Rules for enrichers

Enrichment rules define what to do with the retrieved enrichment data.

Rules act like filters, and they set the logical constraints defining:

• The platform data sources to augment with enrichment information.

  Data sources you can enrich are incoming feeds, other enrichers, and groups.

• Within the selected platform data sources, the entity type(s) to augment with enrichment information.

• The enrichers to use to fetch enrichment data.

View enrichment rules

To open the enrichment rule overview, go to Data configuration > Rules > Enrichment. This displays a list of all enrichment rules.

Tip

Sort the list in ascending or descending order by selecting the column title.

You can also view an enrichment rule by opening it from a specific enricher overview. To do this:

1. Open an enricher. Go to Data configuration > Enrichers and select an enricher from the list.

2. In the panel that opens, look for the Enrichment rules field.

3. Select a displayed enrichment rule name to open it.

Add enrichment rules

To add a new enrichment rule, do the following:

1. Open enrichment rule overview.

2. Select Create rule + in the top left.

3. In the Create enrichment rule panel, fill out these fields:

   Note

   Required fields are marked with an asterisk (*).

   Field name	Description
   Name*	Enter a name to identify this rule.
   Description	Enter a description for this rule.
   Filters	Select + Add or +More to add rule filters. See Enrichment rule filters.
   Enrichers*	Select at least one enricher to apply this rule to.

4. Select Save.

Enrichment rule filters

Filters for enrichment rules allow you to define a set of conditions an entity must match to trigger that enrichment rule.

Filters are additive.

Rules trigger when an entity matching the rule is created, ingested, or modified.

Define at least one filter for your enrichment rule.

For each enrichment rule filter, you can set the following conditions:

Field name	Description
Source	Select a source from the list. A filter with a defined Source is only triggered by entities from that source. Sources can be feeds, enrichers, or platform groups. Leave blank to trigger the rule with an entity from any source.
Entity types	Select an entity type from the list. A filter with a defined Entity type is only triggers by an entity of that type. Leave blank to trigger the rule with an entity of any type.
TLP	Select a TLP color from the list. A filter with a defined TLP only triggered by entities with that TLP color. Leave blank to trigger the rule with an entity with any TLP color.

Edit enrichment rule

1. Open the enrichment rule overview.

2. Select an existing enrichment rule from the list.

3. In the panel that appears, select More at the top right.

4. In the context menu that opens, select Edit

Or:

1. Open the enrichment rule overview.

2. Locate an existing enrichment rule from the list to edit.

3. For that enrichment rule in the list, select More on the far right of it.

4. In the context menu that opens, select Edit.

Delete enrichment rule

1. Open the enrichment rule overview.

2. Select an existing enrichment rule from the list.

3. In the panel that appears, select More at the top right.

4. In the context menu that opens, select Delete

Or:

1. Open the enrichment rule overview.

2. Locate an existing enrichment rule from the list to edit.

3. For that enrichment rule in the list, select More on the far right of it.

4. In the context menu that opens, select Delete.