Alerting: Configure a Database Connection

Document created by RSA Information Design and Development on Jul 20, 2016. Last modified by RSA Information Design and Development on Apr 26, 2017.
Version 2

This topic explains how to configure a connection to an external database that can provide additional information in alerts. Once the connection exists, you can configure the database as an enrichment source to add further details to alerts. There are three steps in the process:

  1. Configure a connection to a database.
  2. Configure the external database as an enrichment source.
  3. Add the enrichment source to a rule.

This topic explains Step 1.

Example

This example illustrates how adding a database as an enrichment source adds value to alerts.

A rule detects users that attempt to sign up for a stealth email service. Twenty-five users match the rule criteria. Without the enrichment, the alert contains 25 User IDs. With the enrichment, the alert also includes the following information for each User ID:

  • Name
  • Title
  • Department
  • Office Location

Dependencies

When you configure a database, the following conditions apply:

  • A reference to the database is deployed on every ESA, even if the ESA does not deploy rules that use the database as an enrichment source. 
  • If the server that hosts the database goes down, deployments are affected:
    • An active deployment will continue to gather data and run rules but enrichments will not appear in alerts.
    • A new deployment will fail until you restart the host.
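Because a new deployment fails while the database host is down, it helps to confirm that each configured host is listening before you deploy. The following check is an added example, not part of the RSA documentation. The JDBC-style and `mongodb://` URL forms, the connection names, and the addresses are assumptions constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

# Well-known default ports for the two bundled driver types.
DEFAULT_PORTS = {"postgresql": 5432, "mongodb": 27017}

def parse_endpoint(value, driver):
    """Return (host, port) from a database URL or bare IP address.

    driver is "postgresql" or "mongodb" and selects the default port
    when the value does not carry one.
    """
    value = value.strip()
    if value.lower().startswith("jdbc:"):
        value = value[5:]              # urlsplit cannot parse the jdbc: prefix
    if "://" not in value:
        value = "//" + value           # bare host, IP, or host:port
    parts = urlsplit(value)
    if not parts.hostname:
        raise ValueError(f"no host found in {value!r}")
    return parts.hostname, parts.port or DEFAULT_PORTS[driver]

def is_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_connections(connections):
    """Map each connection name to True/False reachability."""
    results = {}
    for name, (value, driver) in connections.items():
        host, port = parse_endpoint(value, driver)
        results[name] = is_reachable(host, port)
    return results

if __name__ == "__main__":
    # Constructed sample entries; replace with your own connection values.
    sample = {
        "hr-directory": ("jdbc:postgresql://192.0.2.10:5432/hr", "postgresql"),
        "asset-db": ("192.0.2.20", "mongodb"),
    }
    for name, ok in check_connections(sample).items():
        print(f"{name}: {'reachable' if ok else 'UNREACHABLE'}")
```

A successful TCP connect shows only that the host is listening. It does not validate the username and password entered for the connection.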

Procedure

To configure a database connection:

  1. In the Security Analytics menu, select Alerts > Configure.
  2. Click the Settings tab.
  3. In the options panel, select Database Connections.

    The Database Connections panel is displayed.


  4. Click the add icon to add a database connection.


  5. In the Database Connection dialog, provide the following information.

                                         
    | Field | Description |
    |---|---|
    | Enable | Select Enable to enrich the alert with additional data. By default, Enable is selected. Deselect Enable to exclude additional data from the alert. |
    | Connection Name | Type a name to identify the connection. When you add a database as an enrichment source, this name appears in the list of Database Connections. |
    | Description | (Optional) Type a brief description about the database connection. |
    | Driver Class | Select an appropriate driver class for the database. Two drivers come with Security Analytics: MongoDB and Postgres. To import a new driver, click Upload. In the Import Driver Class dialog, click Browse, select a new driver, and click Import. |
    | Database URL or IP address | Type the URL or the IP address of the database to configure. |
    | Username | Type the username to access the database. |
    | Password | Type the password to access the database. |
  6. Click Save.

For related information, see Settings Tab.
