Custom Enrichment
  • 19 May 2022

Custom Enrichment Overview

Use Custom Enrichment to enrich the asset (device or user) data received from adapters, and add columns containing additional useful information. This allows you to add a large number of custom or proprietary fields.

To use Custom Enrichment, you need to create a statement which describes how to add information to an asset (device or user). The statements are built using a syntax similar to SQL. In addition, you have to supply a CSV ENUM file which contains the columns that will be added to the asset.

Creating the Statement

The statement is of the format enrich 'Type' with 'Field' on 'Rule'.

EnrichmentStatementNew.png

  • In the Type field, list the asset type: either 'devices' or 'users'.
  • In the Fields field, list the names of the columns in the CSV file. You can also use a wildcard '*' in the Fields field instead of listing all of the columns in the CSV file. The wildcard represents all the columns in the same row.
  • In the Rule field, enter the rule that determines when the enrichment is applied.

Creating the Rule

The structure of the rule field is:
CustomRuleStrucutre.png

  • source.id - The name of the column in the CSV file you are supplying that the rule compares against the asset field.

  • Operator:

    • Equals represented by '=='
    • Case Insensitive Equals represented by '='
    • Contains represented by 'in'.
    • Network range represented by 'in_net'
  • [Adapter Name] - the name of the adapter to which you will apply the rule as it appears in your system. This can be '*' to apply to all adapters.

  • [field] - The name of the field you want to enrich as it appears in your system.

Network Range
You can represent a range of IP addresses using the 'in_net' operator.
For example:
enrich 'devices' with (*) on (device.[AWS].[Network Interfaces: IPs] in_net source.network)
The source.network column must list a specific network range, for instance 10.0.0.0/24.

An example of a rule field is:

enrich 'devices' with (Name,Email,Physical_Address) on (source.id == device.[AWS].[Account ID])

This means: if the value in the source.id column of the CSV file you uploaded is the same as the value in the selected adapter field (here, the AWS Account ID), then add the enrichment information contained in the CSV file.

An example of this rule using wildcards is:

enrich 'devices' with (*) on (source.id == device.[AWS].[Account ID])

Note:
  1. Make sure you use spaces between the sections of the rule, as shown here:
    source.mail == user.[Google Workspace].[Email Address]

Using Square Brackets in the Rules

Square brackets ([]) automatically resolve the names of the adapters and the fields as they appear in the Axonius application (Query Wizard) to internal Axonius names. You can use either format in the rules.
An adapter or field name within '[]' is searched for using 'contains' and then translated. For instance, [Google Workspace] is translated to 'google_mdm_adapter'.
Therefore the following are the same statements:
enrich 'users' with (*) on (source.mail == user.google_mdm_adapter.mail)
enrich 'users' with (*) on (source.mail == user.[Google Workspace].mail)

enrich 'devices' with (*) on (source.policy == device.[AWS].[Policies: Policy ARN])
enrich 'devices' with (*) on (source.policy == device.aws_adapter.user_attached_policies.policy_arn)

Creating the CSV File

The CSV file contains headers and values. The headers are the column names as they will appear in the Axonius data, where the first column contains the field name which is part of the rule.
Examples of the other fields are User name, Email address and Physical address.

Here is a sample CSV file.

SAmpleCSVEnrichmentFile.png
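
A pre-upload check for the statement and CSV file described above, as an added example that is not Axonius code. The grammar is inferred from the statements shown on this page, and `lint`, `SAMPLE_STATEMENT` and `SAMPLE_CSV` are hypothetical names with constructed sample data.

```python
import csv
import io
import ipaddress
import re

# Grammar inferred from this page's examples (an assumption, not the product's parser).
STATEMENT = re.compile(r"^enrich '(devices|users)' with \(([^)]*)\) on \((.*)\)$")
# An operator must have spaces around it and sit outside any [..] name.
OPERATOR = re.compile(r"\s+(==|=|in_net|in)\s+(?![^\[]*\])")

def lint(statement, csv_text):
    """Return a list of problems; an empty list means nothing was found."""
    m = STATEMENT.match(statement.strip())
    if not m:
        return ["not of the form: enrich 'Type' with (Fields) on (Rule)"]
    _asset_type, fields, rule = m.groups()
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    rows = list(reader)
    problems = []
    if fields.strip() != "*":  # '*' stands for every column in the row
        for name in (f.strip() for f in fields.split(",")):
            if name not in header:
                problems.append(f"field {name!r} is not a CSV column")
    parts = OPERATOR.split(rule)
    if len(parts) != 3:
        return problems + ["rule needs 'left operator right' separated by spaces"]
    left, op, right = (p.strip() for p in parts)
    src = next((s for s in (left, right) if s.startswith("source.")), None)
    if src is None:
        return problems + ["rule does not reference a source.<column>"]
    column = src.split(".", 1)[1]
    if column not in header:
        return problems + [f"source column {column!r} is not a CSV column"]
    if op == "in_net":  # every value must be a network range such as 10.0.0.0/24
        for line_no, row in enumerate(rows, start=2):
            value = (row[column] or "").strip()
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                problems.append(f"line {line_no}: {value!r} is not a network range")
    return problems

# Constructed sample input: the second data row is not a CIDR range.
SAMPLE_STATEMENT = ("enrich 'devices' with (*) on "
                    "(device.[AWS].[Network Interfaces: IPs] in_net source.network)")
SAMPLE_CSV = "network,Site\n10.0.0.0/24,HQ\n10.0.1.0-10.0.1.255,Lab\n"
if __name__ == "__main__":
    print(lint(SAMPLE_STATEMENT, SAMPLE_CSV))
```
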

To Create the Custom Enrichment

  1. From System Settings, choose the Global Settings tab.
  2. In the Custom Enrichment section, toggle on Enable custom enrichment to activate Custom Enrichment.

CustomEnrichment(1)

  3. Copy the rule you wrote to the Enrichment statement field.
  4. Select Choose file to browse for and upload the CSV file.
  5. Select + to add another Custom Enrichment.
    • You can add more than one Custom Enrichment file. The files are dependent on each other, and you can change the order of the enrichment statements.
  6. Select Save at the bottom of the page. The system validates the statement and the CSV file.

The Custom Enrichment runs the first time you create it after you select Save, and then every 60 minutes. If you make changes to the Custom Enrichment, it runs again. If the enrichment CSV file was updated but the enrichment statement was not changed, the enrichment will not run immediately and will run during the next hourly cycle. It also runs in the post correlation phase of each global discovery cycle.

Viewing the Results

Once you save the Custom Enrichment, the information is added to the device, and can be retrieved using a query. The information that was added appears with a prefix of Enrichment:
EnrichmentEG.png

You can also see this information on the Device Profile Page.
DEviceProfileeg.png

Removing a Custom Enrichment

When you remove an enrichment, all the information it added is removed.


