
Hi Team,

We have successfully integrated several supported Threat Intelligence (TI) platforms. However, we need guidance on properly configuring these integrations within our Security Orchestration, Automation, and Response (SOAR) system to ensure their visibility and functionality.

Could anyone provide detailed information on how to achieve this? Additionally, if there are specific configurations required within the SOAR system, please outline the necessary steps.


Thanks,

Neha.H

TI and SOAR setup depends on your specific tools. Check your SOAR guide for connecting different platforms, like TI ones. Read your TI platform guide to find out how it connects to other systems. Decide what information you want to move from TI to SOAR (threat indicators, etc.). Make sure the TI data fits the format your SOAR system uses. Use the guides to configure the connection with your TI platforms in SOAR. This might involve passwords, data format settings, and update schedules. Test to ensure the data flows smoothly between TI and SOAR and everything works as planned.


Hi @kirk2 ,

Thank you for the useful information.

Thanks,

Neha.H



Hi @kirk2 ,

We have integrated it and made sure that it fits all the requirements. But we are still getting an error for the same TI platform stating that not all the entities are enriched.

Sharing the screenshot for reference.

Thanks,

Neha.H



I looked at the Python, and it's not obvious from the code.
After the bottom IP (51) can you scroll down, is there a specific error message?

I notice you are enriching 'internal' IP addresses. To fix this:

Make sure the RFC1918 ranges are added to Networks

Then configure the action to be non internal

Try again; I don't think that will help, but it's worth trying


Hi @SoarAndy ,

As you mentioned, can I try selecting the option as "External Entities"?
And one more thing to add here: to avoid the error message specific to certain entities, I have selected "All Entities".

Still getting the same issue.

Can you suggest some other way, because this is creating a lot of issues.

Thanks,

Neha.H



Yes, use External; sorry, I mistyped.


One thing to know: "no entities were enriched" really means "entities WERE enriched, but no suspicious results came back". It's quite common to get this.
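The two points in this thread, scoping enrichment to external entities (with RFC1918 in Networks) and reading "no entities were enriched" as "enriched, nothing suspicious", as an added Python example; this is not code from the SOAR product or from anyone in the thread, and the Networks list, the TI feed and all function names are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for the SOAR "Networks" list: the RFC1918 ranges plus
# loopback and link-local, which no TI platform holds reputation data for.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed TI feed (indicator -> verdict); absence means "no known findings".
TI_FEED = {"203.0.113.7": "malicious", "198.51.100.9": "suspicious"}


def is_internal(entity: str) -> bool:
    """True when the entity is an IP inside a configured internal network."""
    try:
        addr = ipaddress.ip_address(entity)
    except ValueError:  # hostnames, hashes, URLs are never "internal" here
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def scope_entities(entities, scope="External Entities"):
    """Mimic the action's entity scope: 'All Entities' or 'External Entities'."""
    if scope == "All Entities":
        return list(entities)
    return [e for e in entities if not is_internal(e)]


def enrich(entities, scope="External Entities"):
    """Map each entity to skipped_internal, enriched_clean, or the feed verdict.

    'enriched_clean' is what the platform reports as "no entities were
    enriched": the lookup ran, but the feed returned nothing suspicious.
    """
    in_scope = set(scope_entities(entities, scope))
    return {e: TI_FEED.get(e, "enriched_clean") if e in in_scope
            else "skipped_internal" for e in entities}


def summarize(results):
    """Count outcomes so a 'no findings' run is not mistaken for a failure."""
    summary = {}
    for outcome in results.values():
        summary[outcome] = summary.get(outcome, 0) + 1
    return summary
```

With the default "External Entities" scope, private addresses are skipped rather than sent to the feed, and the summary separates clean lookups from real verdicts.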



Hi @SoarAndy ,

I agree with your point that the entities aren't being enriched because there's no malicious activity associated with them—this is likely the case. Now I understand that we need to analyze the entities more thoroughly and select the scope correctly. Making these changes might lead to more effective results.

Thank you for your help Andy.

Thanks,

Neha.H
