Enrichments

You can create custom enrichments for Live Discover.

You must be Super Admin, Admin, or have full admin rights to Endpoint or Server Protection.

Live Discover lets you select data items in your query results and use them as the basis for further, "pivot" actions, including enrichments.

Enrichments open third-party websites to look up information about a potential threat you've found.

We provide predefined enrichments. You can also add your own.

Add a custom enrichment

You can add an enrichment as follows:

Go to Threat Analysis Center > Preferences.
On the Enrichments tab, you see all enrichments, whether created by Sophos or by an administrator. Click Add enrichment.
In the Add enrichment dialog, do as follows:
1. Enter the Data Type . This is the data in your query results that you want to look up. For example, IP Address.
2. Enter a Display Name . This shows in the menu when you click the ellipsis icon next to the data in your result.
3. Enter a Description.
4. Enter the URL of the web page you want to open.
  
  In our example, the URL is www.virustotal.com/gui/ip-address/$$ipAddress$$.
  
  www.virustotal.com/ is the website.
  
  gui/ip-address/ is the page where you can look up IP addresses.
  
  $$ipAddress$$ is the SQL variable that will be replaced with the IP you want to look up. We show you this variable in a note above the URL field.
5. Click Test link.
6. Click Save.

Your enrichment now shows on the Enrichments tab.

This video explains how to add custom enrichments.

You can only edit or delete enrichments that you (or another administrator) created. You can't change the predefined enrichments that we provide.

To edit an enrichment, do as follows:

Go to Threat Analysis Center > Preferences.
On the Enrichments tab, look for the enrichment you want. In the Actions column, click the ellipsis icon and select Edit enrichment or Delete enrichment.
If you selected Edit enrichment, you can enter settings as descibed in “Add a custom enrichment”.