Security incident observable enrichment

When certain third-party integrations are set up, the observable information in a security incident can be automatically enriched with threat information. This happens whenever the Source IP of an observable is modified.

When a modification occurs, a business rule initiates a workflow that retrieves data from threat logs and enriches the observables information in the security incident.

Before observables can be enriched, the following steps must be performed.
  • Threat Intelligence must be activated.
  • Each third-party integration must be activated and configured.
Note: The third-party integration process may require that a MID server is activated and configured.

After that setup has been completed, changing the Source IP of an observable associated with a security incident causes a business rule to execute a workflow. Workflow activities queue a search query on the third-party product, which returns pertinent information that is then attached to the security incident.
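The trigger-and-enrich flow described above, sketched as an added example rather than code from the product: the business rule fires only when the Source IP actually changed, validates the value before querying, and attaches only results not already on the incident. The threat log, field names (source_ip, enrichments) and queryThreatLog function are assumptions standing in for the third-party integration.

```javascript
// Constructed stand-in for the third-party threat log (assumption, not a real product API).
const THREAT_LOG = {
  "203.0.113.5": [{ indicator: "203.0.113.5", verdict: "malicious", source: "vendor-a", lastSeen: "2024-01-10" }],
  "198.51.100.7": [],
};

// Simulates the search query the workflow queues against the third-party product (assumed API).
function queryThreatLog(ip) {
  return (THREAT_LOG[ip] || []).slice();
}

// Only pass a well-formed IPv4 address to the third-party query; anything else is skipped.
function isValidIPv4(value) {
  if (typeof value !== "string") return false;
  const parts = value.split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Business-rule condition: the record's Source IP changed to a usable value.
function sourceIpChanged(previous, current) {
  return previous.source_ip !== current.source_ip && isValidIPv4(current.source_ip);
}

// Workflow body: query the threat log and attach new findings to the incident.
// Returns whether the workflow was queued and how many enrichments were added.
function enrichOnSourceIpChange(incident, previous, current) {
  if (!sourceIpChanged(previous, current)) return { queued: false, added: 0 };
  const results = queryThreatLog(current.source_ip);
  let added = 0;
  for (const r of results) {
    // Deduplicate on (source, indicator) so repeated edits do not pile up identical records.
    const exists = incident.enrichments.some((e) => e.source === r.source && e.indicator === r.indicator);
    if (!exists) {
      incident.enrichments.push({ ...r, observable: current.id });
      added++;
    }
  }
  return { queued: true, added };
}
```

Re-running the same change is harmless: the workflow is queued again, but nothing is duplicated on the incident.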