Alerting: Configure In-Memory Table as Enrichment Source

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Jul 26, 2016.
Version 2

This topic provides instructions on how to configure an in-memory table. You can add the table to a rule as an enrichment source.

When you configure an in-memory table, you upload a .CSV file as an input to the table. You can associate this table with a rule as an enrichment source. When the associated rule generates an alert, ESA will enrich the alert with relevant information from the in-memory table.

For example, a rule could be configured to detect when a user tries to download freeware and to identify the person by user ID in the alert. The alert could be enriched with additional information from an in-memory table that contains details such as full name, title, office location and employee number.

An in-memory table is ideal for handling lightweight data. It is easy to set up and requires less maintenance than a database. For example, the AllTech Company is a small organization so the system administrator can maintain employee information in a .CSV file. If AllTech grows into a very large company, the administrator would have to configure an external database reference as an enrichment and associate the database with a rule.

Configuration Options

To ensure a rule has the most recent version of a .CSV file, there are two options:

  • Adhoc – You upload a .CSV file once, when you configure the in-memory table as an enrichment source.
  • Recurring – ESA re-fetches the .CSV file on a schedule you specify. The .CSV file must be hosted on a remote web server.

Prerequisites

The first line of the .CSV file must be formatted this way for each column:
name_of_column_1 type_of_column_1

For example, these three columns are formatted correctly:
Last_Name string
First_Name string
Phone integer
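The header convention above (one "name type" pair per column) and the enrichment example earlier on this page (an alert keyed by user ID picking up name, title and employee number) can both be exercised offline with the following added Python example. It is not RSA's code and does not reproduce how ESA loads the table; it is a small validator and lookup that uses the two column types the page names (string, integer), a constructed sample .CSV, and an assumed key column named User_ID. Running it against a .CSV before upload catches a malformed header or a non-integer value in an integer column, and shows what an enriched alert record looks like.

```python
import csv
import io
import re

# One header cell per column, "name_of_column type_of_column", as the page requires.
# Only the two types the page mentions are accepted here; the product itself may know more.
HEADER_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s+(string|integer)\s*$", re.IGNORECASE)
CONVERTERS = {"string": str, "integer": int}

# Constructed sample file (not from the page): an HR-style table keyed by user ID.
SAMPLE_CSV = """\
User_ID string,Full_Name string,Title string,Office string,Employee_Number integer
jdoe,Jane Doe,Analyst,Boston,1001
asmith,Alex Smith,Engineer,Austin,1002
"""


def parse_header(header_cells):
    """Validate the first CSV line; return [(name, type), ...] or raise ValueError."""
    columns = []
    for i, cell in enumerate(header_cells, start=1):
        match = HEADER_RE.match(cell)
        if not match:
            raise ValueError(f"column {i}: expected 'name type', got {cell!r}")
        columns.append((match.group(1), match.group(2).lower()))
    return columns


def load_table(csv_text, key_column, max_rows=1000):
    """Parse the CSV into {key_value: row_dict}, type-converting every cell.

    max_rows plays the role of the Max Rows setting: more rows than that is an error,
    so a too-large file is noticed before it is uploaded.
    """
    reader = csv.reader(io.StringIO(csv_text))
    columns = parse_header(next(reader))
    names = [name for name, _ in columns]
    if key_column not in names:
        raise ValueError(f"key column {key_column!r} not in header {names}")

    table = {}
    rows_loaded = 0
    for line_no, row in enumerate(reader, start=2):
        if not row:  # tolerate blank lines
            continue
        if len(row) != len(columns):
            raise ValueError(f"line {line_no}: expected {len(columns)} cells, got {len(row)}")
        record = {}
        for (name, ctype), value in zip(columns, row):
            try:
                record[name] = CONVERTERS[ctype](value)
            except ValueError:
                raise ValueError(
                    f"line {line_no}: column {name!r} expects {ctype}, got {value!r}"
                ) from None
        rows_loaded += 1
        if rows_loaded > max_rows:
            raise ValueError(f"more than {max_rows} rows; raise Max Rows or trim the file")
        table[record[key_column]] = record
    return table


def enrich_alert(alert, table, key_column):
    """Return a copy of the alert with the matching table row merged in.

    Fields already present on the alert are kept; an alert whose key has no
    matching row is returned unchanged, which is the case to watch for in practice.
    """
    enriched = dict(alert)
    row = table.get(alert.get(key_column))
    if row is not None:
        for name, value in row.items():
            if name != key_column:
                enriched.setdefault(name, value)
    return enriched


if __name__ == "__main__":
    employees = load_table(SAMPLE_CSV, key_column="User_ID")
    alert = {"User_ID": "jdoe", "event": "freeware download"}  # constructed alert
    print(enrich_alert(alert, employees, key_column="User_ID"))
```

The header check is deliberately strict: a cell such as "Phone" without a type, or a type other than string or integer, is rejected up front rather than producing a half-loaded table. Note also that declaring a phone number as integer, as the page's example does, drops leading zeros and rejects a leading plus sign, so a string column is the safer choice for that kind of data.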

Configure an Adhoc In-Memory Table

  1. In the Security Analytics menu, select Alerts > Configure.
    The Configure view is displayed with the Rules tab open.
  2. Click the Settings tab.
  3. In the options panel, select Enrichment Sources.
  4. In the Enrichment Sources section, click the Add icon and select In-Memory Table.
  5. Describe the in-memory table:
    1. Select Adhoc.
    2. By default, Enable is selected. When you add the in-memory table to a rule, alerts will be enriched with data from it.
      If you add an in-memory table to a rule but do not want alerts to be enriched, deselect the checkbox.
    3. In the User-Defined Table Name field, type a name, such as HREmployeeInfo, for the in-memory table configuration.
    4. If you want to explain what the enrichment adds to an alert, type a Description such as:
      When an alert is grouped by user ID, this enrichment adds name, title and employee number.
  6. In the Import Data field, select the .CSV file that will feed data to the in-memory table.
  7. If you want to write an EPL query to define an advanced in-memory table configuration, select Expert Mode.
    The Table Columns are replaced by a Query field.
  8. Select Persist to preserve the in-memory table on disk when the ESA service stops and to re-populate the table when the service restarts.
  9. In the Table Columns section, click Add icon to add columns to the in-memory table.
  10. If a valid file is selected in the Import Data field, the columns populate automatically.

Note: If you selected Expert mode, a Query field is displayed instead of Table Columns.

  11. In the Max Rows drop-down menu, select the maximum number of rows that can reside in the in-memory table at any one time.
  12. Click Save.
    The adhoc in-memory table is configured. You can add it to a rule. See Add an Enrichment to a Rule.

Add a Recurring In-Memory Table

  1. In the Security Analytics menu, select Alerts > Configure.
    The Configure view is displayed with the Rules tab open.
  2. Click the Settings tab.
  3. In the options panel, select Enrichment Sources.
  4. Click the Add icon and select In-Memory Table.
  5. Describe the in-memory table:
    1. Click Recurring.
    2. By default, Enable is selected. When you add the in-memory table to a rule, alerts will be enriched with data from it.
      If you add an in-memory table to a rule but do not want alerts to be enriched, deselect the checkbox.
    3. In the User-Defined Table Name field, type a name, such as HR Employee Info, for the in-memory table configuration.
    4. If you want to explain what the enrichment adds to an alert, type a Description such as:
      When an alert is grouped by user ID, this enrichment adds name, title and employee number.
  6. Type the URL of the .CSV file that will feed data to the in-memory table. Click Verify to validate the link and populate the columns from the .CSV file. You can add or remove columns using the plus or minus button.
  7. If the server is reachable only through another server, select Use Proxy.
  8. If the server requires logon credentials, select Authenticated.
  9. For Recur Every, indicate how frequently ESA must check for the most recent .CSV:
    1. Select Minute(s), Hour(s), Day(s), or Week.
    2. If you select Week, select a day of the week.
    3. Click Date Range to select a Start Date and End Date for the recurring schedule.
  10. Select Persist to preserve the in-memory table on disk when the ESA service stops and to re-populate the table when the service restarts.
  11. In the Max Rows drop-down menu, select the maximum number of rows that can reside in the in-memory table at any one time.
  12. Click Save.
    The recurring in-memory table is configured. You can add it to a rule. See Add an Enrichment to a Rule.