This topic describes the components of the (Configure) > ESA Rules > Settings tab. In the Settings tab, you can perform the following tasks:
- View a list of meta keys
- Configure a data enrichment source
What do you want to do?
Role | I want to ... | Show me how |
---|---|---|
Content Expert | Configure an in-memory table as an enrichment source. (Recurring In-Memory Tables are no longer supported in version 11.3 and later.) | Configure an In-Memory Table as an Enrichment Source |
Content Expert | Configure a Context Hub list as an enrichment source. | Configure a Context Hub List as an Enrichment Source |
Quick Look
The following figure shows the Meta Key References section in the Settings tab.
Meta Key References
The Meta Key References section lists each meta key used by ESA and the type of value the key requires.
Meta entities, such as the following, are not currently supported:
- fullname.all
- eth.all
- ip.all
- ipv6.all
- port.src.all
- port.dst.all
- dir.path.all
- org.all
- geoip.all
- port.all
- domain.all
- email.all
- filename.all
- directory.all
- checksum.all
- param.all
- context.all
- attack.all
- analysis.all
- compromise.all
- inv.all
- outcome.all
- ec.all
- user.all
- host.all
- client.all
Caution: If you add meta entities to your rule, they cannot get data from the data sources, so they do not trigger alerts.
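Because a rule that references a meta entity fails silently (no data, no alert), it is worth checking rule text for these keys before deployment. The following check is an added example, not part of the product or its documentation; the function names and the sample rule are hypothetical, and it assumes rule text may write a key with dots or underscores, optionally behind a stream alias.

```python
import re

# Meta entities the page lists as unsupported in ESA rules.
UNSUPPORTED_META_ENTITIES = frozenset("""
fullname.all eth.all ip.all ipv6.all port.src.all port.dst.all dir.path.all
org.all geoip.all port.all domain.all email.all filename.all directory.all
checksum.all param.all context.all attack.all analysis.all compromise.all
inv.all outcome.all ec.all user.all host.all client.all
""".split())

# Comments and quoted strings are skipped: 'ip.all' as a value is data, not a key.
_SKIP = re.compile(r"/\*.*?\*/|//[^\n]*|'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"", re.S)
# Assumption: a key may be written with dots (ip.all) or underscores (ip_all),
# optionally behind a stream alias (e.ip_all).
_TOKEN = re.compile(r"[A-Za-z0-9]+(?:[._][A-Za-z0-9]+)+")

def _entity_for(token):
    """Map a rule token to the meta entity it names, or None."""
    key = token.lower().replace("_", ".")
    for entity in UNSUPPORTED_META_ENTITIES:
        if key == entity or key.endswith("." + entity):
            return entity
    return None

def find_meta_entities(rule_text):
    """Return sorted (line_number, meta_entity) pairs referenced in rule_text."""
    # Blank skipped spans but keep newlines so reported line numbers stay correct.
    code = _SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), rule_text)
    hits = set()
    for lineno, line in enumerate(code.splitlines(), start=1):
        for token in _TOKEN.findall(line):
            entity = _entity_for(token)
            if entity:
                hits.add((lineno, entity))
    return sorted(hits)

# Constructed sample rule text (not from the page).
SAMPLE_RULE = """\
/* ip.all in a comment is ignored */
SELECT * FROM Event(
    medium = 1 AND
    ip_all = '10.0.0.5' AND
    user_dst = 'user.all'
).win:time(5 min);
"""

if __name__ == "__main__":
    for lineno, entity in find_meta_entities(SAMPLE_RULE):
        print(f"line {lineno}: meta entity {entity} will not receive data")
```
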
Enrichment Sources
In the Enrichment Sources section, you can use the following external data sources:
- GeoIP
- In-Memory Table (Ad hoc only. Recurring In-Memory Tables are no longer supported in version 11.3 and later.)
- Context Hub
The following figure shows the Enrichment Sources section in the Settings tab.