Creating the Custom Enrichment Rule
  • 18 Jan 2023

The following rule types are available, each described in its own section below:

  • A rule based on a field from a specific adapter
  • A rule based on an aggregated field
  • A rule based on an Enforcement-Action field
  • A rule based on a preferred field

Using Square Brackets in the Rules

[ ] automatically resolves the names of the adapters and the fields as they appear in the Axonius application (Query Wizard) to internal Axonius names. You can use either format in the rules.

An adapter or field name written inside [ ] is searched for using 'contains' and translated to the internal name. For example, [Google Workspace] is translated to 'google_mdm_adapter'.
Therefore the following pairs of statements are equivalent:

enrich 'users' with (*) on (source.mail == user.google_mdm_adapter.mail)
enrich 'users' with (*) on (source.mail == user.[Google Workspace].mail)

and

enrich 'devices' with (*) on (source.policy == device.[AWS].[Policies: Policy ARN])
enrich 'devices' with (*) on (source.policy == device.aws_adapter.user_attached_policies.policy_arn)
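The resolution step described above, as an added example (not Axonius code): display names inside square brackets are matched case-insensitively with 'contains' and replaced by internal names. The ADAPTERS and FIELDS tables, the resolve() function and the 'Azure AD' entry are constructed for illustration; real internal names come from your own instance. The example also shows the caveat that 'contains' can match more than one name, in which case refusing is safer than guessing.

```python
import re

# Added example (not Axonius code): how the square-bracket names in a rule can be
# resolved to internal names with a case-insensitive 'contains' match, as the page
# describes. The display-name tables below are constructed for illustration; the
# real internal names come from your own Axonius instance.
ADAPTERS = {
    "Google Workspace": "google_mdm_adapter",
    "AWS": "aws_adapter",
    "Azure AD": "azure_ad_adapter",       # constructed entry, used to show ambiguity
    "JSON File": "json_file_adapter",
}
FIELDS = {
    "aws_adapter": {"Account ID": "account_id",
                    "Policies: Policy ARN": "user_attached_policies.policy_arn"},
    "google_mdm_adapter": {"Email Address": "mail"},
}
SEGMENT = re.compile(r"\[[^\]]+\]|[^.\[\]]+")  # '[Any Name]' or a bare dotted part

def _contains_lookup(table, needle):
    # 'contains' matching is convenient but can hit more than one display name;
    # refuse to guess rather than silently pick one.
    hits = [v for k, v in table.items() if needle.lower() in k.lower()]
    if len(hits) != 1:
        raise ValueError(f"{needle!r} matches {len(hits)} names: {hits}")
    return hits[0]

def _field_table(adapter):
    if adapter != "*":
        return FIELDS.get(adapter, {})
    merged = {}                            # '*' applies the rule to all adapters
    for table in FIELDS.values():
        merged.update(table)
    return merged

def resolve(path):
    # 'device.[AWS].[Account ID]' -> 'device.aws_adapter.account_id'; bare
    # segments are assumed to be internal names already and pass through.
    segs = SEGMENT.findall(path)
    if len(segs) < 3 or segs[0] not in ("device", "user"):
        raise ValueError(f"expected asset_type.adapter.field, got {path!r}")
    asset_type, adapter, fields = segs[0], segs[1], segs[2:]
    if adapter.startswith("["):
        name = adapter[1:-1]
        adapter = "*" if name == "*" else _contains_lookup(ADAPTERS, name)
    resolved = [_contains_lookup(_field_table(adapter), f[1:-1]) if f.startswith("[") else f
                for f in fields]
    return ".".join([asset_type, adapter, *resolved])
```

resolve("device.[AWS].[Policies: Policy ARN]") returns "device.aws_adapter.user_attached_policies.policy_arn", matching the second pair above; a bracket name that matches several adapters, such as [A] against this table, raises instead of resolving.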

Using the and / or Operators and ( )

The and and or operators can be used to combine enrichment rules, which allows you to create more flexible rules.

The and operator requires all rules to return valid values.
The or operator requires only one of the rules to return a valid value.

The and / or operators are NOT case sensitive. Therefore, you can also use AND, And, OR, Or.

You can use parentheses ( ) to create nested rules that give you more control over the enrichment results. Expressions in the innermost parentheses are evaluated first, working outward to the outermost parentheses.

For example, you can create enrichment rules, such as:

enrich 'users' with (*) on ((A or B or C) and (D or E))
enrich 'users' with (*) on (A or (B and C) or (D and E))
enrich 'users' with (*) on ((A) or (B and C) or ((D) and E))

Parentheses are NOT mandatory, but advisable, because they make the rule easier to read.

AND has precedence over OR. For example: A or B and C or D is the same as A or (B and C) or D

Examples
The following are some examples of how and, or and parentheses can be used.

enrich 'devices' with (*) on (source.host_name == device.json_file_adapter.host_name or (source.mac == device.json_file_adapter.network_interfaces.mac and device.json_file_adapter.network_interfaces.ips in_net source.subnet))
enrich 'devices' with (field1,field2) on (source.host_name == device.json_file_adapter.host_name AND source.mac == device.json_file_adapter.network_interfaces.mac AND device.json_file_adapter.network_interfaces.ips in_net source.subnet)
enrich 'devices' with (field1,field2) on (source.host_name in device.json_file_adapter.host_name or source.mac == device.json_file_adapter.network_interfaces.mac and device.json_file_adapter.network_interfaces.ips in_net source.subnet)
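The and / or rules above, evaluated by an added example (not Axonius code): a small parser that implements what this section states, namely that parentheses group, and binds tighter than or, the keywords are case-insensitive, and the comparisons are ==, in and in_net. The tokenizer, the Rule class, the SAMPLE_ROW / SAMPLE_DEVICE data and the meaning given to in (substring match) are all assumptions made for the example; field paths are assumed to use internal names already.

```python
import ipaddress
import re

# Added example (not Axonius code): parser and evaluator for the boolean part of an
# enrichment rule as the page describes it: parentheses group, 'and' binds tighter
# than 'or', keywords are case-insensitive, comparisons are ==, in and in_net, and
# the parts of a rule are separated by spaces. Field paths are assumed to use
# internal names already (bracket resolution is a separate step).
TOKEN = re.compile(r"\(|\)|==|in_net\b|in\b|and\b|or\b|[^\s()]+", re.IGNORECASE)
KEYWORDS = {"(", ")", "==", "in", "in_net", "and", "or"}

def tokenize(text):
    # Keywords are normalised to lower case so AND / And / OR / Or all work.
    return [t.lower() if t.lower() in KEYWORDS else t for t in TOKEN.findall(text)]

def values(operand, row, asset):
    # 'source.<column>' reads the CSV row; 'device.<path>' / 'user.<path>' walks the
    # asset. Adapter data is often a list of records, so every value found is returned.
    head, _, path = operand.partition(".")
    if head == "source":
        return [row[path]] if path in row else []
    if head not in ("device", "user"):
        raise ValueError(f"operand must start with source., device. or user.: {operand!r}")
    found = [asset]
    for key in path.split("."):
        found = [v for obj in found if isinstance(obj, dict) and key in obj
                 for v in (obj[key] if isinstance(obj[key], list) else [obj[key]])]
    return found

def compare(op, left, right):
    # A comparison holds if any value on the left relates to any value on the right.
    if op == "==":
        return any(l == r for l in left for r in right)
    if op == "in":  # assumed meaning: substring test, e.g. a short host name inside a FQDN
        return any(l in r for l in left for r in right if isinstance(r, str))
    nets = [ipaddress.ip_network(r, strict=False) for r in right]  # in_net: IP within CIDR
    return any(ipaddress.ip_address(l) in n for l in left for n in nets)

class Rule:
    # expr := term ('or' term)* ; term := cmp ('and' cmp)*
    # cmp  := '(' expr ')' | operand (== | in | in_net) operand
    def __init__(self, condition):
        self.toks, self.pos = tokenize(condition), 0
        self.tree = self._expr()
        if self.pos != len(self.toks):
            raise SyntaxError(f"unexpected token {self.toks[self.pos]!r}")

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        if self.pos >= len(self.toks):
            raise SyntaxError("rule ended unexpectedly")
        self.pos += 1
        return self.toks[self.pos - 1]

    def _expr(self):
        # 'or' on the outside, 'and' on the inside: that nesting is what gives
        # AND precedence over OR, so A or B and C parses as A or (B and C).
        return self._chain("or", lambda: self._chain("and", self._cmp))

    def _chain(self, keyword, sub):
        node = sub()
        while self._peek() == keyword:
            self._take()
            node = (keyword, node, sub())
        return node

    def _cmp(self):
        if self._peek() == "(":
            self._take()
            node = self._expr()
            if self._take() != ")":
                raise SyntaxError("missing ')'")
            return node
        left, op, right = self._take(), self._take(), self._take()
        if op not in ("==", "in", "in_net"):
            raise SyntaxError(f"unknown operator {op!r}")
        return (op, left, right)

    def matches(self, row, asset):
        return self._eval(self.tree, row, asset)

    def _eval(self, node, row, asset):
        if node[0] == "and":
            return self._eval(node[1], row, asset) and self._eval(node[2], row, asset)
        if node[0] == "or":
            return self._eval(node[1], row, asset) or self._eval(node[2], row, asset)
        return compare(node[0], values(node[1], row, asset), values(node[2], row, asset))

# Constructed sample input: one CSV row and one device with two network interfaces.
SAMPLE_ROW = {"host_name": "web-01", "mac": "aa:bb:cc:dd:ee:01", "subnet": "10.1.0.0/24"}
SAMPLE_DEVICE = {"json_file_adapter": {
    "host_name": "WEB-01.corp",
    "network_interfaces": [{"mac": "aa:bb:cc:dd:ee:01", "ips": ["10.1.0.7"]},
                           {"mac": "aa:bb:cc:dd:ee:02", "ips": ["192.168.5.3"]}]}}
NIC = "device.json_file_adapter.network_interfaces"
RULE_NESTED = (f"source.host_name == device.json_file_adapter.host_name or "
               f"(source.mac == {NIC}.mac and {NIC}.ips in_net source.subnet)")
RULE_ALL_AND = (f"source.host_name == device.json_file_adapter.host_name AND "
                f"source.mac == {NIC}.mac AND {NIC}.ips in_net source.subnet")
RULE_UNGROUPED = (f"source.host_name == device.json_file_adapter.host_name or "
                  f"source.mac == {NIC}.mac and {NIC}.ips in_net source.subnet")
```

With the constructed data, Rule(RULE_NESTED).matches(SAMPLE_ROW, SAMPLE_DEVICE) is True (the host name differs, but the MAC and subnet branch holds), while RULE_ALL_AND is False because every comparison must hold. RULE_UNGROUPED shows why the page recommends parentheses: against a row whose host name matches but whose MAC and subnet do not, it is True, whereas the same rule with the first two comparisons grouped and the in_net test outside the group is False.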

Creating a Rule Based on a Field from a Specific Adapter

This rule will try to match the value of a specific field of a specific adapter with one of the values in the first column of the CSV. If there is a match, the asset is enriched.

The syntax of the rule is:

source.test_field operator asset_type.[Adapter Name].[adapter_field]

  • source. - Indicates that the field is in a CSV source file.
  • test_field - A variable. The name of the CSV column used to identify which assets are enriched.
  • operator - One of the available operators. See Using the and / or Operators and ( ).
  • asset_type - A variable. The type of asset (device or user).
  • [Adapter Name] - A variable. The name of the adapter to which you will apply the rule as it appears in your system. This can be '*' to apply to all adapters. Must be enclosed in [ ].
  • [adapter_field] - A variable. The name of the field to which you will apply the rule, as it appears in your system. Aggregated fields can be used in Custom Enrichments. Must be enclosed in [ ].

For example, a full statement with this type of Rule:

enrich 'devices' with (Name,Email,Physical_Address) on (source.id == device.[AWS].[Account ID])

Which means: if the value in the id column in the CSV file that was uploaded is the same as the value in the AWS adapter Account ID field, then enrich the device with the values contained in the Name, Email and Physical_Address fields in the CSV file.

Note:

Make sure you use spaces between the sections of the rule, as shown here:

source.mail == user.[Google Workspace].[Email Address]

Creating a Rule Based on an Aggregated Field

This rule will try to match the value of an aggregated field with one of the values in the first column of the CSV. If there is a match, the asset is enriched.

The syntax of the Rule is:

source.test_field operator asset_type.specific_data.data.[aggregated_field]

  • source. - Indicates that the field is in a CSV source file.
  • test_field - A variable. The name of the CSV column used to identify which assets are enriched.
  • operator - One of the available operators. See Using the and / or Operators and ( ).
  • asset_type - A variable. The type of asset (device or user).
  • specific_data.data - Indicates an aggregated field.
  • [aggregated_field] - A variable. The name of the aggregated field to which you will apply the rule as it appears in your system. Must be enclosed in [ ].

For example, a full statement with this type of rule:

enrich 'devices' with (Name,Email,Physical_Address) on (source.id == device.specific_data.data.[Account ID])

Which means: if the value in the id column in the CSV file is the same as the value in the aggregated field Account ID, then enrich the device with the values contained in the Name, Email and Physical_Address fields in the CSV file.

Note:

Make sure you use spaces between the sections of the rule, as shown here:

source.mail == user.[Google Workspace].[Email Address]

Creating a Rule Based on an Enforcement-Action Field

This rule will try to match the value of a field populated by an Enforcement Action with one of the values in the first column of the CSV. If there is a match, the asset is enriched.

The syntax of the rule is:

source.test_field operator asset_type.[EC: ec_field_name]

  • source. - Indicates that the field is in a CSV source file.
  • test_field - A variable. The name of the CSV column used to identify which assets are enriched.
  • operator - One of the available operators. See Using the and / or Operators and ( ).
  • asset_type - A variable. The type of asset (device or user).
  • [EC: ec_field_name] - This whole part must be enclosed in [ ]. There must be a space between these two elements:
    • EC: - Indicates that the field is from an Enforcement Action.
    • ec_field_name - A variable. The name of the field in the Enforcement Action form to which you will apply the rule as it appears in your system.

For example, a full statement with this type of rule:

enrich 'devices' with (Name,Email,Physical_Address) on (source.id == device.[EC: Issue_ID])

Which means: if the value in the id column in the CSV file is the same as the value in the Enforcement Action field Issue_ID, then enrich the device with the values contained in the Name, Email and Physical_Address fields in the CSV file.

Note:

Make sure you use spaces between the sections of the rule, as shown here:

source.mail == user.[Google Workspace].[Email Address]

Creating a Rule Based on a Preferred Field

This rule will try to match the value of a preferred field with one of the values in the first column of the CSV. If there is a match, the asset is enriched.

The syntax of the rule is:

source.preferred_host_name_field operator asset_type.specific_data.data.[Preferred_Host_Name]

  • source. - Indicates that the field is in a CSV source file.
  • preferred_host_name_field - A variable. The name of the CSV column used to identify which assets are enriched.
  • operator - One of the available operators. See Using the and / or Operators and ( ).
  • asset_type - A variable. The type of asset (device or user).
  • specific_data.data - Indicates an aggregated field.
  • [Preferred_Host_Name] - A variable. The name of the preferred field to which you will apply the rule as it appears in your system. Must be enclosed in [ ].

For example, a full statement with this type of Rule:

enrich 'devices' with (Name,Email,Physical_Address) on (source.preferred_host_name_field == device.specific_data.data.[Preferred_Host_Name])

Which means: if the value in the preferred_host_name_field column in the CSV file is the same as the value in the preferred aggregated field Preferred_Host_Name, then enrich the device with the values contained in the Name, Email and Physical_Address fields in the CSV file.

Note:

Make sure you use spaces between the sections of the rule, as shown here:

source.mail == user.[Google Workspace].[Email Address]
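The four single-comparison rule types above (specific adapter, aggregated, Enforcement-Action and preferred field) all do the same thing: match one CSV column against one asset field and, on a match, copy the listed CSV columns onto the asset. The following added example (not Axonius code) applies such a statement to a list of assets. The statement grammar, the nested-dictionary asset layout, the 'custom_enrichment' bucket the copied columns land in, and the rules that bracketed segments such as [EC: Issue_ID] are used literally as keys, that the first CSV row wins on duplicate keys, and that (*) copies every CSV column are all assumptions made for the example; the CSV rows, account IDs and ticket ID are constructed.

```python
import copy
import csv
import io
import re

# Added example (not Axonius code): apply one single-comparison enrichment rule of the
# kind shown in the sections above to a list of assets. Bracketed segments such as
# [EC: Issue_ID] are used literally as keys; internal-name resolution is a separate
# step. The asset layout and the 'custom_enrichment' bucket are constructed here.
STATEMENT = re.compile(r"^enrich\s+'(device|user)s'\s+with\s+\((.*?)\)\s+on\s+\((.*)\)$")
EQUALITY = re.compile(r"^source\.(\S+)\s*==\s*(.+?)\s*$")
SEGMENT = re.compile(r"\[[^\]]+\]|[^.\[\]]+")

def parse_statement(text):
    # Returns (asset_type, with_fields, csv_key_column, asset_path_segments).
    m = STATEMENT.match(text.strip())
    if not m:
        raise SyntaxError("expected: enrich '<type>s' with (<fields>) on (<condition>)")
    asset_type, with_fields, condition = m.groups()
    c = EQUALITY.match(condition)
    if not c:
        raise SyntaxError("this example only handles 'source.<column> == <asset field>'")
    key_column, asset_path = c.groups()
    segs = [s[1:-1] if s.startswith("[") else s for s in SEGMENT.findall(asset_path)]
    if not segs or segs[0] != asset_type:
        raise ValueError(f"asset field must start with '{asset_type}.': {asset_path!r}")
    return asset_type, [f.strip() for f in with_fields.split(",")], key_column, segs[1:]

def field_values(asset, segs):
    # Walk the path; adapter data is often a list of records, so return every value found.
    found = [asset]
    for key in segs:
        found = [v for obj in found if isinstance(obj, dict) and key in obj
                 for v in (obj[key] if isinstance(obj[key], list) else [obj[key]])]
    return found

def enrich(statement, csv_text, assets):
    # Returns deep copies of the assets; an asset whose field value equals a CSV key
    # gains the selected CSV columns under 'custom_enrichment'. Input is not mutated.
    _, fields, key_column, path = parse_statement(statement)
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        index.setdefault(str(row[key_column]), row)   # assumption: first row wins on duplicate keys
    result = copy.deepcopy(assets)
    for asset in result:
        row = next((index[str(v)] for v in field_values(asset, path) if str(v) in index), None)
        if row is None:
            continue                                    # no match: asset left unchanged
        columns = list(row) if fields == ["*"] else fields  # assumption: (*) copies every column
        asset.setdefault("custom_enrichment", {}).update({c: row[c] for c in columns})
    return result

# Constructed sample input: a CSV keyed by account ID, one keyed by ticket ID,
# and two devices, the first of which carries adapter, aggregated and EC fields.
SAMPLE_CSV = ("id,Name,Email,Physical_Address\n"
              "123456789012,Payments,payments-owner@example.com,Building 4\n"
              "210987654321,Billing,billing-owner@example.com,Building 2\n")
SAMPLE_EC_CSV = "issue_id,Owner\nINC-42,secops\n"
SAMPLE_DEVICES = [
    {"aws_adapter": [{"account_id": "123456789012"}],
     "specific_data": {"data": {"account_id": "123456789012"}},
     "EC: Issue_ID": "INC-42"},
    {"aws_adapter": [{"account_id": "999999999999"}]},
]
```

Running enrich with the adapter-field statement from the first section (source.id == device.aws_adapter.account_id, internal names assumed) enriches the first device with Name, Email and Physical_Address and leaves the second untouched; the aggregated (specific_data.data) and Enforcement-Action ([EC: Issue_ID]) forms take the same path through the code, differing only in which keys are walked.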
