Configure enrichers

Configure enrichers to augment intelligence value with additional context obtained from selected intel providers and data sources.

For information about the configuration details of a specific enricher, click the link to the desired enricher under List of enrichers.

If an enricher is not available, you may need to install it on your platform instance.

Some enrichers may require a paid subscription to the data provider that the enricher pulls data from.

Edit an enricher

Most enrichers have to be configured before you can use them.

To edit an available enricher:

  1. In the left navigation bar, go to Data configuration > Enrichers.

  2. In the Enrichers overview, select an enricher from the list to open it.

  3. Select Edit.

  4. Configure the enricher according to instructions for that enricher.

    See the List of enrichers.

Enable and disable enrichers

You must enable an enricher before you can run it:

  • from the context menu in a graph

  • within an enrichment rule

To enable an enricher:

  1. In the left navigation bar, go to Data configuration > Enrichers.

  2. Locate the enricher you want to enable.

    For that enricher, select Enabled to enable that enricher.

    Clear the selection to disable it.

You can also enable an enricher when editing it:

  1. Edit an enricher.

  2. In the Edit enricher task view, look for the Enabled checkbox.

  3. Select Enabled.

  4. Select Save.

Enricher properties

You can view the properties of an enricher when you open it from the enricher overview.

The following table lists the properties available for an enricher:

| Field name | Description |
| --- | --- |
| Name | Title of the enricher. Usually contains the name of the data vendor the enricher pulls data from. Example: CVE Search Enricher |
| Description | Enter a description for this enricher. |
| Enabled | Yes or No. Enabled enrichers can be accessed from the graph and may be triggered by enrichment rules. |
| Task name | When this enricher runs, it appears under the name displayed here in Settings > System jobs. Example: eiq.enrichers.enrich_cve_search |
| Cache validity (sec) | 2592000 by default. Sets how long (in seconds) enrichment data is stored in the cache. |
| Rate limit (per sec) | 1000 by default. Sets the maximum number of requests the enricher can make per second. |
| Monthly execution cap (runs) | 100000 by default. Sets the maximum number of times an enricher can run per month. |
| Current month count | Displays the number of times the enricher has run for the current calendar month. |
| Override TLP | Not set by default. Leave empty to use the TLP colors provided by the data source. Set a TLP color here to override the TLP colors for objects created by this enricher. |
| Observable types | Default is different for each enricher. One or more observable types the enricher is enabled for. |
| Parameters | Set per enricher. See List of enrichers for specific instructions per enricher. |
| Source reliability | Not set by default. Set the default Admiralty Code reliability value for the objects created by this enricher. Example: B - Usually reliable |
| State | Displays the state of the enricher. Select to see more information. When the state value returns FAILURE, click the link to view the task execution traceback and to begin troubleshooting. To view traceback content, users need the read traceback-logs permission. |
| Enrichment rules | Displays the enrichment rules that apply to this enricher. Select an enrichment rule to view it. |
| Enrichments | Shows a summary of enrichment executions performed within the last 7 days. |