Rules for enrichers

Enrichment rules define what to do with the retrieved enrichment data.

Rules act like filters, and they set the logical constraints defining:

  • The platform data sources to augment with enrichment information.

    Data sources you can enrich are incoming feeds, other enrichers, and groups.

  • Within the selected platform data sources, the entity type(s) to augment with enrichment information.

  • The enrichers to use to fetch enrichment data.

View enrichment rules

To open the enrichment rule overview, go to Data configuration > Rules > Enrichment. This displays a list of all enrichment rules.

Tip

Sort the list in ascending or descending order by selecting the column title.

You can also view an enrichment rule by opening it from a specific enricher overview. To do this:

  1. Open an enricher. Go to Data configuration > Enrichers and select an enricher from the list.

  2. In the panel that opens, look for the Enrichment rules field.

  3. Select a displayed enrichment rule name to open it.

Add enrichment rules

To add a new enrichment rule, do the following:

  1. Open the enrichment rule overview.

  2. Select Create rule + in the top left.

  3. In the Create enrichment rule panel, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    | Field name  | Description                                                              |
    |-------------|--------------------------------------------------------------------------|
    | Name*       | Enter a name to identify this rule.                                      |
    | Description | Enter a description for this rule.                                       |
    | Filters     | Select + Add or +More to add rule filters. See Enrichment rule filters.  |
    | Enrichers*  | Select at least one enricher to apply this rule to.                      |

  4. Select Save.

Enrichment rule filters

Filters for enrichment rules allow you to define a set of conditions an entity must match to trigger that enrichment rule.

Filters are additive.

Rules trigger when an entity matching the rule is created, ingested, or modified.

Define at least one filter for your enrichment rule.

For each enrichment rule filter, you can set the following conditions:

| Field name   | Description |
|--------------|-------------|
| Source       | Select a source from the list. A filter with a defined Source is only triggered by entities from that source. Sources can be feeds, enrichers, or platform groups. Leave blank to trigger the rule with an entity from any source. |
| Entity types | Select an entity type from the list. A filter with a defined Entity type is only triggered by an entity of that type. Leave blank to trigger the rule with an entity of any type. |
| TLP          | Select a TLP color from the list. A filter with a defined TLP is only triggered by entities with that TLP color. Leave blank to trigger the rule with an entity with any TLP color. |
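
The following is an added example, not part of the platform or its API: a small Python model of the filter conditions above that can be used to reason about which enrichers a rule set would select for a given entity. The class names, rule names, enricher names, and sample entities are constructed, and it assumes "additive" means a rule triggers when any one of its filters matches.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Entity:
    source: str
    entity_type: str
    tlp: str

@dataclass(frozen=True)
class Filter:
    # None models a field left blank, which matches any value.
    source: Optional[str] = None
    entity_type: Optional[str] = None
    tlp: Optional[str] = None

    def matches(self, e: Entity) -> bool:
        # Every condition that is set must match; blank conditions are skipped.
        pairs = ((self.source, e.source),
                 (self.entity_type, e.entity_type),
                 (self.tlp, e.tlp))
        return all(want is None or want == got for want, got in pairs)

@dataclass
class Rule:
    name: str
    enrichers: list
    filters: list

    def triggers_on(self, e: Entity) -> bool:
        # Assumption: filters are additive, so one matching filter is enough.
        return any(f.matches(e) for f in self.filters)

def enrichers_for(entity: Entity, rules: list) -> dict:
    """Map each enricher selected for `entity` to the rules that selected it."""
    hits = {}
    for rule in rules:
        if rule.triggers_on(entity):
            for enricher in rule.enrichers:
                hits.setdefault(enricher, []).append(rule.name)
    return hits

# Constructed sample rules and entities (hypothetical names).
RULES = [
    # TLP left blank: triggers for indicators of any TLP color, RED included.
    Rule("all-indicators", ["Enricher A"], [Filter(entity_type="indicator")]),
    # Two filters: GREEN entities from either source trigger the rule.
    Rule("green-only", ["Enricher B"], [Filter(source="Feed X", tlp="GREEN"),
                                        Filter(source="Group Y", tlp="GREEN")]),
]
RED_INDICATOR = Entity("Feed X", "indicator", "RED")
GREEN_REPORT = Entity("Group Y", "report", "GREEN")
```

Calling `enrichers_for(RED_INDICATOR, RULES)` shows that the rule with a blank TLP still selects its enricher for a RED entity, while the TLP-scoped rule does not.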

Edit enrichment rule

  1. Open the enrichment rule overview.

  2. Select an existing enrichment rule from the list.

  3. In the panel that appears, select More at the top right.

  4. In the context menu that opens, select Edit.

Or:

  1. Open the enrichment rule overview.

  2. In the list, locate the existing enrichment rule to edit.

  3. For that enrichment rule, select More on the far right.

  4. In the context menu that opens, select Edit.

Delete enrichment rule

  1. Open the enrichment rule overview.

  2. Select an existing enrichment rule from the list.

  3. In the panel that appears, select More at the top right.

  4. In the context menu that opens, select Delete.

Or:

  1. Open the enrichment rule overview.

  2. In the list, locate the existing enrichment rule to delete.

  3. For that enrichment rule, select More on the far right.

  4. In the context menu that opens, select Delete.