ESA Config: Using Custom Meta in an ESA Rule

Document created by RSA Information Design and Development on Jun 25, 2017

Purpose

You may need meta that Security Analytics does not currently collect in order to enrich an ESA rule. In such a case, you can create custom meta keys and use them in ESA rules.

For example, you can add custom meta to map the criticality of an asset in your enterprise. An asset is any device connected to an enterprise network such as a laptop, printer, and so on. This document refers to this custom meta as "criticality."

Workflow

Note: The role assigned to each task in the following table reflects the most common role that performs the task. For example, the Threat Hunter is simply the most common role to request custom meta in an ESA rule and drive the process. The Content Expert and Incident Responder roles can also drive this process.

Role            Task
Threat Hunter   Request custom meta collection or feed.
Administrator   Set Up Custom Meta Collection
Administrator   Create ESA Rule with Custom Meta
Threat Hunter   Conduct Investigation Using ESA Rule with Custom Meta.
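The workflow above ends with a rule that uses the custom meta. The following added example (not RSA product code) models that flow in Python: an asset feed supplies the "criticality" meta, events are enriched with it, and a rule alerts only on failed logons against high-criticality assets. The feed contents, events, and meta key names (`ip_dst`, `ec_activity`, `ec_outcome`) are constructed assumptions.

```python
"""Added example, not RSA product code: shows how a custom meta key
("criticality") supplied by an asset feed changes what a correlation
rule alerts on. All feed entries, events and key names are constructed."""
from collections import Counter

# Constructed asset-criticality feed: asset IP -> value of the custom meta.
ASSET_FEED = {
    "10.0.0.5": "high",    # e.g. a domain controller
    "10.0.0.9": "medium",  # e.g. a file server
    "10.0.1.20": "low",    # e.g. a user laptop
}

# Constructed raw events as collected; no criticality meta is present yet.
RAW_EVENTS = [
    {"ip_dst": "10.0.0.5", "ec_activity": "Logon", "ec_outcome": "Failure"},
    {"ip_dst": "10.0.0.5", "ec_activity": "Logon", "ec_outcome": "Failure"},
    {"ip_dst": "10.0.0.5", "ec_activity": "Logon", "ec_outcome": "Failure"},
    {"ip_dst": "10.0.1.20", "ec_activity": "Logon", "ec_outcome": "Failure"},
    {"ip_dst": "10.0.1.20", "ec_activity": "Logon", "ec_outcome": "Failure"},
    {"ip_dst": "10.0.1.20", "ec_activity": "Logon", "ec_outcome": "Failure"},
    {"ip_dst": "10.0.2.7", "ec_activity": "Logon", "ec_outcome": "Failure"},
]


def enrich(event, feed):
    """Attach the custom 'criticality' meta from the feed. Assets absent
    from the feed get 'unknown' so the rule can still reason about them."""
    enriched = dict(event)
    enriched["criticality"] = feed.get(event.get("ip_dst"), "unknown")
    return enriched


def failed_logons_on_critical_assets(events, feed, threshold=3):
    """Rule logic: alert when a 'high' criticality asset accumulates at
    least `threshold` failed logons. Returns the alerting asset IPs, sorted.
    The same failures against a 'low' asset produce no alert."""
    counts = Counter()
    for ev in (enrich(e, feed) for e in events):
        if (ev["criticality"] == "high"
                and ev["ec_activity"] == "Logon"
                and ev["ec_outcome"] == "Failure"):
            counts[ev["ip_dst"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(failed_logons_on_critical_assets(RAW_EVENTS, ASSET_FEED))
```

Without the criticality meta, the laptop at 10.0.1.20 would trigger the same threshold; the enrichment is what lets the rule focus the Threat Hunter's investigation on the high-value asset.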

Other Ways to Enrich ESA Rules

In addition to custom meta, you can add contextual information into correlation logic and alert output by adding an enrichment source. Refer to Add a Data Enrichment Source topic in the Alerting Using ESA Guide for detailed instructions.

Other Uses for Custom Meta

Beyond ESA rules, you can also use custom meta to:

  • Enrich rules other than ESA rules.
  • Implement custom log messages.
  • Customize out-of-the-box rule parsing.
  • Customize out-of-the-box meta descriptions.