting

### Issue: enrichments not appearing

Possible causes:

- enrichment assets are not properly configured
- API credentials are invalid or expired
- enrichment source components are not receiving observable input

Solutions:

- verify asset configuration and test connections
- check API credentials and renew them if necessary
- verify that `inputs.observable` is correctly mapped in enrichment source components

### Issue: Aggregate Enrichments errors

Possible causes:

- append actions reference deleted enrichment sources
- append actions have `$deleted` as their target
- append actions are missing for new enrichment sources

Solutions:

- remove any append actions with `$deleted` targets
- add append actions for all active enrichment sources
- verify that each enrichment source's `enrichments` output is mapped correctly

### Issue: performance problems

Possible causes:

- too many enrichment sources running in parallel
- API rate limiting from enrichment providers
- network latency

Solutions:

- consider reducing the number of enrichment sources
- implement rate limiting or caching
- check network connectivity to enrichment providers

## Best practices

- Selective enrichment: only use enrichment sources that provide value for your specific observable types.
- Asset management: keep enrichment provider assets up to date with valid credentials.
- Error handling: configure proper error handling for failed enrichment requests.
- Performance: monitor and optimize the number of parallel enrichment sources.
- Cost management: be aware of API usage limits and costs for enrichment providers.
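The flow of Steps 2 and 3 and the Aggregate Enrichments troubleshooting rules, as an added Python model that is not Swimlane's own component code: three constructed provider stand-ins run in parallel, a validation pass rejects `$deleted` targets and append actions that do not match the active sources, and the per-type PIP supplies the canonical verdict. The provider functions, the `PIP` mapping and the shape of the observable object are assumptions made for this example.

```python
"""Model of the SOC Enrich Observables flow: parallel enrichment sources,
an aggregate step built from append actions, and a per-type primary
intelligence provider (PIP) that supplies the canonical verdict."""
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for enrichment source components; real components
# call the provider's API through a configured asset.
def virustotal(obs):
    return {"source": "virustotal", "verdict": "malicious", "permalink": f"vt://{obs['value']}"}

def recorded_future(obs):
    return {"source": "recorded_future", "verdict": "suspicious", "permalink": f"rf://{obs['value']}"}

def urlhaus(obs):
    return {"source": "urlhaus", "verdict": "unknown", "permalink": f"uh://{obs['value']}"}

SOURCES = {"virustotal": virustotal, "recorded_future": recorded_future, "urlhaus": urlhaus}

# Assumed PIP mapping: which source is the source of truth per observable type.
PIP = {"ip": "recorded_future", "domain": "virustotal", "url": "urlhaus", "hash": "virustotal"}

AGG_TARGET = "aggregated_enrichments"

def validate_append_actions(append_actions, active_sources):
    """Apply the troubleshooting rules: no $deleted targets, no append actions
    for removed sources, and an append action for every active source."""
    for src, target in append_actions:
        if target == "$deleted":
            raise ValueError(f"append action for {src} targets $deleted; remove it")
        if src not in active_sources:
            raise ValueError(f"append action references removed source {src}")
    missing = set(active_sources) - {s for s, _ in append_actions}
    if missing:
        raise ValueError(f"no append action for active sources: {sorted(missing)}")

def enrich_observable(obs, active_sources, append_actions):
    """Run the active sources in parallel (the parallel node), then aggregate."""
    validate_append_actions(append_actions, active_sources)
    with ThreadPoolExecutor(max_workers=max(1, len(active_sources))) as pool:
        results = list(pool.map(lambda s: SOURCES[s](obs), active_sources))
    # Only results whose append action targets the aggregated object are kept.
    keep = {s for s, t in append_actions if t == AGG_TARGET}
    aggregated = [r for r in results if r["source"] in keep]
    pip = PIP[obs["type"]]
    canonical = next((r for r in aggregated if r["source"] == pip), None)
    return {"observable": obs, "enrichments": aggregated, "pip": pip,
            "verdict": canonical["verdict"] if canonical else "unknown"}
```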