Enrichments and threat indicators
Enrichments can add threat indicators to show risk level in insights and entities.
Enrichments
You can view the results of enrichments in Cloud SIEM by navigating to the Enrichments tab, which appears on the entity, signal, and insight details pages whenever there are enrichments to display.
The Enrichments tab has the following features:
- Enrichments are grouped by entity, not by enrichment source.
- Groups can be collapsed and expanded.
- The list can be filtered.
- Empty fields (fields with a null or empty value) can be optionally hidden.
- Links, if set by the enrichment, will be displayed and open in a new tab if clicked.
- Threat indicators, if set by the enrichment, will be displayed.
Threat indicators
Threat indicators, if set, will be displayed throughout the Cloud SIEM UI either as a full label or as a colored icon depending on the location:
Label | Icon
---|---
Malicious | Colored icon
Suspicious | Colored icon
Not Flagged | None
No icon is displayed for entities with the Not Flagged label.
Not Flagged is itself an explicitly set value, not the default; the default is no indicator at all. Cloud SIEM never infers an indicator from the enrichment data, so an enrichment must set the value explicitly for any label or icon to appear.
Enrichment attributes
The enrichment schema includes support for the following optional attributes:
- expiresAt. Defines when the enrichment should be auto-deleted from Cloud SIEM (by default, enrichments will never be auto-deleted).
- externalUrl. Defines a link that will be displayed with an enrichment (for example, to include a link to the VirusTotal details page for this entity, put the link in this field).
- reputation. Associates a threat indicator with this enrichment data. The allowable values are malicious, suspicious, and notflagged. The default is not to display any reputation.