Add an Enrichment to a Rule
This topic describes how to add a previously configured enrichment source to a rule. When ESA creates an alert, information from that source is included in it.
Adding an enrichment to a rule lets you request lookups into a variety of sources and include the results in the outgoing alerts, giving you a more detailed alert. This procedure requires role permissions for Administrator, DPO, and SOC Manager.
Note: This procedure does not apply to adding a Context Hub list as an enrichment to a condition statement in an existing rule. For information, see Configure a Context Hub List as an Enrichment Source.
To add an enrichment to a rule:
- Go to (Configure) > ESA Rules.
- In the Rule Library view, do one of the following:
  - Double-click a rule.
  - Select a rule and click in the Rule Library toolbar.
- In the Enrichments section, click and select any of the following enrichment types:
  - In-Memory Table
  - GeoIP

  Note: If you use a GeoIP source, ipv4 is automatically populated and is not editable.

  The enrichment types that you have selected are displayed in the table.
- For the added enrichment type, perform the following:
  - In the Output column, select the type that you have configured.
  - In the Enrichment Source drop-down list, select the enrichment source that you defined.
  - In the ESA Event Stream Meta field, type the event stream meta key whose value is used as one operand of the join condition.
  - In the Enrichment Source Column Name field, type the enrichment source column name whose value is used as the other operand of the join condition.
- Select Debug. This adds an @Audit('stream') annotation to the rule, which is useful when debugging the Esper rules.
- Click Show Syntax to test if the defined ESA rule is valid.
- Click Save.
For details on parameters and their descriptions, see Rule Builder Tab.
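As an added illustration that is not part of the original documentation, the join that the ESA Event Stream Meta and Enrichment Source Column Name fields define corresponds in Esper EPL to a stream-to-table join like the one below. The event type `Event`, the meta keys `ip_src` and `user_dst`, the in-memory table `KnownHosts` and its columns `ip`, `owner` and `department` are assumed names chosen for this example, not ESA-specific identifiers.

```sql
-- Assumed names: Event (event stream), ip_src / user_dst (event stream meta keys),
-- KnownHosts (in-memory table loaded as an enrichment source) with columns ip, owner, department.
-- @Audit('stream') is the annotation the Debug option adds; it logs stream activity for troubleshooting.
@Name('HostOwnerEnrichedAlert')
@Audit('stream')
select e.ip_src, e.user_dst, k.owner, k.department
from Event as e unidirectional, KnownHosts as k
-- Left operand: ESA Event Stream Meta; right operand: Enrichment Source Column Name.
where e.ip_src = k.ip;
```

The `unidirectional` keyword makes only incoming events trigger the join, so updates to the lookup table do not by themselves produce alerts.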