You may need meta that Security Analytics does not currently collect in order to enrich an ESA rule. In such a case, you can create custom meta keys and use them in ESA rules.
For example, you can add custom meta to map the criticality of an asset in your enterprise. An asset is any device connected to an enterprise network, such as a laptop, printer, and so on. This document refers to this custom meta as "criticality."
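The following is an added example, not code from the Security Analytics documentation or product, that shows the idea behind the workflow: a feed maps each asset to a criticality value, every event is enriched with that value under a custom "criticality" meta key, and a correlation rule then uses the key to alert only on failed logins against high-criticality assets. The feed contents, the sample events, and the field names (ip_src, ip_dst, event_cat_name, criticality) are constructed assumptions for illustration; a real ESA rule would express the same logic in EPL against the meta keys your Decoders and feeds actually populate.

```python
from collections import defaultdict

# Constructed asset-criticality feed (assumption): destination IP -> criticality.
ASSET_CRITICALITY = {
    "10.0.0.5": "high",    # e.g. a domain controller
    "10.0.0.20": "medium",
    "10.0.1.7": "low",
}


def enrich(event, feed=ASSET_CRITICALITY):
    """Attach the custom 'criticality' meta to an event based on its ip_dst.

    Events whose destination is not in the feed receive 'unknown' so the
    rule below can treat an unmapped asset explicitly instead of silently
    dropping it.
    """
    enriched = dict(event)
    enriched["criticality"] = feed.get(event.get("ip_dst"), "unknown")
    return enriched


def failed_logins_on_critical_assets(events, threshold=3):
    """Correlation rule: alert when one source reaches `threshold` failed
    logins against a single high-criticality asset.

    Only the enriched 'criticality' key distinguishes a noisy low-value
    printer from a domain controller; without the custom meta the rule
    would have to alert on every asset or on none.
    """
    counts = defaultdict(int)
    alerts = []
    for ev in events:
        if ev.get("event_cat_name") != "User.Activity.Failed Logins":
            continue
        if ev.get("criticality") != "high":
            continue
        key = (ev["ip_src"], ev["ip_dst"])
        counts[key] += 1
        if counts[key] == threshold:  # fire once per (source, asset) pair
            alerts.append({
                "ip_src": key[0],
                "ip_dst": key[1],
                "count": threshold,
                "criticality": "high",
            })
    return alerts


def _failed(ip_src, ip_dst):
    return {"ip_src": ip_src, "ip_dst": ip_dst,
            "event_cat_name": "User.Activity.Failed Logins"}


# Constructed sample events (assumption): three failures against a high-
# criticality asset, three against a low-criticality one, a successful
# login, and a failure against an asset the feed does not know about.
SAMPLE_EVENTS = (
    [_failed("192.168.1.50", "10.0.0.5") for _ in range(3)]
    + [_failed("192.168.1.50", "10.0.1.7") for _ in range(3)]
    + [{"ip_src": "192.168.1.51", "ip_dst": "10.0.0.5",
        "event_cat_name": "User.Activity.Successful Logins"}]
    + [_failed("192.168.1.52", "10.0.9.9")]
)


def run(events=SAMPLE_EVENTS):
    """Enrich each event, then evaluate the rule over the enriched stream."""
    return failed_logins_on_critical_assets(enrich(e) for e in events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running the block produces a single alert for the high-criticality asset 10.0.0.5; the same number of failures against the low-criticality asset is ignored, which is exactly the noise reduction the custom meta buys you.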
Note: The roles assigned to the tasks in the following table reflect the most common role that performs each task. For example, the Threat Hunter is simply the most common role to request custom meta in an ESA rule and drive the process; the Content Expert and Incident Responder roles can also drive it.
| Role | Task |
|---|---|
| Threat Hunter | Request custom meta collection or feed. |
| Administrator | Set Up Custom Meta Collection |
| Administrator | Create ESA Rule with Custom Meta |
| Threat Hunter | Conduct Investigation Using ESA Rule with Custom Meta. |
Other Ways to Enrich ESA Rules
In addition to custom meta, you can add contextual information to correlation logic and alert output by adding an enrichment source. Refer to the Add a Data Enrichment Source topic in the Alerting Using ESA Guide for detailed instructions.
Other Uses for Custom Meta
Beyond ESA rules, you can also use custom meta to:
- Enrich rules other than ESA rules.
- Implement custom log messages.
- Customize out-of-the-box rule parsing.
- Customize out-of-the-box meta descriptions.