You can configure a database as an enrichment source so you can add it to a rule. Then the Esper engine that analyzes events can access the information in the database to provide additional information in the alert.
For example, a rule detects users that attempt to sign up for a stealth email service. Twenty-five users match the rule criteria. The alert contains 25 User IDs. An external database would enhance the alert by providing the following additional information for each User ID:
- Office Location
- Reports To
You can edit, duplicate, import or export a database connection.
You must configure a database connection. For more information, see Configure a Database Connection.
To configure database as an enrichment source:
- In the Security Analytics menu, select Alerts > Configure.
- Click the Settings tab.
The Settings tab is displayed.
- In the options panel, select Enrichment Sources.
The Enrichment Sources panel is displayed.
- From the drop-down menu, select External DB Reference. You have to add a DB reference in order for the DB to be listed.
The External DB Reference dialog is displayed.
- Select Enable to enrich alert with additional data. This is selected by default. If disabled, the alert will not be enriched with additional data.
- In the User-Defined Table Name field, type a name to identify or label the database configuration.
- In the Description field, type a brief description about the database configuration.
- In the Database Connection drop-down menu, select the database connections defined.
- In the Table Name field, enter database table name.
- Click Save.
For details on parameters and their descriptions, see Settings Tab.