Manage Custom Enrichment - Enrich Assets with CSV File
  • 31 Mar 2024

The Manage Custom Enrichment - Enrich Assets with CSV File action adds custom enrichment data contained in a CSV file or SQL Server table to assets, or removes it from them, using the Custom Enrichment feature.

  • Custom Enrichment is run on assets that match the results of the selected saved query and match the Enforcement Action Dynamic Value statement, if defined, or assets selected on the relevant assets page. Custom Enrichment is then performed on those asset results that match the rule in the enrichment statement.

  • In the run history of this enforcement action:

    • The Successful count is the number of assets that the custom enrichment rule matched and to or from which the custom enrichment data was therefore added or removed. For Remove custom enrichment, the count also includes assets that are returned by the query and had no custom enrichment even before the action ran.
    • The Failed count is the number of assets that the custom enrichment rule did not match and therefore did not remove/add the custom enrichment data from/to those assets.

    Refer to Viewing Enforcement Set Run History to learn more about run results.

See Creating Enforcement Sets to learn more about adding Enforcement Actions to Enforcement Sets.

General Settings

  • Enforcement Set name (required) - The name of the Enforcement Set. A default value is added by Axonius. You can change the name according to your needs.
  • Add description - Click to add a description of the Enforcement Set. It is recommended to describe what the Enforcement Set does.
  • Run action on assets matching following query (required) - Select an asset category and a query. The Enforcement Action will be run on the assets that match the query parameters.
  • Action name (required) - The name of the Main action. A default value is added by Axonius. You can change the name according to your needs.
  • Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.

Note:
To enrich all assets, use a query that returns all assets for each asset module. For example, for the Device module, use the All Devices query, and for the User module, use the All Users query.

Required Fields

These fields must be configured to run the Enforcement Set.

  • Action type - Select whether to Add or Remove a custom enrichment to or from assets.
    • When Remove is selected, the custom enrichments are removed from all assets returned by the query selected. To ensure that the enrichment is removed from all assets, select a query that returns all assets for each asset module.
  • Select file input method (default: Upload file) - Select one of the following methods to either upload a file or use a file saved in a storage system:
    • Upload file - Upload from your system a CSV file in the Custom Enrichment CSV File format only.
      • Under Select file input, click Upload file to browse for and upload a CSV file in Custom Enrichment CSV File format.
    • Select CSV adapter connection - To use a CSV file from a CSV adapter connection.
      • From the Select adapter connection dropdown, select the connection that contains the CSV file to be used.
      • Prerequisite: Make sure you have configured the relevant CSV file using a CSV adapter connection. Give a name to the connection (connection label) so that you can identify it in the dropdown list. Configure the file name, location and credentials required to access the file using the CSV adapter. These can be SMB, Azure, blob, Amazon S3 bucket, etc.
        Note:

        If you are uploading a file from an online storage location and you want to use this file only for custom enrichment, you must disable the Active connection setting on the CSV adapter connection. In this case, the CSV adapter connection will not fetch new assets.

        [Screenshot: DisableActiveConnection-cut.png]

    • Select SQL Server adapter connection - To use an SQL Server table from an SQL Server adapter connection.
      • From the Select adapter connection dropdown, select the connection that contains the SQL Server table to be used.
      • Prerequisite: Make sure you have configured the relevant SQL Server table using an SQL Server adapter connection. Give a name to the connection (connection label) so that you can identify it in the dropdown list. Configure the file name, location, and credentials required to access the file using the SQL Server adapter. These include SQL Server Host, SQL Server Port, SQL Server Database Name, SQL Server Table Name, and Database Type. Is Users Table must be disabled so that Axonius considers the data fetched from the specified table as device data. A table with Software Vulnerabilities data must contain a CVE ID field.
        Note:

        If you are uploading a file from an online storage location and you want to use this file only for custom enrichment, you must disable the Active connection setting on the SQL Server adapter connection (as in the CSV adapter connection screen above). In this case, the SQL Server adapter connection will not fetch new assets.

  • Statement - Enter a custom enrichment statement. Learn how to write a Custom Enrichment statement. Custom fields can also be used in Custom Enrichment statements.

    • Syntax Helper - Use the Syntax Helper to get the correct field name. Under Adapter Fields, select the Adapter and Field Name from the dropdown lists, and then click the copy button next to the Field Name in Statement value that is displayed. Then, paste the field name into the statement.

    Note:
      • Complex fields are NOT supported in any rule types.
      • The Adapter Connection Label field is not supported. Instead, you can use the Last Fetched From Connection Label field, which is set with the value of the existing connection label of the connection.

  • Validate - Once you have completed entering a Custom Enrichment statement in the Statement box, you can click Validate for the system to automatically verify that the statement syntax is valid before running the Enrichment action.

    • If the statement syntax is correct, the following notification appears in green under the Statement box: Statement was validated successfully (see screen below).
    • If the statement syntax is incorrect, the following notification appears in red under the Statement box (which is also framed in red): "Statement validation failed at", followed by the location of the error and the error. In this case, correct the error and click Validate again.

[Screenshot: ValidatedStatement]

Additional Fields

These fields are optional.

  • Write enriched values based on aggregated or custom data fields into EC artifacts adapter enrichment field (default: disabled) -
    • Enable this option to write enriched values, which are based on aggregated or custom data fields, into Enriched: field name under the EC Artifacts adapter.
      This option is useful when you want the results of Custom Enrichment to be treated like any other adapter, meaning that the enriched field values in the EC Artifacts adapter are added as values to aggregated fields of the same name. This means that Queries running on aggregated fields treat the enriched value like any other aggregated field value.
    • When this option is disabled, enrichment values, which are based on aggregated or custom data fields, are written to new enrichment fields on the asset in the format Common Enrichment: field name.

For more details about other Enforcement Actions available, see Action Library.


