To enrich an ESA rule, you may need meta that Security Analytics does not currently collect. In such cases, you can create custom meta keys and use them in ESA rules.
For example, you can add custom meta to map the criticality of an asset in your enterprise. An asset is any device connected to an enterprise network, such as a laptop or printer. This document refers to this custom meta as "criticality."
Other Ways to Enrich ESA Rules
In addition to custom meta, you can add contextual information to correlation logic and alert output by adding an enrichment source. Refer to the Add a Data Enrichment Source topic in the Alerting Using ESA Guide for detailed instructions.
Other Uses for Custom Meta
You can also use custom meta in ESA rules to:
- Enrich rules other than ESA rules.
- Implement custom log messages.
- Customize out-of-the-box rule parsing.
- Customize out-of-the-box meta descriptions.