Set and run enricher rules to add intelligence value to Intelligence Center entities by integrating additional context, which helps you draw a more accurate map of the threat landscape under investigation.
To automatically enrich entities, make sure enricher tasks are active, and the necessary enrichment rules are configured.
Rules give you control over the type of information you want to retrieve or exclude, and what you want to do with it. You can assign one or more enricher sources to specific observable types.
You can set multiple filters to cover usage scenarios as needed.
You can then examine the returned enrichment observable data, as well as route it to other devices that enforce cyber threat detection or prevention.
To add a new enricher rule, do the following:
In the left navigation bar, go to Data configuration > Rules > Enrichers.
The Enrichment view shows the configured enricher rules.
You can sort the items on the view by column header. To do so, click the column header you want to base the data sorting on.
An upward-pointing or a downward-pointing arrow in the header indicates ascending and descending sort order, respectively.
In the Name field, enter a name to identify the rule. It should be descriptive and easy to remember.
In the Description field, enter a short description to clarify the purpose of the rule and the type of data it applies to.
This is helpful as the number of rules users create in the Intelligence Center grows over time. A short description provides context and reminds you why the rule is in place.
Click Add or More to add a filtering option.
From the Source drop-down menu, select the incoming feed, enricher, or group whose entities and observables you want to augment with additional information.
From the Entity types drop-down menu, select the entity types you want to enrich with additional information.
From the TLP drop-down menu, select the TLP color code you want to use to filter enrichment data.
TLP provides an intuitive reference for assessing how sensitive a piece of information is, how serious it is, and with whom it should or should not be shared.
Click Add or More to add another filtering option, for example to include another incoming feed or a different entity type. A filter can take only one source and one entity type at a time, but you can set up rules with as many filters as you need.
From the Enrichers drop-down menu, select one or more enrichers to apply the rule to.
When a rule is applied to one or more enrichers, it filters the enrichment data polled from the enricher source, based on the specified rule filters and criteria.
Select the Enabled checkbox to enable the rule immediately after creating it.
Click Save to store your changes, or Cancel to discard them.
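The following is an added illustrative model of the rule semantics described above (one source and one entity type per filter, several filters per rule, a rule applied to one or more enrichers, and an Enabled flag). It is not Intelligence Center code or its API; the field names, the TLP ordering, and the assumption that a TLP filter admits entities at or below the selected color are all assumptions, and the rules and entities are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: TLP colors ordered from least to most restrictive.
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}


@dataclass(frozen=True)
class Filter:
    source: str                # one incoming feed, enricher or group per filter
    entity_type: str           # one entity type per filter
    tlp: Optional[str] = None  # None means no TLP restriction


@dataclass
class EnricherRule:
    name: str
    description: str
    filters: list            # several filters are allowed; any one may match
    enrichers: list          # enrichers this rule is applied to
    enabled: bool = True     # the Enabled checkbox

    def matches(self, entity: dict) -> bool:
        """True when the rule is enabled and at least one filter accepts the entity."""
        if not self.enabled:
            return False
        for f in self.filters:
            if f.source != entity["source"] or f.entity_type != entity["type"]:
                continue
            # Assumption: a TLP filter admits entities at or below the chosen color.
            if f.tlp is not None and TLP_ORDER[entity["tlp"]] > TLP_ORDER[f.tlp]:
                continue
            return True
        return False


def plan_enrichment(rules, entities) -> dict:
    """Map each matched entity id to the sorted set of enrichers that will run on it."""
    plan = {}
    for e in entities:
        chosen = {enr for r in rules if r.matches(e) for enr in r.enrichers}
        if chosen:
            plan[e["id"]] = sorted(chosen)
    return plan


# Constructed sample rules and entities (hypothetical names).
RULES = [
    EnricherRule("ioc-context", "Enrich feed-a indicators and feed-b reports",
                 [Filter("feed-a", "indicator", tlp="amber"), Filter("feed-b", "report")],
                 ["dns-lookup", "whois"]),
    EnricherRule("disabled-rule", "Kept for reference, not active",
                 [Filter("feed-a", "report")], ["geoip"], enabled=False),
]
ENTITIES = [
    {"id": "e1", "source": "feed-a", "type": "indicator", "tlp": "green"},  # matches filter 1
    {"id": "e2", "source": "feed-a", "type": "indicator", "tlp": "red"},    # above amber: skipped
    {"id": "e3", "source": "feed-b", "type": "report", "tlp": "white"},     # matches filter 2
    {"id": "e4", "source": "feed-a", "type": "report", "tlp": "white"},     # only a disabled rule
]
```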