Creating Custom Enrichments
  • 09 Jan 2023

Use Custom Enrichment to enrich the asset (device or user) data received from adapters and add columns containing additional useful information. This allows you to add a large number of custom or proprietary fields.

To use custom enrichment, you need to create a statement which describes how to add information to an asset (device or user). The statements are built using a syntax similar to SQL. In addition, you need to supply a CSV ENUM file which contains the columns that will be added to the asset.

See Creating the Custom Enrichment CSV File for how to create the CSV file.

Creating the Statement

The general format of an Enrichment Statement is:

enrich Type with Fields on Rule

  • In the Type field, list the asset type (device or user).
  • In the Fields field, list the names of the columns in the CSV file. You can also use a wildcard '*' in the Fields field instead of listing all of the columns in the CSV file. The wildcard represents all the columns in the same row. Note that for list fields in the CSV file, only unique values will be used to enrich assets.
  • In the Rule field, enter the rule that determines when the Enrichment is applied.

The first part of the enrichment statement (enrich Type with Fields) determines which data from the CSV is added to the asset. The Rule determines which specific assets are enriched.
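A pre-upload check of a statement against the CSV header, given here as an added example that is not Axonius code. `lint_statement` and `SAMPLE_CSV` are hypothetical names, the sample rows are constructed, and the block assumes column names in Fields are comma-separated. The Rule part is treated as opaque text and is not validated.

```python
import csv
import io
import re

# Constructed sample CSV (not from the page): one row per subnet.
SAMPLE_CSV = (
    "subnet,owner,cost_center\n"
    "10.0.1.0/24,netops,CC-100\n"
    "10.0.2.0/24,secops,CC-200\n"
)

# General form from the page: enrich Type with Fields on Rule.
STATEMENT_RE = re.compile(
    r"^\s*enrich\s+(?P<type>\S+)\s+with\s+(?P<fields>.+?)\s+on\s+(?P<rule>.+?)\s*$",
    re.IGNORECASE | re.DOTALL,
)
ASSET_TYPES = {"device", "user"}


def lint_statement(statement, csv_text):
    """Return (resolved_fields, problems) for one enrichment statement."""
    match = STATEMENT_RE.match(statement)
    if not match:
        return [], ["statement does not match 'enrich Type with Fields on Rule'"]
    problems = []
    if match.group("type").lower() not in ASSET_TYPES:
        problems.append("unknown asset type: " + match.group("type"))
    header = next(csv.reader(io.StringIO(csv_text)), [])
    columns = [c.strip() for c in header]
    dupes = sorted({c for c in columns if columns.count(c) > 1})
    if dupes:
        problems.append("duplicate CSV columns: " + ", ".join(dupes))
    raw = match.group("fields").strip()
    if raw == "*":
        fields = list(columns)  # wildcard: every column in the row
    else:
        # Assumption: column names are comma-separated in the Fields part.
        fields = [f.strip() for f in raw.split(",") if f.strip()]
        for name in fields:
            if name not in columns:
                problems.append("field not in CSV header: " + name)
    return fields, problems


if __name__ == "__main__":
    # "<rule>" is a placeholder; the rule syntax is outside this check.
    print(lint_statement("enrich device with owner, cost_center on <rule>", SAMPLE_CSV))
```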

Creating the Rule

See the following about how to create the available rule types:

Creating the Custom Enrichment

After creating the CSV file and the Enrichment Statement, create the Custom Enrichment in System Settings.

To create a Custom Enrichment

  1. From System Settings, choose the Global Settings tab.

  2. In the Custom Enrichment Section, toggle on Enable custom enrichment to activate Custom Enrichment.

  3. Copy the rule you wrote to the Enrichment statement field.

  4. Choose the location of the CSV file. You can either upload a file from your system, or use a file saved in a storage system.

    • To upload a file from your system

      1. From the Select file input method dropdown, choose Upload file.
      2. Select Choose file to browse for and upload the CSV file.

    • To use a file from an online storage location

      NOTE

      If you are uploading a file from an online storage location and you want to use this file only for custom enrichment, you must disable the Active Connection setting on the CSV adapter connection.

      • Axonius uses the capabilities of the CSV adapter to use a CSV file from a storage location.
      • Prerequisite: Make sure you have configured the relevant CSV file using a CSV adapter connection. Give a name to the connection (connection label) so that you can identify it in the dropdown list.
      1. Configure the file name, location and credentials required to access the file using the CSV adapter. These can be SMB, Azure, blob, Amazon S3 bucket, etc.

      2. From the Select file upload method dropdown, choose Select CSV adapter connection.

      3. From the Select adapter connection dropdown, select the connection that contains the file to be used.

  5. Do one of the following:

    • Select + to add another Custom Enrichment. You can add more than one Custom Enrichment. They are dependent on each other, and you can change the order of the enrichment statements.
    • Select Save at the bottom of the page. The system validates the statement and the CSV file.

The Custom Enrichment runs the first time you create it, after you click Save, and then every 60 minutes. If you make changes to the Custom Enrichment, it runs again immediately. If the enrichment CSV file was updated but the enrichment statement was not changed, the enrichment does not run immediately; it runs during the next hourly cycle. It also runs in the post-correlation phase of each global discovery cycle.

Viewing the Results

Once you save the Custom Enrichment, the information is added to the device and can be retrieved using a query. The information that was added appears with a prefix of Enrichment. Each field can contain more than one value as a list of values; that is, if an asset matches more than one rule, it is enriched with all of them.

You can also see this information on the Device Profile Page.

NOTE

Fields created by Custom Enrichments are labeled with one of the following:

  • Enrichment - when enriched based on a specific adapter.
  • Common Enrichment - when enriched based on an aggregated field.
  • EC - when enriched based on the results of an Enforcement Action run.
  • Preferred Enrichment - when enriched based on a preferred field.

Removing a Custom Enrichment

When you remove an enrichment, all the information it added is removed.

To remove a Custom Enrichment

  1. In System Settings, go to the Custom Enrichment section of the General Settings tab.

  2. Click the small x to the right of the Enrichment you want to remove.
