Creating enrichment policies


Enrichment policies define which log entries are enriched and which enrichments are applied to them. A single policy can apply multiple enrichments to a log entry.

To create an enrichment policy

On the Configurations > Enrichment Policies page, click Create, and perform the following actions:

  1. Specify a unique name, optional description, and precedence number for the policy.
  2. Create the log selection criteria that determine which logs the policy applies to. 
    When a log entry meets the criteria, the policy's enrichments are applied to it.

    Constructing the selection criteria

    When you click in the box, you are prompted to make a selection. Each time you make a selection, you are progressively prompted to make another selection. 

    Each condition consists of a slot name, an operator, and a slot value (for example, a string, depending on the type of slot selected), optionally enclosed in parentheses. Select the logical operator AND or OR to add further conditions; the parentheses are optional and are used to group conditions when you combine them.

    Example criteria: With the criteria shown in the following screenshot, enrichment is applied to all log entries whose level type is either alert or error.

    A green tick mark indicates that the selection criteria syntax is valid.

    [Screenshot: Log selection criteria.png]

  3. In the Enrichments Source section, click Add Enrichment and perform the following actions:

    Important

    The DNS, GeoIP, and LDAP enrichment sources are not available starting with the 22.2 release. The existing enrichment policies that contain any of these enrichment sources will not enrich logs by using these sources. The CSV enrichment source will continue to enrich the logs. 

    1. Select the enrichment type that you want to apply to the identified logs, for example, CSV. 
    2. From the Select Enrichment Source list, select the enrichment source that you have configured.
      For a CSV enrichment source, the field that you selected as Source Field when you configured the source is displayed in Source Field Name, and the enrichment fields are displayed in Target Fields.
    3. In Source Field Path, enter the path of the field in the logs whose value is matched against the field in Source Field Name.
      Example: You configured UserID as the Source Field in the enrichment source, and the logs carry the user ID in the user_ID field. Enter $.user_ID in Source Field Path.
    4. (Optional) In Target Fields, remove any fields that you do not want added to the identified log entries.
    5. Save the enrichment configuration.
  4. (Optional) Add more enrichment configurations.
  5. Enable and save the policy. 
    View the enrichment policies on the Enrichment Policies page. Use the Actions menu to edit, disable, or delete a policy.
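
As an added example (not the product's own code or configuration), the following Python models the procedure above end to end: a small criteria tree standing in for the selection criteria builder, a CSV source indexed by its Source Field, a resolver for Source Field Paths such as $.user_ID, and a policy that applies only its CSV enrichments, mirroring the note that DNS, GeoIP, and LDAP sources no longer enrich logs. The criteria tree shape, the operator names, the dotted-path syntax, and the sample CSV and log entries are assumptions constructed for this example.

```python
"""Toy model of an enrichment policy: selection criteria plus CSV enrichment.
Added example, not the product's code; operator names, the criteria tree shape,
the path syntax and the sample data are constructed assumptions."""
import csv
import io
import operator
from dataclasses import dataclass

# Comparison operators offered in the criteria builder (assumed names).
OPERATORS = {
    "equals": operator.eq,
    "contains": lambda slot_value, needle: needle in str(slot_value or ""),
}

def matches(criteria, entry):
    """criteria: leaf (slot_name, operator, slot_value) or ("AND"|"OR", c1, c2, ...).
    Nesting stands in for the optional parentheses of the criteria builder."""
    if criteria[0] in ("AND", "OR"):
        combine = all if criteria[0] == "AND" else any
        return combine(matches(c, entry) for c in criteria[1:])
    slot, op, value = criteria
    if op not in OPERATORS:
        raise ValueError(f"unknown operator {op!r}")  # invalid syntax, no green tick
    return OPERATORS[op](entry.get(slot), value)

def resolve_path(entry, path):
    """Resolve '$.user_ID' or '$.user.ID' (dotted keys only); None if absent."""
    if not path.startswith("$."):
        raise ValueError("Source Field Path must start with '$.'")
    node = entry
    for key in path[2:].split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

@dataclass
class CsvSource:
    source_field: str    # the configured Source Field (shown as Source Field Name)
    rows: dict           # Source Field value -> CSV row
    target_fields: list  # every other column of the file

    @classmethod
    def from_csv_text(cls, text, source_field):
        reader = csv.DictReader(io.StringIO(text))
        if source_field not in reader.fieldnames:
            raise ValueError(f"{source_field!r} is not a column of the CSV")
        others = [f for f in reader.fieldnames if f != source_field]
        return cls(source_field, {r[source_field]: r for r in reader}, others)

@dataclass
class Enrichment:
    kind: str               # "CSV", "DNS", "GeoIP" or "LDAP"
    source: object          # a CsvSource when kind == "CSV"
    source_field_path: str  # e.g. "$.user_ID"
    target_fields: list     # Target Fields left after the optional removal

@dataclass
class Policy:
    criteria: tuple
    enrichments: list
    enabled: bool = True

def apply_policy(policy, entry):
    """Return a copy of entry, enriched if the policy is enabled and matches."""
    out = dict(entry)
    if not policy.enabled or not matches(policy.criteria, entry):
        return out
    for e in policy.enrichments:
        if e.kind != "CSV":
            continue  # DNS, GeoIP and LDAP sources no longer enrich (22.2 note)
        key = resolve_path(entry, e.source_field_path)
        row = e.source.rows.get(key) if isinstance(key, str) else None
        if row is None:
            continue  # field missing or no matching row: entry left as is
        for f in e.target_fields:
            if f in e.source.target_fields:
                out[f] = row[f]
    return out

# Constructed sample data, not taken from the page.
USERS_CSV = """UserID,Department,Location
u1001,Finance,London
u1002,Engineering,Berlin
"""
SAMPLE_LOGS = [
    {"level_type": "error", "user_ID": "u1001", "msg": "login failed"},
    {"level_type": "info", "user_ID": "u1002", "msg": "session started"},
    {"level_type": "alert", "user_ID": "u9999", "msg": "unknown user"},
    {"level_type": "alert", "user": {"ID": "u1002"}, "msg": "nested id"},
]

def demo():
    """Apply the page's example criteria (level type alert or error) to SAMPLE_LOGS."""
    users = CsvSource.from_csv_text(USERS_CSV, source_field="UserID")
    policy = Policy(
        ("OR", ("level_type", "equals", "alert"), ("level_type", "equals", "error")),
        [Enrichment("CSV", users, "$.user_ID", ["Department"]),  # Location removed
         Enrichment("CSV", users, "$.user.ID", ["Location"]),
         Enrichment("LDAP", None, "$.user_ID", ["mail"])])      # ignored since 22.2
    return [apply_policy(policy, entry) for entry in SAMPLE_LOGS]
```

Calling demo() returns the four sample entries after the policy runs: the error entry gains Department from the UserID match, the info entry is untouched because it fails the criteria, the alert for an unknown user is untouched because no CSV row matches, and the nested-id entry is enriched only through the $.user.ID path. Removing Location from the first enrichment's Target Fields is what keeps that column out of the first entry, and the LDAP enrichment is carried in the policy but never applied.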
