Automated Enrichment Workflows

When it comes to investigating security events taking place on your network, detail and context often dictate how much time you have to spend determining if the event poses a threat. To provide you with as much contextual information as possible on the data points contained within your investigations, InsightIDR features several automated enrichment workflows that you can run manually as needed, or automatically with configured triggers.


InsightIDR offers a multitude of built-in enrichment workflow templates that you can configure. These workflows can process and enrich the following input data types:

  • Asset
  • Domain
  • IP Address
  • Process
  • URL
  • User

Most enrichment workflow templates can process four or more of these data types from the same investigation, but InsightIDR does not require all data types to be present for the workflow to run. As long as an enrichment workflow has viable input to process, it will return enriched content for your security teams to use.

What constitutes "enriched" data?

The enrichment process provides additional detail and context for each of your input values depending on the data type. For example, an enriched IP address can return geolocation data, date of registration, and information about the organization that the address may be tied to. Similarly, an enriched URL can return the full-length URL if the attacker has shortened it in an attempt to hide a conspicuous original.

In short, enrichment is about getting more information on the data points contained within your investigations. This can help your security team understand which events are threats and which aren’t.


Enrichment workflows rely on several third-party and open-source plugins to process your investigation data. To enable the workflow to pass input and output between these plugins, you’ll need to install and activate an Insight Orchestrator.

Enrichment Workflow Documentation

See the following pages for dedicated configuration articles on enrichment workflows available today: