
Alerting: Add an Enrichment to a Rule

Document created by RSA Information Design and Development Employee on Jan 30, 2020. Last modified by RSA Information Design and Development Employee on Sep 8, 2020.
Version 4
 

This topic describes how to add a previously configured enrichment source to a rule. When ESA creates an alert, information looked up from that source is included in the alert.

Adding an enrichment to a rule lets you request lookups against a variety of sources and include the results in the outgoing alert, giving you a more detailed alert. This procedure requires the role permissions of Administrator, DPO, or SOC Manager.

Note: This procedure does not apply to adding a Context Hub list as an enrichment to a condition statement in an existing rule. For that procedure, see Configure a Context Hub List as an Enrichment Source.

To add an enrichment to a rule:

  1. Go to (Configure) > ESA Rules.
  2. In the Rule Library view, do one of the following:
    • Double-click a rule.
    • Select a rule and click the Edit icon in the Rule Library toolbar.
    The Rule Builder panel is displayed in a new NetWitness Platform tab.
  3. In the Enrichments section, click the Add List icon and select one of the following enrichment types:
    • In-Memory Table
    • GeoIP

    Note: If you use a GeoIP source, ipv4 is populated automatically and cannot be edited.

    The enrichment types that you have selected are displayed in the table.
  4. For the added enrichment type, perform the following:
    • In the Output column, select the type that you have configured.
    • In the Enrichment Source drop-down list, select the enrichment source that you defined.
    • In the ESA Event Stream Meta field, type the event stream meta key whose value is used as one operand of the join condition.
    • In the Enrichment Source Column Name field, type the enrichment source column name whose value is used as the other operand of the join condition.
  5. Select Debug. This adds an @Audit('stream') annotation to the rule, which is useful when debugging Esper rules.
  6. Click Show Syntax to test if the defined ESA rule is valid.
  7. Click Save.

For details on parameters and their descriptions, see Rule Builder Tab.
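The following is an added example, not code from the RSA NetWitness documentation or the product itself. It models what the join configured in steps 3 and 4 does to an alert: the value of the ESA Event Stream Meta key on each matching event is compared with the Enrichment Source Column Name in the source, and every other column of a matching row is copied into the outgoing alert. The meta keys, table contents, the `name.column` naming of enriched fields, the audit trace that stands in for @Audit('stream'), and the choice to still emit the alert when no row matches are all assumptions of this model, not documented ESA behaviour.

```python
"""Illustrative model of an ESA rule enrichment join (added example, not NetWitness code)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Enrichment:
    name: str                 # enrichment source name; prefixes the fields it adds to the alert (assumption)
    rows: tuple              # rows of the configured source (in-memory table or GeoIP table)
    stream_meta: str          # ESA Event Stream Meta: left operand of the join condition
    source_column: str        # Enrichment Source Column Name: right operand of the join condition

    def lookup(self, value) -> list:
        """Return every source row whose join column equals the event's meta value."""
        return [r for r in self.rows if r.get(self.source_column) == value]


def geoip(name: str, rows: list, stream_meta: str) -> Enrichment:
    """A GeoIP source always joins on its ipv4 column (per the procedure), so only the stream side is chosen."""
    return Enrichment(name, tuple(rows), stream_meta, "ipv4")


def enrich(event: dict, enrichments: list, debug: bool = False, audit: Optional[list] = None) -> dict:
    """Build the outgoing alert: the event plus one field per non-join column of each matching row."""
    alert = dict(event)
    for enr in enrichments:
        key = event.get(enr.stream_meta)            # missing meta key -> nothing to join on
        matches = enr.lookup(key) if key is not None else []
        if debug and audit is not None:             # stand-in for the stream trace @Audit('stream') produces
            audit.append(f"{enr.name}: {enr.stream_meta}={key!r} -> {len(matches)} row(s)")
        for row in matches:                         # no match: alert is emitted unenriched (assumption)
            for col, val in row.items():
                if col != enr.source_column:
                    alert[f"{enr.name}.{col}"] = val
    return alert


def run_rule(events: list, condition: Callable[[dict], bool], enrichments: list,
             debug: bool = False, audit: Optional[list] = None) -> list:
    """Evaluate the rule condition over an event stream and enrich every event that fires."""
    return [enrich(e, enrichments, debug, audit) for e in events if condition(e)]


# --- constructed sample data (hypothetical; not taken from any real deployment) ---
WATCHLIST = [   # in-memory table uploaded as an enrichment source; "ip" is the join column
    {"ip": "203.0.113.7", "reason": "known C2", "severity": "high"},
    {"ip": "198.51.100.9", "reason": "scanner", "severity": "low"},
]
GEO = [         # GeoIP table; its join column is always ipv4
    {"ipv4": "203.0.113.7", "country": "XK", "city": "Example"},
]
EVENTS = [      # event stream; ip_src is the ESA Event Stream Meta key used in both joins
    {"sessionid": 1, "ip_src": "203.0.113.7", "ip_dst": "10.0.0.5", "action": "login failed"},
    {"sessionid": 2, "ip_src": "192.0.2.44", "ip_dst": "10.0.0.5", "action": "login failed"},
    {"sessionid": 3, "ip_src": "203.0.113.7", "ip_dst": "10.0.0.9", "action": "login ok"},
]
ENRICHMENTS = [
    Enrichment("watchlist", tuple(WATCHLIST), "ip_src", "ip"),
    geoip("geo", GEO, "ip_src"),
]


def example_alerts(debug: bool = False, audit: Optional[list] = None) -> list:
    """Fire on failed logins and enrich each alert from both configured sources."""
    return run_rule(EVENTS, lambda e: e["action"] == "login failed", ENRICHMENTS, debug, audit)


if __name__ == "__main__":
    trace = []
    for alert in example_alerts(debug=True, audit=trace):
        print(alert)
    print("\n".join(trace))
```

Running the block shows two alerts: session 1 carries `watchlist.reason`, `watchlist.severity`, `geo.country` and `geo.city`, while session 2 fires without any enriched fields because its source address matches neither source. The debug trace records one line per enrichment per alert, which is the kind of per-stream visibility you would look for in the Esper audit output when a join is not producing the fields you expect.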
