Edit enrichment rules

To edit enricher rules, do the following:

  1. In the left navigation bar, go to Data configuration > Rules > Enrichment.

  2. The Enrichment view lists the configured enricher rules.
    You can sort the items by using the column header.
    The icons in the header indicate ascending and descending sort order.

To edit the details of a specific rule, do the following:

  1. Click an area in the row of the rule you want to examine.
    An overlay slides in from the side of the screen to display the rule detail pane.

  2. In the rule detail pane, click Actions, and then Edit.

Alternatively:

  1. Go to the row of the enricher you want to configure or modify, and click the icon that opens the drop-down menu.

  2. From the drop-down menu, select Edit.

  3. In the Name field, enter a name to identify the rule. It should be descriptive and easy to remember.

  4. In the Description field, optionally enter a short description to provide more information and context.

  5. From the Source drop-down menu, select the incoming feed, enricher, or group whose entities and observables you want to augment with additional information.

  6. From the Entity types drop-down menu, select the entity types you want to enrich with additional information.

  7. From the TLP drop-down menu, select the TLP color code you want to use to filter enrichment data.
    TLP (Traffic Light Protocol) provides an intuitive reference to assess how sensitive information is, in particular how serious it is and with whom it should or should not be shared.

  8. Click Add or More to add a new filtering option.
    For example, you can include another incoming feed or a different entity type.

  9. From the Enrichers drop-down menu, select one or more enrichers to apply the rule to.
    Enrichers are external data providers that are polled to obtain relevant enricher raw data; for example, whois lookup, reverse DNS, or GeoIP information.

  10. Select the Enabled checkbox to enable the rule immediately after creating it.

  11. Click Save to store your changes, or Cancel to discard them.