Creating Custom Enrichments
  • 31 Mar 2024


Use Custom Enrichment to enrich the asset data received from adapters and add columns (fields or aggregated field values) containing additional useful information. This allows you to add a large number of custom or proprietary fields.

You can create Custom Enrichments using the Manage Custom Enrichment - Enrich assets with CSV file Enforcement Action or from System Settings.

To use Custom Enrichment (via an Enforcement Action or System Settings), you need to create a statement which describes how to add information to an asset. The statements are built using syntax similar to SQL. In addition, you need to supply a CSV ENUM file which contains the columns that will be added to the asset.

See Creating the Custom Enrichment CSV File for instructions on creating the CSV file.

It is recommended to use the Enforcement Action, as it adds powerful scheduling and customization capabilities to Custom Enrichment.

Creating the Statement

The general format of an Enrichment Statement is:

enrich Type with Fields on Rule

The first part of the enrichment statement (enrich 'Type' with 'Fields') determines which data from the CSV is added to the asset. The Rule determines which specific assets are enriched.

  • In the Type field, list the asset type enclosed in single quotes. For example, 'devices'.
  • In the Fields field, list the names of the columns in the CSV file, comma separated in parentheses. For example, (fieldA,fieldB). You can also use a wildcard '*' in the Fields field instead of listing all of the columns in the CSV file. The wildcard represents all the columns in the same row. Note that for list fields in the CSV file, only unique values are used to enrich assets.
  • In the Rule field, enter the rule that defines when the Enrichment will be used. Learn how to create a Custom Enrichment rule.
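
A pre-upload check for the statement format described above, as an added example that is not Axonius code: it parses a statement and confirms that every listed field exists as a column in the CSV. It assumes the first CSV row holds the column names, accepts the wildcard written as *, '*' or (*), and treats the Rule as opaque text because its syntax is not covered on this page; the function names, sample CSV and <rule> placeholder are constructed.

```python
import csv
import io
import re

# Assumed shape, taken from the format line above: enrich 'Type' with Fields on Rule.
# The Rule grammar is not described on this page, so it is kept as opaque text.
STATEMENT_RE = re.compile(
    r"^\s*enrich\s+'(?P<type>[^']+)'\s+with\s+"
    r"(?P<fields>\([^()]*\)|'\*'|\*)\s+on\s+(?P<rule>\S.*?)\s*$",
    re.IGNORECASE | re.DOTALL,
)


def parse_statement(statement):
    """Split a statement into asset type, field list (or ['*']) and rule text."""
    m = STATEMENT_RE.match(statement)
    if m is None:
        raise ValueError("expected: enrich 'Type' with (fieldA,fieldB) on Rule")
    raw = m.group("fields").strip("()'")
    fields = [f.strip() for f in raw.split(",")]
    if "" in fields:
        raise ValueError("empty field name in Fields list")
    return {"type": m.group("type"), "fields": fields, "rule": m.group("rule")}


def check_against_csv(statement, csv_text):
    """Return the CSV columns the statement would add, or raise on a mismatch."""
    parsed = parse_statement(statement)
    # Assumption: the first CSV row is the header that names the columns.
    header = [h.strip() for h in next(csv.reader(io.StringIO(csv_text)), [])]
    if parsed["fields"] == ["*"]:
        return header  # wildcard: all the columns in the row
    missing = [f for f in parsed["fields"] if f not in header]
    if missing:
        raise ValueError("fields not in CSV header: " + ", ".join(missing))
    return parsed["fields"]


# Constructed sample data; column names and the rule text are placeholders.
SAMPLE_CSV = "hostname,fieldA,fieldB\nsrv-01,finance,tier1\nsrv-02,hr,tier2\n"
SAMPLE_STATEMENT = "enrich 'devices' with (fieldA,fieldB) on <rule>"

if __name__ == "__main__":
    print(check_against_csv(SAMPLE_STATEMENT, SAMPLE_CSV))
```
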

Viewing the Results

Once you save the Custom Enrichment, the information is added to the asset in an existing Axonius field or in a new field.
New fields created by Custom Enrichments are labeled with one of the following:

  • Enrichment - When enriched based on a specific adapter.
  • Common Enrichment - When enriched based on an aggregated field.

This is the case regardless of whether the enrichments are created in System Settings or using the Manage Custom Enrichment - Enrich assets with CSV file Enforcement Action (configured with the default settings).

Note:

Fields created by Custom Enrichments based on an aggregated field, using the Manage Custom Enrichment - Enrich assets with CSV file Enforcement Action with the option to write enriched values enabled, are labeled with Enrichment: in the EC Artifacts adapter.

Each Enrichment field can contain a list of values: if an asset matches more than one rule, it is enriched with all of them.

You can use a Query to retrieve the information added to the asset using Custom Enrichment.
The following screen shows a Query that retrieves devices with an Enrichment field (based on a specific adapter).
EnrichmentEG.png

The following screens show a query that retrieves devices with a Common Enrichment field (based on an aggregated adapter; created using System Settings or the Manage Custom Enrichment - Enrich assets with CSV file Enforcement Action with the default settings), and the Asset Profile page of one of the devices returned by this query showing the enriched field and its values.

EnrichmentWizard

AssetProfileEnrichmentFIelds

When Custom Enrichment based on an aggregated field is created using the Manage Custom Enrichment - Enrich assets with CSV file Enforcement Action with the option enabled to write enriched values to the EC Artifacts adapter, enriched field values from that adapter are added to already existing aggregated fields. This is because values of fields from all adapters in the system (including the EC Artifacts adapter), which share the same name, are aggregated into a common field containing all the values.

In the following example, the Query returns assets with the Email Address value, regardless of whether the value came from the EC Artifacts adapter (enriched) or any other adapter.
RegularQueryEmail


