You may need meta that is not currently collected by Security Analytics to enrich an ESA rule. In such case, you can create Custom meta keys and use them in ESA Rules.
For example, you can add custom meta to map the criticality of an asset in your enterprise. An asset is any device connected to an enterprise network such as a laptop, printer, and so on. This document refers to this custom meta as "criticality."
Note: The role assigned to the tasks in the following table reflect the most common role that performs the task. For example, the Threat Hunter is just the most-common role to request custom meta in an ESA rule and drive the process. The Content Expert and Incident Responder roles can also drive this process.
In addition to custom meta, you can add contextual information into correlation logic and alert output by adding an enrichment source. Refer to Add a Data Enrichment Source topic in the Alerting Using ESA Guide for detailed instructions.