Enricher - Webroot

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

  • Enricher name: Webroot Enricher

  • Supported observable types: ipv4, uri

  • Output: See Enrichment result.

  • API endpoint: See Enrichment result.

  • Description: Enrich ipv4, hash-md5, domain and uri observables with Webroot BrightCloud Threat Intelligence to see historical data and related intelligence.

Requirements

  • Webroot BrightCloud OEM ID

  • Webroot BrightCloud Device ID

  • Webroot BrightCloud User ID

Set up the enricher

Before using the enricher, configure it to add your Webroot BrightCloud OEM ID, Webroot BrightCloud Device ID, and Webroot BrightCloud User ID:

  1. Go to Data configuration > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting More > Edit from the top right.

  4. In the Edit enricher task view, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    • Webroot BrightCloud OEM ID*: Enter your BrightCloud OEM ID.

    • Webroot BrightCloud Device ID*: Enter your BrightCloud Device ID.

    • Webroot BrightCloud User ID*: Enter your BrightCloud User ID.

  5. Click Save to store your changes.

Default configuration

These are the default configuration parameters for the Webroot enricher:

Note

Required fields are marked with an asterisk (*).

  • Name: Leave this as Webroot Enricher. Set by default.

  • Override TLP: Forces all entities and observables produced by this extension to inherit this TLP value.

  • Description*: Enter a description for this enricher.

  • Cache validity (sec)*: Set to 2592000 seconds (30 days) by default.

  • Rate limit (per sec)*: Set to 1000 requests per second by default.

  • Monthly execution cap (runs)*: Set to 1000000 runs by default.

  • Source reliability*: Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System.

  • Observable types*: Observable types to enrich. By default, this is set to the observables supported by the Webroot enricher: ipv4, domain, hash-md5, uri.

  • Enabled: Select to enable this enricher.

  • API URL*: Set to https://api.bcti.brightcloud.com/1.0/ by default.

  • SSL verification: Selected by default. Select to enable SSL verification.

  • Webroot BrightCloud OEM ID*: Enter your BrightCloud OEM ID. Not set by default.

  • Webroot BrightCloud Device ID*: Enter your BrightCloud Device ID. Not set by default.

  • Webroot BrightCloud User ID*: Enter your BrightCloud User ID. Not set by default.

  • Port: Set to port 80 by default.

  • Path to SSL certificate file: Used when connecting to a feed source that uses a custom CA. Set this to the path of the SSL certificate to use when authenticating the feed source.
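The parameters above interact at run time: a lookup is served from cache while it is younger than the cache validity, otherwise it counts against both the per-second rate limit and the monthly execution cap, and the two SSL fields together decide how the API's certificate is checked. The following is an added illustration of those rules, not EclecticIQ's or Webroot's own code; the class and function names are hypothetical, the clock is injected so the behaviour can be exercised offline, and no real API call is made.

```python
"""Added illustration of how the Webroot enricher's default parameters interact
at run time: the TTL cache, the per-second rate limit, the monthly execution cap
and the SSL settings. This is NOT the EclecticIQ or Webroot implementation; the
names are hypothetical and the clock is injected so the logic runs offline."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple, Union

# Defaults taken from the configuration list above.
CACHE_VALIDITY_SEC = 2592000      # 30 days
RATE_LIMIT_PER_SEC = 1000
MONTHLY_EXECUTION_CAP = 1000000
DEFAULT_API_URL = "https://api.bcti.brightcloud.com/1.0/"


def tls_verify_setting(ssl_verification: bool, cert_path: Optional[str]) -> Union[bool, str]:
    """Translate the two SSL fields into the value an HTTP client's `verify`
    argument takes: the custom CA bundle path when one is configured,
    otherwise True (system trust store) or False (verification disabled)."""
    if not ssl_verification:
        return False
    return cert_path if cert_path else True


@dataclass
class EnrichmentGate:
    """Decides whether an enrichment lookup may hit the API: repeats are served
    from cache, and calls that would exceed the rate limit or the monthly cap
    are refused. `now` is injectable (defaults to time.time)."""
    cache_validity: int = CACHE_VALIDITY_SEC
    rate_limit: int = RATE_LIMIT_PER_SEC
    monthly_cap: int = MONTHLY_EXECUTION_CAP
    now: Callable[[], float] = time.time
    _cache: Dict[Tuple[str, str], Tuple[float, dict]] = field(default_factory=dict)
    _second: int = -1          # wall-clock second of the current rate window
    _in_second: int = 0        # API calls made in that second
    _month: Tuple[int, int] = (0, 0)   # (year, month) of the current cap window
    _in_month: int = 0         # API calls made in that calendar month

    def lookup(self, obs_type: str, value: str, fetch: Callable[[], dict]) -> Tuple[str, dict]:
        """Return (source, result) where source is one of
        "cache", "api", "rate-limited" or "monthly-cap"."""
        key = (obs_type, value)
        t = self.now()
        hit = self._cache.get(key)
        if hit and t - hit[0] < self.cache_validity:
            return "cache", hit[1]
        # Monthly execution cap: reset the counter when the calendar month changes.
        tm = time.gmtime(t)
        month = (tm.tm_year, tm.tm_mon)
        if month != self._month:
            self._month, self._in_month = month, 0
        if self._in_month >= self.monthly_cap:
            return "monthly-cap", {}
        # Per-second rate limit: reset the counter when the second changes.
        sec = int(t)
        if sec != self._second:
            self._second, self._in_second = sec, 0
        if self._in_second >= self.rate_limit:
            return "rate-limited", {}
        self._in_second += 1
        self._in_month += 1
        result = fetch()           # the real enricher would call the API here
        self._cache[key] = (t, result)
        return "api", result


if __name__ == "__main__":
    gate = EnrichmentGate()
    print(gate.lookup("ipv4", "192.0.2.1", lambda: {"constructed": True}))
    print(gate.lookup("ipv4", "192.0.2.1", lambda: {"constructed": True}))  # cache
    print(tls_verify_setting(True, "/etc/ssl/custom-ca.pem"))
```

With the defaults, an observable re-enriched inside 30 days costs nothing against the monthly cap, which is why the cache validity is the main lever for staying under the cap on a busy instance.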

Enrichment result

The table below shows possible enrichment results, per enriched observable type, with the API endpoints queried and the entities produced:

ipv4

  API endpoints:

  • /ip/getgeoinfo

  • /ip/getinfo

  • /ip/getthreathistory

  Enrichment results: Enriching ipv4 observables attaches the following entities where available:

  • Indicator, IP Watchlist: For enriched ipv4 observables. The enricher creates a new indicator named after the enriched observable. Enrichment results are attached to this indicator.

  • Observable, country: Country associated with the ipv4 observable. Attached to the IP Watchlist indicator.

  • Observable, country-code: ISO 3166-1 alpha-2 country code associated with the ipv4 observable. Attached to the IP Watchlist indicator.

  • Observable, city: City associated with the ipv4 observable. Attached to the IP Watchlist indicator.

  • Observable, geo-lat: Geographical latitude associated with the ipv4 observable. Attached to the IP Watchlist indicator.

  • Observable, geo-long: Geographical longitude associated with the ipv4 observable. Attached to the IP Watchlist indicator.

  • Observable, organization: Organization name associated with the ipv4 observable. Attached to the IP Watchlist indicator.

  • Observable, asn: Autonomous System Number (ASN) associated with the ipv4 observable. Attached to the IP Watchlist indicator.

uri

  API endpoints:

  • /url/getcatlist

  • /url/getinfo

  • /url/getrepinfo

  • /url/getwhoisinfofull

  Enrichment results: Enriching uri observables attaches the following entities where available:

  • Indicator, URL Watchlist: For enriched uri observables. The enricher creates a new indicator named after the enriched observable.

  • Observable, country: Country associated with the uri observable. Attached to the URL Watchlist indicator.

  • Observable, country-code: ISO 3166-1 alpha-2 country code associated with the uri observable. Attached to the URL Watchlist indicator.

  • Observable, city: City associated with the uri observable. Attached to the URL Watchlist indicator.

  • Observable, street: Street name associated with the uri observable. Attached to the URL Watchlist indicator.

  • Observable, organization: Organization name associated with the uri observable. Attached to the URL Watchlist indicator.

  • Observable, telephone: Phone number associated with the uri observable. Attached to the URL Watchlist indicator.

  • Observable, email: Email address associated with the uri observable. Attached to the URL Watchlist indicator.

  • Observable, domain: Domain names associated with the uri observable. Attached to the URL Watchlist indicator.
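The entity graph described above is the same shape for both types: one Indicator named after the enriched observable, with a fixed set of observable types attached only when the lookup returned a value. The following is an added example of building that graph from a lookup result; it is not EclecticIQ's or Webroot's code, the response field names are hypothetical stand-ins (BrightCloud's real payload keys are not given on this page), and the sample responses are constructed.

```python
"""Added example (not EclecticIQ or Webroot code) of the entity graph the
Enrichment result table describes: one Indicator named after the enriched
observable, with the listed observable types attached where available.
Response field names are hypothetical; sample responses are constructed."""
from typing import Dict, List, Optional

# Attached observable type -> key in the (hypothetical) merged lookup response,
# following the per-type lists in the table above.
ATTACHED_TYPES: Dict[str, Dict[str, str]] = {
    "ipv4": {
        "country": "country", "country-code": "country_code", "city": "city",
        "geo-lat": "latitude", "geo-long": "longitude",
        "organization": "organization", "asn": "asn",
    },
    "uri": {
        "country": "country", "country-code": "country_code", "city": "city",
        "street": "street", "organization": "organization",
        "telephone": "telephone", "email": "email", "domain": "domains",
    },
}
INDICATOR_NAME = {"ipv4": "IP Watchlist", "uri": "URL Watchlist"}


def build_watchlist(obs_type: str, value: str, response: dict) -> Optional[dict]:
    """Return {"indicator": {...}, "observables": [...]} for a supported type,
    or None when the table documents no result mapping for the type."""
    if obs_type not in ATTACHED_TYPES:
        return None
    observables: List[Dict[str, str]] = []
    for attached_type, key in ATTACHED_TYPES[obs_type].items():
        raw = response.get(key)
        if raw is None or raw == "" or raw == []:
            continue  # "where available": an absent field yields no observable
        # Multi-valued fields (e.g. whois domain names) become one observable each.
        values = raw if isinstance(raw, list) else [raw]
        for v in values:
            observables.append({"type": attached_type, "value": str(v)})
    return {
        "indicator": {"type": INDICATOR_NAME[obs_type], "name": value},
        "observables": observables,
    }


# Constructed sample responses (not real BrightCloud output).
SAMPLE_IP_RESPONSE = {
    "country": "Netherlands", "country_code": "NL", "city": "Amsterdam",
    "latitude": 52.37, "longitude": 4.9, "organization": "Example Hosting BV",
    "asn": 64496,
}
SAMPLE_URI_RESPONSE = {
    "country": "Netherlands", "country_code": "NL", "city": "",  # city unavailable
    "organization": "Example Registrant", "email": "abuse@example.com",
    "domains": ["example.com", "www.example.com"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_watchlist("ipv4", "192.0.2.10", SAMPLE_IP_RESPONSE), indent=2))
    print(json.dumps(build_watchlist("uri", "http://www.example.com/login",
                                     SAMPLE_URI_RESPONSE), indent=2))
```

The "where available" rule matters for downstream correlation: an empty whois field must produce no observable at all rather than an empty-valued one, otherwise every enriched URL with missing registrant data would be linked through a shared blank city or street.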