Manage Custom Enrichment - Enrich Assets with CSV File

Manage Custom Enrichment - Enrich assets with CSV file adds or removes Custom Enrichment data contained in a CSV file or SQL Server table to or from assets, using the Custom Enrichment feature.

Custom Enrichment runs the Enrichment Statement on assets that are the result of the selected query or on assets selected on the relevant assets page.
In the Run History of this Enforcement Action, under Affected Assets:
- Successful - The number of assets that the Custom Enrichment rule matched and therefore removed/added the Custom Enrichment data from/to those assets. For Remove Custom Enrichment, includes also those assets that are the result of the selected query but do not have Custom Enrichment even before running the action.
- Failed or Additional- The number of assets that resulted from the selected query but did not match the Custom Enrichment rule and therefore did not remove/add the Custom Enrichment data from/to those assets.
  - Failed - When the Show assets that did not meet the criteria under 'additional' instead of 'failed' option is disabled (the default).
  - Additional- When the option is enabled.
Refer to Viewing Enforcement Set Run History to learn more about run results.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

Note:

Not all asset types are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.

Note:

To enrich all assets, use a query that returns all assets for each asset module. For example, for the Device module, use the All Devices query, and for the User module, use the All Users query.

Required Fields

These fields must be configured to run the Enforcement Set.

Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

Action type - Select whether to Add or Remove a custom enrichment to or from assets.
- When Remove is selected, the custom enrichments are removed from all assets returned by the query selected. To ensure that the enrichment is removed from all assets, select a query that returns all assets for each asset module.

Select file input method (default: Upload file) - Select one of the following methods to either upload a file or use a file saved in a storage system:
- Upload file - Upload from your system a CSV file in the Custom Enrichment CSV File format only.
  - Under Select file input, click Upload file to browse for and upload a CSV file in Custom Enrichment CSV File format.
- Select CSV adapter connection - To use a CSV file from a CSV adapter connection.
  - From the Select adapter connection dropdown, select the connection that contains the CSV file to be used.
  - Prerequisite: Make sure you have configured the relevant CSV file using a CSV adapter connection. Give a name to the connection (connection label) so that you can identify it in the dropdown list. Configure the file name, location and credentials required to access the file using the CSV adapter. These can be SMB, Azure, blob, Amazon S3 bucket, etc.
    
    Note:
    
    If you are uploading a file from an online storage location and you want to use this file only for custom enrichment, you must disable the Active connection setting on the CSV adapter connection. In this case, the CSV adapter connection will not fetch new assets.
- Select SQL Server adapter connection - To use an SQL Server table from an SQL Server adapter connection.
  - From the Select adapter connection dropdown, select the connection that contains the SQL Server table to be used.
  - Prerequisite: Make sure you have configured the relevant SQL Server table using an SQL Server adapter connection. Give a name to the connection (connection label) so that you can identify it in the dropdown list. Configure the file name, location, and credentials required to access the file using the SQL Server adapter. These include SQL Server Host, SQL Server Port, SQL Server Database Name, SQL Server Table Name, and Database Type. Is Users Table must be disabled so that Axonius considers the data fetched from the specified table as device data. A table with Software Vulnerabilities data must contain a CVE ID field.

Note:

If you are uploading a file from an online storage location and you want to use this file only for custom enrichment, you must disable the Active connection setting on the SQL Server adapter connection (as in the CSV adapter connection screen above). In this case, the SQL Server adapter connection will not fetch new assets.

Statement - Enter a custom enrichment statement. Learn how to write a Custom Enrichment statement. Custom fields can also be used in Custom Enrichment statements.
- Syntax Helper - Use the Syntax Helper to get the correct field name. Under Adapter Fields, select the Adapter and Field Name from the dropdown lists, and then near the Field Name in Statement that is displayed, click . Then, paste the field name into the statement.

Note:

Complex fields are NOT supported in any rule types.
The Adapter Connection Label field is not supported. Instead, you can use the Last Fetched From Connection Label field, which is set with the value of the existing connection label of the connection.

Validate - Once you have completed entering a Custom Enrichment statement in the Statement box, you can click Validate for the system to automatically verify that the statement syntax is valid before running the Enrichment action.
- If the statement syntax is correct, the following notification appears in green under the Statement box: Statement was validated successfully (see screen below).
- If the statement syntax is incorrect, the following notification appears in red under the Statement box (also framed in red): Statement validation failed at followed by the location of the error and the error. In this case, correct the error and Validate again.

ValidatedStatement

Additional Fields

These fields are optional.

Write enriched values based on aggregated or custom data fields into EC artifacts adapter enrichment field (default: disabled) -
- Enable this option to write enriched values, which are based on aggregated or custom data fields, into Enrichment: field name under the EC Artifacts adapter. If a field with that name already exists (before enabling this option), this option will work only after you delete the existing field.
  This option is useful when you want the results of Custom Enrichment to be treated like any other adapter, meaning that the enriched field values in the EC Artifacts adapter are added as values to aggregated fields of the same name. This means that Queries running on aggregated fields treat the enriched value like any other aggregated field value.
- When this option is disabled, enrichment values, which are based on aggregated or custom data fields, are written to new enrichment fields on the asset in the format Common Enrichment: field name.
Show assets that did not meet the criteria under 'additional' instead of 'failed' (default: disabled) - Use this option to determine in what category assets that match the Enforcement Set query but do not match the enrichment criteria are displayed in the Run History under Affected Assets:
- Additional - When this option is enabled.
- Failed - When this option is disabled.
Interpret a value with semicolons as a list of values (default: disabled) -
- Enable this option to interpret a field in the CSV file with embedded semicolons as a multiple value list field with semicolon delimiters.
- When this option is disabled, semicolons embedded in the field value are considered as characters in the string.

For more details about other Enforcement Actions available, see Action Library.