Does anybody has an idea how to check in the most easiest way, if an entity was already enriched e.g. by VirusTotal? The goal is to trigger the enrichment only if it wasn't enriched before. Also, the IsEnriched flag is no option, as it's set when any enrichment action took place before.
My current struggle is the following:
If both are in the same case/alert I don't find an easy way so that Entity A will only get the additional enrichment by VT and Entity B will have the enrichment by urlscan.
Any ideas are appreciated
If an entity was already enriched by VirusTotal
+5
+13
This comment was originally sent by Tom Fridman
@Michael_Schepp
when we enrich an entity, we add prefixes to the attributes we have added to this entity. So for example, you can see in the picture here, that i have enriched an entity with VirusTotal, and because of that, i now have attributes with VT3 prefix there.
View files in slack
+13
This comment was originally sent by Tom Fridman
All of the prefixes can be found in our platform, so basically, if a user can go over the entity's attributes, and search for the prefix - it can indicate whether this specific entity was enriched by a specific tool or not
+1Second on the prefix solution. We have internal enrichments and we enrich our entities with OurOrganizationname_
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.