Create enrichment rules

Enrichment rules allow you to automatically run enrichers on entities.

A rule must be Enabled for it to take effect. See Manage enrichment rules.

Create an enrichment rule

Note

Required fields are marked with an asterisk (*).

Start creating a rule:

  1. From the left navigation, select Data configuration > Rules > Enrichment.

  2. Select +.

OR

  • From the left navigation, select + Create > Rules > Enrichment rule.

Configure the rule

In the Create enrichment rule view, fill out the following fields:

| Field | Description |
| --- | --- |
| Rule name* | Name of rule. |
| Description | Short description. Should contain context and information on what this rule does. |
| Enabled | Select this to enable the rule immediately after saving. |

Once done, set filters for your rule.

Set filters

Set at least one filter for your rule in the Filters section. Rules will only run against entities that match the filters you set.

To add a filter, select + More at the bottom of the section.

Set the following fields for each filter:

| Field | Description |
| --- | --- |
| Source | Select one source. This rule runs against entities that belong to this source. |
| Entity types | Select one entity type that this rule runs against. |
| TLP | Select one TLP. This rule runs against entities that have this TLP color. |

Next, select the enrichers that this rule will trigger.

Select enrichers

Select one or more enrichers from the Enrichers* field.

When an entity that matches the filters for this rule is ingested, created, or edited, this rule runs all selected enrichers on that entity.

Save

Once done:

  • Select Save to save this rule.

  • Select the Save drop-down menu arrow > Save and new to save this rule and start creating a new rule.

  • Select the Save drop-down menu arrow > Save and duplicate to save this rule and start creating a new rule using settings from this rule.