Alerting: Configure In-Memory Table as Enrichment Source

Document created by RSA Information Design and Development on Jul 20, 2016. Last modified by RSA Information Design and Development on Apr 26, 2017.

This topic provides instructions on how to configure an in-memory table. When you configure an in-memory table, you upload a .CSV file as an input to the table. You can associate this table with a rule as an enrichment source. When the associated rule generates an alert, ESA will enrich the alert with relevant information from the in-memory table.

For example, a rule could be configured to detect when a user tries to download freeware and to identify the person by user ID in the alert. The alert could be enriched with additional information from an in-memory table that contains details such as full name, title, office location and employee number.

An in-memory table is ideal for handling lightweight data. It is easy to set up and requires less maintenance than a database. For example, the AllTech Company is a small organization so the system administrator can maintain employee information in a .CSV file. If AllTech grows into a very large company, the administrator would have to configure an external database reference as an enrichment and associate the database with a rule.

Prerequisites

Column names in the .CSV file cannot contain whitespace characters.

The first line of the .CSV file must be formatted this way for each column:
name_of_column_1 type_of_column_1

For example, these three columns are formatted correctly:
Last_Name string
First_Name string
Phone integer

Procedures

Configure an Adhoc In-Memory Table

  1. In the Security Analytics menu, select Alerts > Configure.
    The Configure view is displayed with the Rules tab open.
  2. Click the Settings tab.
  3. In the options panel, select Enrichment Sources.
    EnrSources2.png
  4. In the Enrichment Sources section, click the Add icon (addList.PNG) > In-Memory Table.
    IMTblAdhoc.png
  5. Describe the in-memory table:
    1. Select Adhoc.
    2. By default, Enable is selected. When you add the in-memory table to a rule, alerts will be enriched with data from it.
      If you add an in-memory table to a rule but do not want alerts to be enriched, deselect the checkbox.
    3. In the User-Defined Table Name field, type a name, such as Student Information, for the in-memory table configuration.
    4. If you want to explain what the enrichment adds to an alert, type a Description such as:
      When an alert is grouped by Rollno, this enrichment adds student information, such as name and marks. 
  6. In the Import Data field, select the .CSV file that will feed data to the in-memory table.
  7. If you want to write an EPL query to define an advanced in-memory table configuration, select Expert Mode.
    The Table Columns are replaced by a Query field.
  8. Select Persist to preserve the in-memory table on disk when the ESA service stops and to re-populate the table when the service restarts.
  9. In the Table Columns section, click the Add icon to add columns to the in-memory table.
  10. If a valid file is selected in the Import Data field, the columns populate automatically.

Note: If you selected Expert mode, a Query field is displayed instead of Table Columns.

  11. In the Key drop-down menu, select the field to use as the default key to join incoming events with the in-memory table when using a CSV-based in-memory table as an enrichment. By default, the first column is selected. You can also modify the key later when you open the in-memory table in Enrichment Sources.
  12. In the Max Rows drop-down menu, select the maximum number of rows that can reside in the in-memory table at any one time.
  13. Click Save.
    The adhoc in-memory table is configured. You can add it to a rule as an enrichment or as part of the rule condition. See Add an Enrichment to a Rule.

When you add an in-memory table, you can add it to a rule as an enrichment or as a part of the rule condition. For example, the following rule uses an in-memory table as a part of the rule condition to create a whitelist, and it also uses the user_dst in-memory table of user details to enrich the alert that is displayed.

The rule shows the in-memory table as a whitelist rule condition:

in-rule-enrichment.png

Next, the alert is enriched with the User_list in-memory table:

post_alert_enrichment.png

Therefore, the user_dst in-memory table is used to create a whitelist, and it is also used to enrich the data in the alert if the alert is triggered.
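The following Python is an added illustration, not RSA code: it checks a .CSV against the prerequisites above (a 'name type' header with no whitespace in column names), loads it keyed on the Key column with a Max Rows limit, and then shows the two uses just described, a whitelist check inside a rule and post-alert enrichment. The student table, the integer/string types, and the behaviour on exceeding Max Rows are constructed assumptions.

```python
import csv
# Column types the page names in its example header; anything else is
# rejected here as an assumption, since the page lists no further types.
KNOWN_TYPES = {"string", "integer"}

def parse_header(line):
    """Check the first .CSV line: each cell must be 'name type', so a column
    name containing whitespace (three or more words) is rejected."""
    columns = []
    for cell in next(csv.reader([line])):
        parts = cell.strip().split()
        if len(parts) != 2:
            raise ValueError(f"bad column header {cell!r}: expected 'name type'")
        name, ctype = parts
        if ctype not in KNOWN_TYPES:
            raise ValueError(f"column {name!r}: unknown type {ctype!r}")
        columns.append((name, ctype))
    return columns

def load_table(csv_text, key=None, max_rows=1000):
    """Dict keyed on the join column (the first one unless a Key is given).
    Raising past max_rows is an assumption; the page does not say what ESA does."""
    lines = [ln for ln in csv_text.splitlines() if ln.strip()]
    columns = parse_header(lines[0])
    names = [name for name, _ in columns]
    key = key or names[0]
    if key not in names:
        raise ValueError(f"key {key!r} is not a column of the table")
    table = {}
    for row in csv.reader(lines[1:]):
        if len(row) != len(columns):
            raise ValueError(f"row {row!r}: expected {len(columns)} fields")
        if len(table) >= max_rows:
            raise ValueError(f"table exceeds Max Rows ({max_rows})")
        record = {n: int(v) if t == "integer" else v for (n, t), v in zip(columns, row)}
        table[record[key]] = record
    return table

def enrich(alert, table, key):
    """Post-alert enrichment: matching row merged into a copy of the alert."""
    return {**table.get(alert.get(key), {}), **alert}

def is_whitelisted(event, table, key):
    """In-rule use: true when the event's key value is present in the table."""
    return event.get(key) in table

# Constructed sample input following the page's student example.
STUDENTS_CSV = """Rollno integer,Name string,Marks integer
101,Asha Rao,88
102,Ben Ortiz,74
"""
```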

Add a Recurring In-Memory Table

  1. In the Security Analytics menu, select Alerts > Configure.
    The Configure view is displayed with the Rules tab open.
  2. Click the Settings tab.
  3. In the options panel, select Enrichment Sources.
  4. Click the Add icon (addList.PNG) > In-Memory Table.
  5. Describe the in-memory table:
    1. Click Recurring.
    2. By default, Enable is selected. When you add the in-memory table to a rule, alerts will be enriched with data from it.
      If you add an in-memory table to a rule but do not want alerts to be enriched, deselect the checkbox.
    3. In the User-Defined Table Name field, type a name, such as Student Information, for the in-memory table configuration.
    4. If you want to explain what the enrichment adds to an alert, type a Description such as:
      When an alert is grouped by Rollno, this enrichment adds student information, such as name and marks.
  6. Type the URL of the .CSV file that will feed data to the in-memory table. Click Verify to validate the link and populate the columns from the .CSV file. You can add or remove columns using the plus or minus button.
  7. If the server is configured behind another server, select Use Proxy.
  8. If the server requires logon credentials, select Authenticated.
  9. For Recur Every, indicate how frequently ESA must check for the most recent .CSV:
    1. Select Minute(s), Hour(s), Day(s), or Week.
    2. If you select Week, select a day of the week. 
    3. Click Date Range to select a Start Date and End Date for the recurring schedule.
      DateStartEnd.png
  10. Select Persist to preserve the in-memory table on disk when the ESA service stops and to re-populate the table when the service restarts.
  11. In the Key drop-down menu, select the field to use as the default key to join incoming events with the in-memory table when using a CSV-based in-memory table as an enrichment. By default, the first column is selected. You can also modify the key later when you open the in-memory table in Enrichment Sources.
  12. In the Max Rows drop-down menu, select the maximum number of rows that can reside in the in-memory table at any one time.
  13. Click Save.
    The recurring in-memory table is configured. You can add it to a rule as an enrichment or as part of the rule condition. See Add an Enrichment to a Rule.