Enrichment summary note
The following is an example of the STIX note that is created and attached to the enriched observable, and to any incidents that are created.
In this example, an enrichment was run on a File observable, searching by file name only. The file name was unique, and only a few results were returned. The highlighted `Dropped: 0` indicates that no results were dropped (results are dropped when the `hits_abort_limit` limit is met).
The meanings of the fields in the summary table are as follows:
Key | Value
---|---
Time | When the enrichment was run
Duration | The duration of the OpenSearch query
Hits returned | Number of alerts returned by the query
Total hits | The total number of matches
Max hits | Maximum number of results to return, as per
Dropped | Results dropped (Total hits - Max hits)
Search since | Time filter used, as per
Include filter | Additional search filters used, as per
Exclude filter | Additional search filters used, as per
Connector v. | The connector version at enrichment time
The next table in the note provides a summary of the alerts found; its columns are:
Column | Meaning
---|---
Rule | The alert rule ID, with a link to the Wazuh instance rule overview
Level | The alert rule level
Count | Number of alerts of this rule ID (a + indicates an inaccurate number)
Earliest | The earliest alert of this rule ID (within the search constraints)
Latest | The latest alert of this rule ID (within the search constraints)
Description | The alert rule description (shortened to a common prefix string and displayed with “[…]” if the alerts with this rule ID had different descriptions)
In contrast to the previous example, this run searched for an IP address and returned a large number of hits. The limits put in place ensure that not too much noise is inserted into OpenCTI.
Since the number of alerts per rule ID is misleading when results are dropped, a + is shown in bold next to the alert count in the Alerts overview.
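As an added illustration (not the connector's own code), the following shows how the `Dropped` figure, the `+` marker on the per-rule count and the common-prefix description from the two tables above can be derived from a constructed set of alert hits; the hit field names and the word-boundary cut of the prefix are assumptions.

```python
from collections import defaultdict
from os.path import commonprefix

# Constructed sample of alert hits as the enrichment query might return them
# (field layout is assumed; ISO 8601 timestamps sort correctly as strings).
SAMPLE_HITS = [
    {"timestamp": "2024-03-01T08:00:00Z",
     "rule": {"id": "100010", "level": 5, "description": "Login failed for user admin"}},
    {"timestamp": "2024-03-01T08:05:00Z",
     "rule": {"id": "100010", "level": 5, "description": "Login failed for user root"}},
    {"timestamp": "2024-03-01T09:30:00Z",
     "rule": {"id": "100020", "level": 3, "description": "File integrity checksum changed"}},
]


def common_description(descriptions):
    """Return the single description if all alerts agree; otherwise the shared
    prefix, cut at a word boundary (my own choice) and marked with "[…]"."""
    unique = sorted(set(descriptions))
    if len(unique) == 1:
        return unique[0]
    prefix = commonprefix(unique)
    cut = prefix.rfind(" ")
    stem = (prefix[:cut] if cut > 0 else prefix).rstrip()
    return f"{stem} […]".strip()


def alerts_overview(hits, total_hits, max_hits):
    """Compute Dropped (= Total hits - Max hits, never negative) and one row per
    rule ID. When anything was dropped, every count gets a '+' because the
    query only saw the first max_hits documents and the count is inaccurate."""
    dropped = max(total_hits - max_hits, 0)
    by_rule = defaultdict(list)
    for hit in hits:
        by_rule[hit["rule"]["id"]].append(hit)
    rows = []
    for rule_id, alerts in sorted(by_rule.items()):
        times = sorted(a["timestamp"] for a in alerts)
        rows.append({
            "rule": rule_id,
            "level": alerts[0]["rule"]["level"],
            "count": f"{len(alerts)}+" if dropped else str(len(alerts)),
            "earliest": times[0],
            "latest": times[-1],
            "description": common_description(a["rule"]["description"] for a in alerts),
        })
    return dropped, rows
```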