Enrich

Automatically

To automatically enrich entities, make sure enricher tasks are active, and the necessary enrichment rules are configured.

Rules give you control over the type of information you want to retrieve or exclude, and what you want to do with it.
You can assign one or more enricher sources to specific observable types. You can set multiple filters to cover usage scenarios as needed.
You can then examine the returned enrichment observable data, as well as route it to other devices that enforce cyber threat detection or prevention.

Manually

To manually apply enrichment to the entities you want to enrich, do the following:

  1. Open an entity in edit mode.
    For example, go to the top navigation bar, click Browse, then click Published to display an overview of the published entities available in the Intelligence Center.

  2. Go to the row of the entity you want to manually enrich, and click .

  3. From the drop-down menu, select Edit.

  4. At the bottom of the entity editor view, select the Manually enrich checkbox.
    A new input field with a drop-down menu becomes available.

  5. From the drop-down menu, select one or more enrichers you want to apply to the entity.

  6. Click Save draft to store your changes without publishing the entity, Publish to release the new version of the entity including your changes, or Cancel to discard the changes.

Alternatively, you can manually enrich an entity by selecting it; for example, from a dataset, from Browse or from Discovery.
An overlay slides in from the side of the screen to display the entity detail pane.
In the entity detail pane, click Observables. The Observables tab shows an overview of the enrichment observables the entity has been augmented with.

To manually enrich the entity observables, click to trigger a task run that polls all the enrichers configured for the entity.

Alternatively, from the Actions pop-up menu, select Enrich, and then Enrich with all.
The Intelligence Center polls all applicable enrichers for the entity, and it enriches all the entity observables with the retrieved data.

To poll a specific enricher, go to the Actions pop-up menu, select Enrich, and then click the specific enricher whose task run you want to trigger.
The Intelligence Center polls the specified enricher for the entity, and it enriches all supported entity observables with the retrieved data.

To enrich only specific observables:

  1. In the Observables tab, select the checkboxes corresponding to the observables you want to enrich.

  2. From the Enrich drop-down menu, select Enrich with all.
    The Intelligence Center polls all applicable enrichers for the entity, and it enriches the selected entity observables with the retrieved data.

The available enricher tasks in the drop-down menu are automatically filtered to show only the applicable enrichers for the entity.
Enrichers automatically augment all the entities that accept the enricher’s content type as an observable.
In other words, the observable types an entity supports define the applicable enrichers an entity can use.