Automated IOC Enrichment

  • Release version: Xanadu
  • Updated August 1, 2024
  • 1 minute to read
  • Learn how to automate enrichment of IOCs using flows when they match certain criteria.

    Before you begin

    Role required:
    • System Administrator (view, create or edit)
    • sn_sec_tisc.admin (view)

    About this task

    Automated enrichment of IOCs triggers only when:
    • the type of the observable is a domain name, IPv4 address, or IPv6 address.
    • the observable is in a processed state.
    • the observable does not have the tags enriched or Skip Enrichment.

    Procedure

    1. Navigate to All > Threat Intelligence Security Center > Administration.
    2. Select Automated Flows.
    3. Select the Automated IOC Enrichment action link to view the respective rule details in the flow designer.
    4. View the flow designer action for the following trigger:
      Observable Updated where (Type is Domain Name, or Type is IP address (V4), or Type is IP address (V6); and Processing Status is Processed; and TISC Tags does not contain Enriched, or TISC Tags does not contain Skip Enrichment, or TISC Tags does not contain Potential New Threat)
    5. If the observable is an IPv4 or IPv6 address and it falls within an allowed CIDR range, then:
      1. Add the observable to Allow List.
      2. Update the observable's tags to Skip Enrichment.
      3. End the flow for this observable.
    6. Else, enrich the observable data with available capabilities:
      1. Perform threat lookup and sighting search to gather additional information about the observable.
      2. Update the observable with enriched data.
      3. Add a tag Enriched to indicate that the IOC has been processed.
    7. Also, if the observable's reputation is clean, then:
      1. Mark the observable as a false positive and inactivate it.
    8. Else, if the observable's reputation is unknown:
      1. Add the tags Not Potential Threat & Enriched to indicate that it is not a threat.

    Figure: Automated IOC Enrichment in TISC.
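The decision logic of the flow above (trigger conditions, allow-list CIDR short-circuit, enrichment tagging, and the clean/unknown reputation branches), written out as an added stand-alone Python example. This is not the ServiceNow flow itself or any TISC API; the `Observable` record, the `ALLOWED_CIDRS` list, and the `lookups` dictionary standing in for the threat lookup and sighting search are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed allow-list ranges; in TISC these come from the configured Allow List.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")]


@dataclass
class Observable:
    """Minimal stand-in for a TISC observable record (hypothetical fields)."""
    value: str
    otype: str                      # "domain", "ipv4" or "ipv6" are eligible types
    status: str                     # flow requires "processed"
    tags: set = field(default_factory=set)
    reputation: str = "unknown"     # "malicious", "clean" or "unknown" after lookup
    active: bool = True
    false_positive: bool = False
    allow_listed: bool = False


def should_trigger(obs: Observable) -> bool:
    """Trigger: eligible type, processed, and neither Enriched nor Skip Enrichment tag present."""
    return (obs.otype in {"domain", "ipv4", "ipv6"}
            and obs.status == "processed"
            and not ({"Enriched", "Skip Enrichment"} & obs.tags))


def in_allowed_range(obs: Observable) -> bool:
    """True only for IPv4/IPv6 observables that fall inside an allow-listed CIDR."""
    if obs.otype not in {"ipv4", "ipv6"}:
        return False
    try:
        addr = ipaddress.ip_address(obs.value)
    except ValueError:              # malformed address: never treat as allow-listed
        return False
    return any(addr in net for net in ALLOWED_CIDRS)   # version mismatch yields False


def run_enrichment_flow(obs: Observable, lookups: dict) -> str:
    """Apply the flow to one observable; returns an outcome label useful for auditing."""
    if not should_trigger(obs):
        return "not_triggered"
    if in_allowed_range(obs):       # step 5: allow-list, tag Skip Enrichment, end flow
        obs.allow_listed = True
        obs.tags.add("Skip Enrichment")
        return "allow_listed"
    obs.reputation = lookups.get(obs.value, "unknown")  # step 6: threat lookup + sightings
    obs.tags.add("Enriched")
    if obs.reputation == "clean":   # step 7: false positive, inactivate
        obs.false_positive, obs.active = True, False
    elif obs.reputation == "unknown":   # step 8: mark as not a potential threat
        obs.tags.add("Not Potential Threat")
    return "enriched:" + obs.reputation
```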