Enhancement scripts are run manually and can enrich indicators, write to context, and return entries to the War Room.
Enhancement scripts enable you to gather additional data about the highlighted entry in the War Room. They can enrich indicators, search a SIEM for a specific indicator, write indicator details to context, and return entries to the War Room.
Enhancement scripts are run manually from the Indicator Quick View window or the CLI after indicators are extracted to allow you to collect additional information about an indicator. If you have an incident that contains an IP indicator and you want to run one or more enhancement scripts, go to → and under Run Scripts, select the desired script.
Note
Enhancement scripts are different from reputation commands. A reputation command runs every integration that has that command within it, to enrich the indicator. The reputation command ip
, for example, runs every IP integration command in your enabled integrations, to collect data from multiple sources. An enhancement script is manually run after the initial extraction and enrichment for the indicator type is complete.