3. Auto Submit + Enrich + Re-enrich NEs (ES)

Updated 7 months ago by Steven Chamales

TruSTAR strongly recommends that all Enterprise Security users configure their search heads to automatically:

  • submit Threat Activity notable events to a TruSTAR enclave.
  • enrich Threat Activity notable events.
  • re-submit unresolved Threat Activity notable events to the enclave every X hours, which triggers TruSTAR to fetch current enrichment about that NE's observable from query-style intel sources.
    • determine period "X" according to how your query-style intel sources meter their API requests.
  • re-enrich unresolved Threat Activity notable events every hour for the first 96 hours of their existence.
    • The 96-hour limit is based on a rather arbitrary assumption: if a user hasn't dealt with an NE in the first 96 hours of its existence, the user likely has no intention of dealing with it, so there is no need to expend intel source API credits keeping its enrichment current.
    • Note: do not fret over TruSTAR API call quotas. They exist to protect the platform from DoS attacks. As long as your daily API quota needs come from legitimate traffic from our integration, TruSTAR account managers will increase the quotas.

Because TruSTAR so strongly recommends that all ES users configure this functionality, instructions for doing so are included in the installation guide.
