One of the challenges when performing a security investigation is the endless stream of alerts with little to no context. Analysts are often overwhelmed, with too little time to separate the noise from the high-severity alerts. Automatic incident enrichment with XSOAR speeds up the triage process and helps analysts make an informed decision by presenting the bigger picture in a single pane of glass.
Using what we learned in the previous article, let's take a look at how indicators are automatically created and enriched using the VirusTotal integration.
Navigate to the Incidents page and click “New Incident.” With the new incident form open, add some IOCs that you want to extract and enrich with the VirusTotal integration. (I used some IP addresses from the abuse.ch feed for demonstration purposes, but you can use whatever you want.)
For training purposes, leave the Incident Type set to Unclassified and use the default playbook. The details section should contain the Indicators of Compromise and data that you want to extract and enrich.
Now that we have created the incident manually, you will see that the indicators were automatically extracted and their reputation calculated using the VirusTotal integration.
Monitoring Integration API Usage and Enrichment Commands
Clicking on an indicator, you can see the verdict as well as the enrichment source. If you have configured any other sources besides VirusTotal, they would appear here as well.
Lastly, you can monitor your API usage with the built-in API metrics dashboards on the homepage.
Automatic incident enrichment relies on indicator extraction: it takes different text sources in the system (such as War Room entries, email content, etc.), extracts indicators from them (usually with regular expressions), and creates those indicators in Cortex XSOAR. After extraction, an indicator can be enriched. Indicator enrichment takes the extracted indicator and provides detailed information about it (from open ports to whois information, etc.), telling a story about the indicator based on an enrichment source such as VirusTotal, IPinfo, etc.
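To make the two stages concrete, here is an added example (not code from the original article or from Cortex XSOAR) of regex-based extraction followed by a verdict merge across sources. The sample text, the short TLD list, the "worst verdict wins" ranking and the lookup tables are all constructed assumptions standing in for the War Room entry and the VirusTotal/IPinfo responses XSOAR would work with; no network calls are made. It also handles two things extraction has to get right in practice: refanging defanged IoCs (hxxp://, [.]) and discarding internal or malformed addresses before they consume API quota.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample text standing in for a War Room entry or email body.
# Addresses come from the RFC 5737 documentation ranges and the hash is the
# SHA-256 of the empty string; none of these are real IoCs.
SAMPLE_TEXT = """
Subject: suspicious login attempts
Source hxxp://203[.]0[.]113[.]45/login.php was seen hitting the VPN gateway.
Second host: 198.51.100.7, plus an internal box 10.0.0.5 (expected).
Attachment sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Contact example.com if in doubt. Agent build 2.5.300.1 is not an address.
"""

# Extraction regexes. The TLD list is an assumption kept short for the demo;
# a production extractor would use the full public suffix list.
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ch)\b", re.IGNORECASE),
}

# RFC 1918 and loopback ranges: internal addresses are not worth a lookup.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed verdict ranking, worst wins; this is a generic convention, not XSOAR's own scoring.
VERDICT_RANK = {"unknown": 0, "good": 1, "suspicious": 2, "malicious": 3}

# Constructed lookup tables standing in for two enrichment integrations.
CONSTRUCTED_LOOKUPS = {
    "VirusTotal": {"203.0.113.45": "malicious", "198.51.100.7": "good", "example.com": "good"},
    "OtherFeed": {"203.0.113.45": "unknown", "example.com": "suspicious"},
}


def refang(text: str) -> str:
    """Undo the hxxp:// and [.] / (.) / {.} defanging analysts use in reports."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)


def is_external_ip(value: str) -> bool:
    """True only for a syntactically valid IPv4 address outside internal ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:  # e.g. an octet above 255 such as 2.5.300.1
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Stage 1: regex extraction, deduplicated and sorted per indicator type."""
    text = refang(text)
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS.items():
        values = {m.group(0) if kind == "url" else m.group(0).lower()
                  for m in pattern.finditer(text)}
        if kind == "ip":
            values = {v for v in values if is_external_ip(v)}
        found[kind] = sorted(values)
    return found


def enrich(indicators: Dict[str, List[str]],
           lookups=CONSTRUCTED_LOOKUPS) -> Tuple[List[dict], Dict[str, int]]:
    """Stage 2: query every source per indicator, merge verdicts, count API calls."""
    records: List[dict] = []
    api_calls = {name: 0 for name in lookups}
    for kind, values in indicators.items():
        for value in values:
            sources = {}
            for name, table in lookups.items():
                api_calls[name] += 1  # one query per indicator per source
                if value in table:
                    sources[name] = table[value]
            verdict = max(sources.values(), key=VERDICT_RANK.get, default="unknown")
            records.append({"value": value, "type": kind,
                            "verdict": verdict, "sources": sources})
    return records, api_calls


if __name__ == "__main__":
    extracted = extract_indicators(SAMPLE_TEXT)
    results, calls = enrich(extracted)
    for record in results:
        print(f"{record['type']:7} {record['value']:48} {record['verdict']:10} {record['sources']}")
    print("API calls per source:", calls)
```

The per-source call counter is the same figure the API metrics dashboard on the homepage tracks; skipping internal and malformed addresses before the lookup loop is what keeps that number, and the resulting quota spend, proportional to indicators actually worth enriching.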
Note: There are several methods for performing indicator extraction, some of which are less resource intensive than others and use less disk space, since you extract only what you specifically choose (e.g. the body of an email). I would suggest reading about the different modes, using the incident type method as a starting point. Additionally, the Customer Success team has put together an excellent engineer training series that we highly recommend.