
Types of Enrichment

There are multiple types of enrichment available.

System-Defined Enrichment

This type of enrichment is performed automatically by the Advanced Analytics backend and can be tuned slightly in the custom_exabeam_config.conf file.

  • Host-Ip Mapping – If a user or hostname is detected without the other, this enrichment feature populates the missing field based on previously seen data.

  • Security/Dlp-Alerts-to-User Mapping – When security or DLP alerts do not have the user information, this enrichment feature populates the user field based on previously seen data.

User-Defined Enrichment

This type of enrichment is controlled manually. It includes the following enrichment activities:

  • Context Enrichment – Populates fields based on data-lookup from a context table.

  • Event Enrichment – Modifies, adds, or removes fields based on data-lookup from a context table. This is the most common type of enrichment. All logical expressions available in the analytics engine, excluding model and session expressions, can be used in event enrichment.

  • Event Duplicator – Duplicates an event for the purpose of adding it to a different user or asset timeline.