Enricher - Silobreaker

Use Silobreaker to enrich supported observables with In Focus Cyber Intelligence reports.

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name

Silobreaker

Supported observable types

  • ipv4

  • domain

  • malware

  • actor-id

  • hash-md5

  • hash-sha1

  • hash-sha256

  • cve

  • email

Output

Collective Threat Intelligence report attached to enriched observables

API endpoint

https://api.silobreaker.com/v1/infocus

Description

This enricher uses the Silobreaker In Focus API to enrich supported observables with analysis, related observables, and intelligence from the Silobreaker Online platform. Enriching an observable on the EclecticIQ Platform attaches a Silobreaker In Focus Cyber report entity to it, along with related observables.

Requirements

  • Silobreaker Online account

  • Silobreaker API key and Shared key

Automatic enrichment

Avoid setting up enrichment rules for the Silobreaker enricher.

Enrichment rules let this enricher run automatically, which may cause high network load and high resource use on the EclecticIQ Platform host. This is because the enricher creates a new Collective Threat Intelligence report each time it is used to enrich an observable.

Instead, run the enricher manually.

Set up the enricher

Before using the enricher, configure it with your Silobreaker API key and Shared key:

  1. Go to Data configuration > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting More > Edit in the top right.

  4. In the Edit enricher task view, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    | Field | Description |
    | --- | --- |
    | Silobreaker ApiKey* | Set this to your Silobreaker API key. |
    | Silobreaker Shared ApiKey* | Set this to your Silobreaker Shared API key. |

  5. Click Save to store your changes.

Default configuration

These are the default configuration parameters for the Silobreaker enricher:

Note

Required fields are marked with an asterisk (*).

| Field | Description |
| --- | --- |
| Name | Leave this as Silobreaker. Set by default. |
| Override TLP | Forces all entities and observables produced by this extension to inherit this TLP value. |
| Description* | Enter a description for this enricher. |
| Cache validity (sec)* | Set to 2592000 seconds (30 days) by default. |
| Rate limit (per sec)* | Set to 1000 seconds by default. |
| Monthly execution cap (runs)* | Set to 1000000 runs by default. |
| Source reliability* | Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
| Observable types* | Observable types to enrich. By default, this is set to the observables supported by the Silobreaker enricher: email, actor-id, malware, hash-md5, hash-sha256, cve, hash-sha1, ipv4, domain |
| Enabled | Select to enable this enricher. |
| API URL* | Set to https://api.silobreaker.com/v1/infocus by default. |
| SSL verification | Selected by default. Select to enable SSL verification. |
| Silobreaker ApiKey* | Set this to your Silobreaker API key. |
| Silobreaker Shared ApiKey* | Set this to your Silobreaker Shared API key. |
| Port | Set to port 80 by default. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. |

Enrichment result

When the Silobreaker enricher is applied to an observable, it attaches a Silobreaker In Focus Cyber Report entity to the enriched observable:

[Image: Silobreaker In Focus enricher example]