Creating enrichment policies


An enrichment policy defines which log entries are enriched and which enrichments are applied to them. A single policy can apply multiple enrichments to a log entry.

To create an enrichment policy

On the Configurations > Enrichment Policies page, click Create, and perform the following actions:

  1. Specify a unique name, an optional description, and a precedence number for the policy.
    Precedence affects how collected logs are enriched when more than one policy applies to them. For more information, see How log enrichment works.
  2. Create the log selection criteria that determine which log entries the policy applies to. 
    When a log entry meets the criteria, the enrichments in the policy are applied to it.

    Constructing the selection criteria

    When you click in the box, you are prompted to make a selection. After each selection, you are prompted for the next one. 

    Each condition consists of an opening parenthesis, followed by the slot name, the operator, the slot value (its form depends on the type of the selected slot; for example, a string), and the closing parenthesis. Specifying the opening and closing parentheses is optional. To add further conditions, join them with the logical operator AND or OR.

    Example criteria: If you specify criteria such as those shown in the screenshot below, enrichment is applied to all the log entries whose level type is either alert or error.

    The green tick mark indicates that the selection criteria syntax is correct.

    [Screenshot: Log selection criteria]

  3. In the Enrichments Source section, click Add Enrichment and perform the following actions:
    1. Select the enrichment type that you want to apply to the identified logs.
      For example, select DNS. 
    2. From the Select Enrichment Source list, select the enrichment source that you have configured.
      For a CSV enrichment source, the field that you selected in Source Field is displayed in Source Field Name. The enrichment fields are displayed in Target Fields.
      For other enrichment sources, in Source Field Name, the variable that you used in the endpoint URL to connect to the source is displayed. The enrichment fields configured in the selected source are displayed in Target Fields.
    3. In Source Field Path, enter the path of the log field that supplies the value of the endpoint URL variable. For a CSV enrichment source, enter the path of the log field that is matched against the field shown in Source Field Name.
      Example for GeoIP: you configured the IP address as the variable {IPAddress}, and your logs store the IP address in the IPAdd field. Enter $.IPAdd in Source Field Path.
      Example for CSV: you configured UserID as the Source Field in the enrichment source, and your logs carry the user ID in the user_ID field. Enter $.user_ID in Source Field Path.
    4. (Optional) In Target Fields, remove any fields that you do not want added to the identified log entries.
    5. Save the enrichment configuration.
  4. (Optional) Add more enrichment configurations.
  5. Enable and save the policy. 
    View the enrichment policies on the Enrichment Policies page. Use the Actions menu to edit, disable, or delete a policy:
    [Screenshot: Actions menu on the Enrichment Policies page]
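The following is an added, stand-alone Python example that reimplements the two parts of the procedure above for illustration: it evaluates a selection criteria string of the form described in step 2 against sample log entries, and then applies a CSV enrichment (step 3) to the entries that match, resolving the Source Field Path in the log and honouring the Target Fields selection. It is not the product's own code. The exact grammar (operators = and !=, left-to-right evaluation of AND and OR, optional parentheses), the $.field path handling, the rule that an existing log field is never overwritten, and the CSV rows and log entries are all assumptions made for the example.

```python
"""Added example: evaluate enrichment-policy selection criteria and apply a CSV
enrichment to matching log entries. Stand-alone illustration; the grammar,
operators, path syntax and sample data are assumptions, not product behaviour."""
import csv
import io
import re

# Assumed grammar: expr := term ((AND|OR) term)* ; term := "(" expr ")" | slot op value
# Operators: = and !=. AND/OR are applied left to right; use parentheses to group.
_TOKEN = re.compile(r'\s*(\(|\)|AND\b|OR\b|!=|=|"[^"]*"|[^\s()=!]+)')

def tokenize(criteria):
    tokens, pos, text = [], 0, criteria.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("bad criteria near %r" % text[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

def compile_criteria(criteria):
    """Return a predicate (log entry dict -> bool) for a criteria string."""
    tokens, pos = tokenize(criteria), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("criteria ended unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def term():
        if peek() == "(":
            take()
            inner = expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return inner
        slot, op, value = take(), take(), take().strip('"')
        if op not in ("=", "!="):
            raise ValueError("unknown operator %r" % op)
        # A slot absent from the entry never matches, whichever operator is used.
        return lambda e: slot in e and (str(e[slot]) == value) == (op == "=")

    def expr():
        left = term()
        while peek() in ("AND", "OR"):
            op, right = take(), term()
            left = ((lambda l, r: lambda e: l(e) and r(e)) if op == "AND"
                    else (lambda l, r: lambda e: l(e) or r(e)))(left, right)
        return left

    predicate = expr()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return predicate

def get_path(entry, path):
    """Resolve an assumed $.a.b style path (a JSONPath subset); None if absent."""
    if not path.startswith("$."):
        raise ValueError("path must start with $.")
    node = entry
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def load_csv_source(text, source_field):
    """Index CSV rows by the Source Field; the remaining columns are the target fields."""
    return {row[source_field]: {k: v for k, v in row.items() if k != source_field}
            for row in csv.DictReader(io.StringIO(text))}

def apply_policy(entries, criteria, source_field_path, lookup, target_fields=None):
    """Enrich entries that match the criteria. Unmatched entries, entries whose source
    path is missing and keys with no source row are returned unchanged."""
    matches = compile_criteria(criteria)
    out = []
    for entry in entries:
        enriched = dict(entry)
        key = get_path(entry, source_field_path) if matches(entry) else None
        row = lookup.get(str(key), {}) if key is not None else {}
        for field, value in row.items():
            if target_fields is None or field in target_fields:  # step 3.4 removals
                enriched.setdefault(field, value)  # assumption: never overwrite a log field
        out.append(enriched)
    return out

# Constructed sample data, not taken from the page.
USER_CSV = "UserID,department,role\nu1001,finance,analyst\nu1002,it,admin\n"
SAMPLE_LOGS = [
    {"level": "error", "user_ID": "u1001", "msg": "login failed"},
    {"level": "info", "user_ID": "u1002", "msg": "login ok"},          # not selected
    {"level": "alert", "user_ID": "u1002", "msg": "privilege change"},
    {"level": "alert", "user_ID": "u9999", "msg": "unknown user"},     # no CSV row
    {"level": "error", "msg": "no user field"},                        # path unresolvable
]

def demo(target_fields=frozenset({"department", "role"})):
    lookup = load_csv_source(USER_CSV, "UserID")  # Source Field = UserID
    return apply_policy(SAMPLE_LOGS, "(level = alert) OR (level = error)",
                        "$.user_ID", lookup, target_fields)
```

Running demo() returns the first and third entries with department and role added and leaves the other three unchanged; demo(frozenset({"department"})) shows the effect of removing role from Target Fields. Note the three silent cases a practitioner should expect from a real policy as well: an entry that does not meet the criteria, an entry in which the Source Field Path does not resolve, and a resolved value that has no matching row in the source all pass through without enrichment and without an error.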
