Configure enrichers

Configure enrichers to augment intelligence value with additional context obtained from selected intel providers and data sources.

Note

Some enrichers may require a paid subscription to the data provider that the enricher pulls data from.

Edit an enricher

Most enrichers have to be configured before you can use them.

To edit an available enricher:

  1. In the left navigation bar, go to Data configuration > Enrichers.

  2. In the Enrichers overview, select an enricher from the list to open it.

  3. Select Edit.

  4. Configure the enricher according to instructions for that enricher.

    See EclecticIQ Integrations.

Enable and disable enrichers

You must enable an enricher before you can run it:

  • from the context menu in a graph

  • within an enrichment rule

To enable an enricher:

  1. In the left navigation bar, go to Data configuration > Enrichers.

  2. Locate the enricher you want to enable.

    Select Enabled for that enricher to enable it.

    Clear the selection to disable it.

You can also enable an enricher when editing it:

  1. Edit an enricher.

  2. In the Edit enricher task view, look for the Enabled checkbox.

  3. Select Enabled.

  4. Select Save.

Enricher properties

You can view the properties of an enricher when you open it from the Enrichers overview.

The following table lists the properties available for an enricher:

| Field name | Description |
|---|---|
| Name | Title of the enricher. Usually contains the name of the data vendor the enricher pulls data from. Example: CVE Search Enricher |
| Description | Enter a description for this enricher. |
| Enabled | Yes or No. Enabled enrichers can be accessed from the graph and may be triggered by enrichment rules. |
| Task name | When this enricher runs, it appears under the name displayed here in Settings > System jobs. Example: eiq.enrichers.enrich_cve_search |
| Cache validity (sec) | 2592000 by default. Sets the time, in seconds, that enrichment data is stored in the cache. |
| Rate limit (per sec) | 1000 by default. Sets the maximum number of requests the enricher can make per second. |
| Monthly execution cap (runs) | 100000 by default. Sets the maximum number of times an enricher can run per month. |
| Current month count | Displays the number of times the enricher has run for the current calendar month. |
| Override TLP | Not set by default. Leave empty to use the TLP colors provided by the data source. Set a TLP color here to override the TLP colors for objects created by this enricher. |
| Observable types | Default is different for each enricher. One or more observable types the enricher is enabled for. |
| Parameters | Set per enricher. See EclecticIQ Integrations for specific instructions per enricher. |
| Source reliability | Not set by default. Set the default Admiralty Code reliability value for the objects created by this enricher. Example: B - Usually reliable |
| State | Displays the state of the enricher. Select to see more information. Note: When the state value returns FAILURE, click the link to view the task execution traceback and to begin troubleshooting. To view traceback content, users need the read traceback-logs permission. |
| Enrichment rules | Displays the enrichment rules that apply to this enricher. Select an enrichment rule to view it. |
| Enrichments | Shows a summary of enrichment executions performed within the last 7 days. |