Enricher Management
Enricher Components
Understand enricher definitions, core concepts, and supported enricher types.
This component executes enrichers after artifacts are processed, in a specific order, to enrich the content of resulting records.
What Is an Enricher
An enricher is a reusable script or package that receives processed records after parsers and updates them in a controlled way.
Core Enricher Concepts
auto_run
auto_run enables or disables running the enricher automatically once processing completes.
query (Filter Query)
- Lucene filter that limits enrichment to records matching the expression.
- If empty, the enricher applies to all records in scope.
- Example:
_exists_:file.hash.sha1 OR _exists_:process.hash.sha1
Execution Order
- Enrichers run in configured sequence.
- Earlier enrichers can prepare fields that later enrichers depend on.
- Order becomes critical when more than one enricher writes to related fields.
To configure the enricher execution order, open the enrichment page, then click the "order" button.

To reorder the enricher sequence, grab the icon on the left of an enricher and drop it at the desired position.

Enricher Types
SandsBytes supports four enricher types.
| Type | Description | Requires Code |
|---|---|---|
| CUSTOM | Runs a custom Python script to manipulate processed records and enrich content. | Yes (.zip package) |
| MAPPER | Maps/copies one field into another field in the same record. | No |
| FEEDS | Looks up record values against collected feeds and writes matched feed metadata into the record. | No |
| LOOKUP | Looks up record values against external sources (for example VirusTotal) and adds metadata to records. | Yes (.zip package) |
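As an added illustration (not SandsBytes code and not its real enricher API), this Python model ties together the filter query, the configured execution order, and the MAPPER and FEEDS behaviour described above: a mapper copies process.hash.sha1 into file.hash.sha1 so the feed lookup that runs after it can match, and reversing the order leaves the lookup with nothing to match. The `_exists_` parser, enricher names, and feed contents are assumptions constructed for the example.

```python
import re
from typing import Callable, Dict, List, NamedTuple

Record = Dict[str, str]  # constructed flat records keyed by dotted field name

def matches_query(query: str, record: Record) -> bool:
    """Minimal Lucene-style filter: `_exists_:field` terms joined by OR.
    An empty query matches every record in scope."""
    if not query.strip():
        return True
    fields = re.findall(r"_exists_:([\w.]+)", query)
    return any(record.get(f) for f in fields)

class Enricher(NamedTuple):
    name: str
    query: str  # filter query, as described above
    auto_run: bool  # enricher is skipped entirely when False
    apply: Callable[[Record], None]

def mapper(src: str, dst: str) -> Callable[[Record], None]:
    """MAPPER-style enricher: copy `src` into `dst` when `dst` is unset."""
    def apply(rec: Record) -> None:
        if rec.get(src) and not rec.get(dst):
            rec[dst] = rec[src]
    return apply

# Constructed feed for the demo (hypothetical): sha1 -> feed label.
FEED = {"da39a3ee5e6b4b0d3255bfef95601890afd80709": "demo-feed/empty-file"}

def feeds_lookup(rec: Record) -> None:
    """FEEDS-style enricher: annotate a record whose file hash is in the feed."""
    label = FEED.get(rec.get("file.hash.sha1", ""))
    if label:
        rec["threat.feed.name"] = label

def run_pipeline(enrichers: List[Enricher], records: List[Record]) -> List[Record]:
    """Run enrichers in configured order, each only on records its query matches."""
    for enricher in enrichers:
        if not enricher.auto_run:
            continue
        for rec in records:
            if matches_query(enricher.query, rec):
                enricher.apply(rec)
    return records
HASH_QUERY = "_exists_:file.hash.sha1 OR _exists_:process.hash.sha1"
# The mapper must precede the feed match: it prepares file.hash.sha1 for it.
PIPELINE = [
    Enricher("copy-process-hash", HASH_QUERY, True, mapper("process.hash.sha1", "file.hash.sha1")),
    Enricher("feed-match", "_exists_:file.hash.sha1", True, feeds_lookup),
]
```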