Alerting: Add an Enrichment to a Rule

Document created by RSA Information Design and Development on Jul 26, 2016Last modified by RSA Information Design and Development on Jul 26, 2016
Version 2Show Document
  • View in full screen mode
 

This topic tells how to add a previously configured enrichment source to a rule. When ESA creates an alert, information from the source gets included in it.

Adding an enrichment to a rule allows you to request for look ups into a variety of sources and include the results in the outgoing alerts, giving you a more detailed alert. This procedure requires role permissions for Administrator, DPO, and SOC Manager.

To add an enrichment to a rule:

  1. In the Security Analytics drop-down menu, select Alerts > Configure.
  2. In the Rule Library view, do one of the following:
    • Double-click a rule.
    • Select a rule and click Edit icon in the Rule Library toolbar.
    The Rule Builder panel is displayed in a new Security Analytics tab.
  3. In the Enrichments section, click addList.PNG and select any of the following enrichment types: 
    • In-Memory Table
    • External DB Reference
    • Warehouse Analytics
    • GeoIP
    The enrichment types that you have selected are displayed in the table.
  4. For the added enrichment type, perform the following:
    • In the Output column, select the type that you have configured.
    • In the Enrichment Source drop-down list, select the enrichment source defined.
    • In the ESA Event Stream Meta field, type the event stream meta key whose value will be used as one operand of join condition.
      RuleEnrSec.png
    • In the Enrichment Source Column Name field, type the enrichment source column name whose value will be used as another operand of the join condition.
  5. Select Debug. This will add a @Audit(‘stream’) annotation to the rule. This is useful when debugging the esper rules.
  6. Click Show Syntax to test if the defined ESA rule is valid.
  7. Click Save.

For details on parameters and their descriptions, see Rule Builder Tab.

You are here: Add a Data Enrichment Source > Add an Enrichment to a Rule

Attachments

    Outcomes