Enrichment with delayed data freshness reduces data quality

We use the Rapid7 Insight feed (asset enrichment) to enrich our entity data model. The feed seems to run once a day, but this is an issue because Rapid7 also enriches the IP (entity.asset.ip). In an environment where static IP addresses are not used, the mapping from IP address to hostname is quickly outdated. This results in enrichment with false hostnames (because the outdated Rapid7 data is used to enrich events).

What is the best way to deal with the issue?

Two ideas that came to mind: change the ingest schedule of the Rapid7 feed so that more recent data is available; this would shift the issue to Rapid7 (where the data freshness is 6 hours). Or I could customize the parser and drop the IP addresses; then I guess the mapping would only run via MAC addresses.

Has anyone experienced similar issues, and how did you solve them?
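One way to make the second option concrete, as an added example that is not part of the original post and not Rapid7 or Google SecOps code: prefer the MAC-to-hostname mapping, and keep the IP-to-hostname mapping only while the asset snapshot is younger than a TTL, rather than dropping IPs altogether. The feed field names (`ip`, `mac`, `hostname`, `observed`), the event shape and all sample data are constructed for the example; the 6-hour TTL mirrors the Rapid7 data freshness mentioned above, and the 24-hour comparison shows what a daily ingest does to the same events.

```python
"""Freshness-aware asset enrichment (added example, hypothetical schema).

A stale IP->hostname entry is worse than no hostname, so IP-based lookups are
accepted only while the snapshot entry is younger than a TTL. MAC-based lookups
are tried first because a MAC survives DHCP churn.
"""
from datetime import datetime, timedelta, timezone

# Constructed asset snapshot (hypothetical field names, not the Rapid7 schema).
# "observed" is when the feed last saw the asset at that IP.
ASSET_FEED = [
    {"ip": "10.0.1.20", "mac": "00:11:22:33:44:55",
     "hostname": "laptop-alice", "observed": "2024-05-01T02:00:00Z"},
    {"ip": "10.0.1.21", "mac": "66:77:88:99:aa:bb",
     "hostname": "laptop-bob", "observed": "2024-05-01T02:00:00Z"},
    {"ip": "10.0.1.22", "mac": "cc:dd:ee:ff:00:11",
     "hostname": "printer-3f", "observed": "2024-05-01T20:30:00Z"},
]

# Constructed events. The second one carries the IP the snapshot attributed to
# laptop-alice, but DHCP has since handed it to a device whose MAC is not in the
# feed: the false-hostname case from the post.
EVENTS = [
    {"ts": "2024-05-01T21:00:00Z", "ip": "10.0.1.21", "mac": "66:77:88:99:aa:bb"},
    {"ts": "2024-05-01T21:05:00Z", "ip": "10.0.1.20", "mac": "de:ad:be:ef:00:01"},
    {"ts": "2024-05-01T21:10:00Z", "ip": "10.0.1.22", "mac": None},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_indexes(feed):
    """Index the snapshot by MAC (stable key) and by IP (volatile key)."""
    by_mac = {a["mac"].lower(): a for a in feed if a.get("mac")}
    by_ip = {a["ip"]: a for a in feed if a.get("ip")}
    return by_mac, by_ip


def enrich(event, by_mac, by_ip, ip_ttl):
    """Return (hostname, basis); basis is 'mac', 'ip' or None.

    MAC wins when the event has one that the snapshot knows. The IP entry is
    used only if it was observed at most ip_ttl before the event (a snapshot
    entry observed after the event is not trusted either); otherwise the
    mapping is treated as stale and no hostname is attached.
    """
    mac = (event.get("mac") or "").lower()
    if mac and mac in by_mac:
        return by_mac[mac]["hostname"], "mac"
    asset = by_ip.get(event.get("ip"))
    if asset is None:
        return None, None
    age = parse_ts(event["ts"]) - parse_ts(asset["observed"])
    if timedelta(0) <= age <= ip_ttl:
        return asset["hostname"], "ip"
    return None, None


def enrich_all(events=EVENTS, feed=ASSET_FEED, ip_ttl_hours=6):
    """Enrich every event; ip_ttl_hours models the feed's freshness window."""
    by_mac, by_ip = build_indexes(feed)
    ttl = timedelta(hours=ip_ttl_hours)
    return [{**ev, "hostname": h, "basis": b}
            for ev in events
            for h, b in [enrich(ev, by_mac, by_ip, ttl)]]


if __name__ == "__main__":
    for ttl in (6, 24):
        print(f"--- IP TTL {ttl}h ---")
        for row in enrich_all(ip_ttl_hours=ttl):
            print(row["ts"], row["ip"], row["hostname"], row["basis"])
```

With a 6-hour TTL the second event gets no hostname instead of the wrong one, and the printer is still resolved via IP because its snapshot entry is 40 minutes old; with a 24-hour TTL (the daily schedule) the same event is wrongly tagged laptop-alice. Dropping the IP from the parser entirely is the special case of a zero TTL.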

Solved

1 ACCEPTED SOLUTION

I thought above you said you could change it to 6 hours. Modifying the parser works, but that's not ideal, so maybe we could modify the gopher feed interval time in the command line for SecOps.


7 REPLIES