This topic explains how to configure a connection to an external database that can provide additional information in alerts.
You configure a database connection so that you can then configure the database as an enrichment source, which adds further details to alerts. There are three steps in the process:
1. Configure a connection to a database.
2. Configure the external database as an enrichment source.
3. Add the enrichment source to a rule.
This topic explains Step 1.
This example illustrates how adding a database as an enrichment source adds value to alerts.
A rule detects users that attempt to sign up for a stealth email service. Twenty-five users match the rule criteria. Without the enrichment, the alert contains 25 User IDs. With the enrichment, the alert also includes the following information for each User ID:
- Office Location
When you configure a database, the following conditions apply:
- A reference to the database is deployed on every ESA, even if the ESA does not deploy rules that use the database as an enrichment source.
- If the server that hosts the database goes down, it impacts a deployment:
  - An active deployment will continue to gather data and run rules but enrichments will not appear in alerts.
  - A new deployment will fail until you restart the host.
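The following Python example is added here to illustrate the enrichment example and the active-deployment condition above; it is not ESA code and does not show how ESA implements enrichment. It uses an in-memory SQLite table as a stand-in for the external database, and the table name, column names, function names and sample rows are all assumptions constructed for the illustration.

```python
import sqlite3


def build_directory():
    """Create a stand-in external database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (user_id TEXT PRIMARY KEY, office_location TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?)",
        [("u1001", "Boston"), ("u1002", "Bangalore")],
    )
    conn.commit()
    return conn


def enrich_alert(user_ids, conn):
    """Return one alert row per user ID, adding office_location when available.

    If the database cannot be queried, the alert is still returned, but it
    carries only the user IDs and no enrichment fields.
    """
    rows = [{"user_id": uid} for uid in user_ids]
    if not user_ids:
        return rows
    try:
        # Bind user IDs as parameters; never build the query from event data.
        marks = ",".join("?" * len(user_ids))
        cur = conn.execute(
            "SELECT user_id, office_location FROM employees "
            f"WHERE user_id IN ({marks})",
            list(user_ids),
        )
        found = dict(cur.fetchall())
    except sqlite3.Error:
        return rows  # database unavailable: alert without enrichment
    for row in rows:
        if row["user_id"] in found:
            row["office_location"] = found[row["user_id"]]
    return rows


if __name__ == "__main__":
    db = build_directory()
    print(enrich_alert(["u1001", "u1002", "u9999"], db))  # enriched where known
    db.close()  # simulate the database host going down
    print(enrich_alert(["u1001", "u1002", "u9999"], db))  # user IDs only
```
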
To configure a database connection:
- In the Security Analytics menu, select Alerts > Configure.
- Click the Settings tab.
- In the options panel, select Database Connections.
The Database Connections panel is displayed.
- Click to add a database connection.
- In the Database Connection dialog, provide the following information.
- Click Save.
For related information, see Settings Tab.