Define an Enrichment Rule
To define an enrichment rule, follow the steps below. These steps are applicable whether you are in a New Enrichment Rule dialog box, an Edit Enrichment Rule dialog box, or a Duplicate Enrichment Rule dialog box.
Enter or update the following information about the enrichment rule:
Enrichment rule Name – Enter a name for the new enrichment rule.
Activity Types – From the drop-down menu, select the activity types you want the new rule to apply to. You can select multiple activity types.
Outcomes – From the drop-down menu, select whether the new rule should apply to activity types that have success or fail outcomes. You can select one or both options.
In the Condition section of the dialog box, define or update the conditions that will be used to determine which specific events (with the activity types and outcomes selected above) the enrichment rule should be applied to. You can define individual conditions or groups of conditions as follows:
To specify how to apply the conditions you are about to define, click All in All of the following are true. Select the appropriate option to specify that any, all, not any, or not all of the conditions must be true in order for the rule to be applied.
Click Add condition or Add Group.
Click Field and, from the drop-down menu, select the field that you want to use to create an enrichment condition. The list of available fields includes all of the types of fields that are available in the Exabeam common information model. These include common fields, anomaly fields, subjects, vendors, custom fields, and metadata.
Select an Operator from the drop-down list of available operators.
Enter a Value to complete the condition.
Repeat these steps to add additional conditions.
Note
To apply a functional expression to the condition, click fx to the left of the condition and select an expression from the drop-down list.
You can also apply a functional expression to the value side of the condition. Note that in the value field, an entry enclosed in single quotes is treated as a string literal. An entry not enclosed in single quotes is treated as an expression.
To add a subgroup of conditions, click Add Group. A new All of the following is true row is added. Click Add Condition for the new group and repeat the steps to add conditions. You can also specify how the conditions in the subgroup should be applied by clicking All and selecting a different option.
In the Map section of the dialog box, define or update what enrichment action should be taken on any event that matches the criteria defined in the Condition section. You can define the mapping as follows:
Click Add Map. A mapping row is added.
Click Field and, from the drop-down menu, select the field that you want to apply mapping to. The list of available fields includes any common fields in the Exabeam common information model or any custom fields.
In the space after equals to, define the mapping that you want to perform on the selected field when the conditions above are met.
Note
You can use functional expressions in your mapping statements to further affect how the mapping will be applied to the selected field. For information about the available expressions you can include, see Expressions for Enrichment Mapping.
Note that in the equals to field, an entry enclosed in single quotes is treated as a string literal. An entry not enclosed in single quotes is treated as an expression.
If you want to add additional mapping on another field, click Add Map again to add another row and repeat the steps.
When you are satisfied with the conditions and the mapping you have defined for the enrichment rule, click Save. One of the following will happen:
If you are creating a new enrichment rule, it is created and appears in the table on the Enrichments page with a custom rule icon and a status of Completed.
If you are editing or duplicating an existing custom rule, your changes are saved and the updated rule is available in the table on the Enrichments page with a custom rule icon and a status of Completed.
Tip
The syntax for your conditions and mapping is displayed in the Condition and Mapping section at the bottom of the dialog box. You can review it before saving.
To enable a new or cloned rule, find it in the table on the Enrichments page, click the Options menu on the right, and select Enable.