Types of Enrichment

There are multiple types of enrichment available.

System-Defined Enrichment

This type of enrichment is performed automatically by the Advanced Analytics backend and can be tuned slightly in the custom_exabeam_config.conf file.

  • Host-Ip Mapping – If a user or hostname is detected without the other, this enrichment feature populates the missing field based on previously seen data.

  • Security/Dlp-Alerts-to-User Mapping – When security or DLP alerts do not have the user information, this enrichment feature populates the user field based on previously seen data.
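The following sketch is an added illustration of the "populate from previously seen data" idea behind both mappings; it is not Exabeam code and does not reflect how Advanced Analytics implements them. It assumes Host-Ip mapping pairs hostnames with IP addresses, that alerts are tied to users through the host, and that a mapping older than a hypothetical `max_age` is too stale to use; all field names and sample events are constructed.

```python
class LastSeen:
    """Most recent value observed alongside a key, with a staleness limit."""
    def __init__(self, max_age):
        self.max_age, self.seen = max_age, {}

    def learn(self, ts, key, value):
        self.seen[key] = (ts, value)

    def lookup(self, ts, key):
        hit = self.seen.get(key)
        return hit[1] if hit and ts - hit[0] <= self.max_age else None


def fill(ev, name, value, filled):
    if value is not None:
        ev[name] = value
        filled.append(name)  # record what was inferred rather than observed


def enrich(events, max_age=3600):  # max_age (seconds) is an assumed cutoff
    ip_to_host, host_to_ip, host_to_user = (LastSeen(max_age) for _ in range(3))
    out = []
    for src in sorted(events, key=lambda e: e["ts"]):
        ev, ts, filled = dict(src), src["ts"], []
        # Host-IP mapping: fill whichever side of the pair is missing.
        if ev.get("ip") and not ev.get("host"):
            fill(ev, "host", ip_to_host.lookup(ts, ev["ip"]), filled)
        elif ev.get("host") and not ev.get("ip"):
            fill(ev, "ip", host_to_ip.lookup(ts, ev["host"]), filled)
        # Alert-to-user mapping: an alert with no user takes the host's last user.
        if ev.get("type") == "alert" and not ev.get("user") and ev.get("host"):
            fill(ev, "user", host_to_user.lookup(ts, ev["host"]), filled)
        # Learn only from fields present in the raw event, never inferred ones.
        if src.get("host") and src.get("ip"):
            ip_to_host.learn(ts, src["ip"], src["host"])
            host_to_ip.learn(ts, src["host"], src["ip"])
        if src.get("host") and src.get("user"):
            host_to_user.learn(ts, src["host"], src["user"])
        ev["enriched_fields"] = filled
        out.append(ev)
    return out


# Constructed sample events (not real log data).
EVENTS = [
    {"ts": 100, "type": "logon", "host": "ws-17", "ip": "10.0.0.5", "user": "alice"},
    {"ts": 160, "type": "alert", "ip": "10.0.0.5", "name": "malware-detected"},
    {"ts": 9000, "type": "alert", "ip": "10.0.0.5", "name": "dlp-upload"},
]
```

The third alert is left without a host or user because the only mapping for its IP is older than the cutoff, which is the case where inferred attribution would most likely point at the wrong user.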

User-Defined Enrichment

This type of enrichment can be manually controlled. It includes the following types of enrichment activities:

  • Context Enrichment – Populates fields based on a data lookup from a context table.

  • Event Enrichment – Modifies, adds, or removes fields based on a data lookup from a context table. This is the most common type of enrichment. All logical expressions available in the analytics engine, excluding model and session expressions, can be used in event enrichment.

  • Event Duplicator – Duplicates an event for the purpose of adding it to a different user or asset timeline.