This topic describes how to add a previously configured enrichment source to a rule. When ESA creates an alert, information from the source is included in it.
Adding an enrichment to a rule lets you request lookups against a variety of sources and include the results in the outgoing alerts, giving you a more detailed alert. This procedure requires the Administrator, DPO, or SOC Manager role permissions.
To add an enrichment to a rule:
- In the Security Analytics drop-down menu, select Alerts > Configure.
- In the Rule Library view, do one of the following:
- In the Enrichments section, click and select any of the following enrichment types:
- In-Memory Table
- External DB Reference
- Warehouse Analytics
Note: If you use a GeoIP source, ipv4 is automatically populated and is not editable.
- For the added enrichment type, perform the following:
- In the Output column, select the enrichment type that you have configured.
- In the Enrichment Source drop-down list, select the enrichment source you defined.
- In the ESA Event Stream Meta field, type the event stream meta key whose value is used as one operand of the join condition.
- In the Enrichment Source Column Name field, type the enrichment source column whose value is used as the other operand of the join condition.
- Select Debug. This adds an @Audit('stream') annotation to the rule, which is useful when debugging Esper rules.
- Click Show Syntax to test if the defined ESA rule is valid.
- Click Save.
For details on parameters and their descriptions, see Rule Builder Tab.
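The following EPL statement is an added illustration, not part of this page or of RSA's generated rule text. It shows roughly what the join condition configured above amounts to for an In-Memory Table enrichment: the ESA Event Stream Meta (here ip_src) is one operand, the Enrichment Source Column Name (here ip) is the other, and the @Audit('stream') annotation is what the Debug checkbox adds. The names Event, ip_src, ThreatIps, ip and category are assumptions chosen for the example.

```epl
// Added example; names Event, ip_src, ThreatIps, ip and category are assumed.
@Audit('stream')          // added by the Debug checkbox; traces stream activity in the ESA log
@RSAAlert                 // marks the statement as an alert-producing rule
select e.ip_src, t.category
from Event(medium = 1).win:time(1 min) as e unidirectional,
     ThreatIps as t       // the in-memory table acting as the enrichment source
where e.ip_src = t.ip     // ESA Event Stream Meta joined to Enrichment Source Column Name
```

The unidirectional keyword makes only arriving events trigger the join, so updates to the enrichment table do not by themselves raise alerts; after saving, use Show Syntax to confirm the rule still validates with the enrichment attached.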