Creating enrichment policies
To create an enrichment policy
- Click the Enrichment menu and select Enrichment Policies.
- On the Enrichment Policies page, click Create.
- Enter the policy information:
  - Enter a unique name and description for the policy.
  - Enter the precedence.
    The precedence number defines the priority for executing the policy. A policy with a lower precedence number is executed first.
  - Create the log selection criteria that determine which logs the policy is applied to.
    When the condition is met, enrichment is applied to the identified log entries.
    When you click in the box, you are prompted to make a selection. Each time you make a selection, you are progressively prompted to make the next one.
    The selection criteria consist of an opening parenthesis, followed by the slot name, the operator, the slot value (a string whose form depends on the type of slot selected), and the closing parenthesis. You can optionally select the logical operator AND or OR to add further conditions. Specifying the opening and closing parentheses is optional.
- In the Enrichments Source section, click Add Enrichment and perform the following actions:
  - Select the enrichment type that you want to apply to the identified logs. For example, you select DNS.
  - From the Select Enrichment Source list, select the enrichment source that you have configured.
    For a CSV enrichment source, the field that you selected in Source Field is displayed in Source Field Name, and the enrichment fields are displayed in Target Fields.
    For other enrichment sources, Source Field Name displays the variable that you used in the endpoint URL to connect to the source, and Target Fields displays the enrichment fields configured in the selected source.
  - In Source Field Path, enter the field in the logs from which the value of the endpoint URL variable is taken. For a CSV enrichment source, enter the field in the logs that is matched against the field in Source Field Name.
    Example for GeoIP: you configured the IP address as a variable, such as {IPAddress}, and in your logs the IP address is stored in the IPAdd field. Enter $.IPAdd in Source Field Path.
    Example for CSV: you configured UserID as the Source Field in the enrichment source, and in your logs the user ID is in the user_ID field. Enter $.user_ID in Source Field Path.
  - (Optional) In Target Fields, remove any fields that you do not want added to the identified log entries.
  - Click Save.
- (Optional) Add more enrichment configurations.
- Select the Enable Enrichment Policy check box and click Save.
View the enrichment policies on the Enrichment Policies page. Use the Actions menu to edit, disable, or delete a policy.
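The following Python model is an added example and is not the product's own code. It traces, offline, the flow the procedure above configures: policies ordered by precedence (lower number first), selection criteria of the form slot / operator / value joined by AND or OR, a Source Field Path such as $.IPAdd resolved against a log entry, a lookup in a CSV-style or endpoint-style enrichment source, and only the retained Target Fields being copied into the log. The sample logs, the in-memory CSV and GeoIP tables, the field names, and the rule that an earlier policy keeps its value for a field a later policy also produces are all constructed assumptions for illustration, not documented product behaviour.

```python
"""Illustrative model of how enrichment policies are applied to log entries.

Added example, not the product's code. Sources, logs and field names are
constructed; the conflict rule (first policy to set a field wins) is an
assumption made here so the precedence ordering is observable.
"""
import operator

# Constructed stand-in for a CSV enrichment source whose Source Field is UserID;
# the column names are the fields offered as Target Fields.
CSV_USERS = {
    "u1001": {"department": "Finance", "manager": "alice"},
    "u2002": {"department": "IT", "manager": "bob"},
}

# Constructed stand-in for an endpoint-backed source addressed via {IPAddress}
# (a GeoIP-style lookup); a real source would be an HTTP endpoint.
GEOIP = {
    "203.0.113.5": {"country": "NL", "asn": "AS64496"},
}

OPERATORS = {
    "=": operator.eq,
    "!=": operator.ne,
    "contains": lambda actual, expected: expected in str(actual),
}


def get_path(log, path):
    """Resolve a Source Field Path like '$.IPAdd' or '$.src.ip' against a log dict.

    Returns None when any segment is missing, so a log without the field
    simply receives no enrichment instead of raising.
    """
    if not path.startswith("$."):
        raise ValueError(f"unsupported Source Field Path: {path}")
    value = log
    for part in path[2:].split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def matches(criteria, log):
    """Evaluate selection criteria given as [(slot, op, value), 'AND', (slot, op, value), ...].

    Conditions are combined left to right with the logical operator that
    precedes each one (the UI's optional parentheses are modelled as tuples).
    """
    result, pending = None, None
    for item in criteria:
        if item in ("AND", "OR"):
            pending = item
            continue
        slot, op, expected = item
        cond = OPERATORS[op](log.get(slot), expected)
        if result is None:
            result = cond
        elif pending == "AND":
            result = result and cond
        else:
            result = result or cond
    return bool(result)


def enrich(log, enrichment):
    """Apply one enrichment configuration; only the retained Target Fields are returned."""
    key = get_path(log, enrichment["source_field_path"])
    if key is None:
        return {}
    row = enrichment["source"].get(key, {})
    return {field: row[field] for field in enrichment["target_fields"] if field in row}


def apply_policies(log, policies):
    """Run enabled policies in precedence order (lower number first) and return the enriched log."""
    enriched = dict(log)
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if not policy["enabled"] or not matches(policy["criteria"], log):
            continue
        for enrichment in policy["enrichments"]:
            for field, value in enrich(log, enrichment).items():
                enriched.setdefault(field, value)  # assumption: earlier policy keeps its value
    return enriched


# Constructed sample policies: GeoIP on $.IPAdd, CSV on $.user_ID (with the
# "manager" Target Field removed), and a disabled policy that must be skipped.
POLICIES = [
    {"name": "geo", "precedence": 10, "enabled": True,
     "criteria": [("deviceVendor", "=", "Cisco")],
     "enrichments": [{"source": GEOIP, "source_field_path": "$.IPAdd",
                      "target_fields": ["country", "asn"]}]},
    {"name": "user", "precedence": 20, "enabled": True,
     "criteria": [("deviceVendor", "=", "Cisco"), "AND", ("user_ID", "!=", "")],
     "enrichments": [{"source": CSV_USERS, "source_field_path": "$.user_ID",
                      "target_fields": ["department"]}]},
    {"name": "disabled", "precedence": 5, "enabled": False,
     "criteria": [("deviceVendor", "=", "Cisco")],
     "enrichments": [{"source": CSV_USERS, "source_field_path": "$.user_ID",
                      "target_fields": ["manager"]}]},
]

# Constructed sample log entry.
SAMPLE_LOG = {"deviceVendor": "Cisco", "IPAdd": "203.0.113.5", "user_ID": "u1001"}

if __name__ == "__main__":
    print(apply_policies(SAMPLE_LOG, POLICIES))
```

Running the module prints the sample log with country, asn and department added; the manager column never appears because the only policy that would add it is disabled, and a log whose deviceVendor does not match any criteria is returned unchanged.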