Enrichers are parsers that can rely on external methods to add extra contextual information to the event. They usually run in the
s02-enrich stage (after most of the parsing has happened).
Enricher functions should all accept a string as a parameter and return an associative string array, which is automatically merged into the
Enriched map of the event.
At the time of writing, the implementation of the enricher plugin mechanism is still ongoing (read: the list of available enrichment methods is currently hardcoded).
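The contract described above (a string in, a string map out, merged into the event's Enriched map), as an added example that is not CrowdSec's own code. The `Event` type, the `EnrichFunc` signature, the `IPClass` enricher and its `IsPrivate`/`IPVersion` keys are all hypothetical names chosen for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Event is a simplified stand-in (assumption); only Enriched matters here.
type Event struct{ Enriched map[string]string }

// EnrichFunc is the contract the text describes: a string in, a string map out.
type EnrichFunc func(field string) (map[string]string, error)

// IPClass is a hypothetical enricher: classifies an IP without external data.
func IPClass(field string) (map[string]string, error) {
	ip := net.ParseIP(field)
	if ip == nil {
		return nil, fmt.Errorf("not an IP address: %q", field)
	}
	out := map[string]string{"IsPrivate": "false", "IPVersion": "6"}
	if ip.To4() != nil {
		out["IPVersion"] = "4"
	}
	if ip.IsPrivate() || ip.IsLoopback() {
		out["IsPrivate"] = "true"
	}
	return out, nil
}

// Apply runs an enricher and merges its result into evt.Enriched.
// On error nothing is merged, so a bad field leaves the event unchanged.
func Apply(evt *Event, fn EnrichFunc, field string) error {
	res, err := fn(field)
	if err != nil {
		return err
	}
	if evt.Enriched == nil {
		evt.Enriched = map[string]string{}
	}
	for k, v := range res {
		evt.Enriched[k] = v
	}
	return nil
}

func main() {
	evt := &Event{Enriched: map[string]string{"source": "constructed-sample"}}
	fmt.Println(Apply(evt, IPClass, "192.168.1.10"), evt.Enriched)
	fmt.Println(Apply(evt, IPClass, "not-an-ip"), evt.Enriched)
}
```

Keys already present in the Enriched map are kept unless the enricher returns the same key, in which case the enricher's value wins.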
As an example, let's look at the geoip-enrich parser/enricher:
It exposes three methods :
IpToRange that are used by the
Enrichers can be installed like any other parser with the following command:
cscli install parser crowdsecurity/geoip-enrich
Take a tour of the Crowdsec Hub to find them!