Data Enrichment

Greetings folks!

We are looking to leverage the data enrichment feature within ESM to aid in detecting 'special' events, but first a couple questions.

Is there a limitation to the number of entries a data enrichment file can contain?

Does the data enrichment support regex and/or CIDR notation?

Thanks in advance,

JM

3 Replies

Re: Data Enrichment

There is no limit to the number of entries a data enrichment file can contain. Depending on your use case, the file either needs to contain a single list of values or be in the format lookup=enrichment. The lookup value would be the value contained in the event, such as the Source IP. The enrichment value is the value you want to add to a field in the event, such as a data center location. Your file would need to look like this:

10.1.1.1=Data Center 1

10.1.1.2=Data Center 2

For IP based enrichment, CIDR notation is supported, but regular expressions are not supported unless you are using regular expression based enrichment. Regular expression based enrichment allows you to apply a regex to an event field and enrich the event with a static value or the returned match from the regex.

Re: Data Enrichment

I have a file in the format which is an IP lookup -> string literal enrichment definition:

1.2.3.4=BotNetCCHost

2.3.4.5=BotNetCCHost

3.4.5.6=BotNetCCHost

But when I try to run the data enrichment I get an error as follows:

IT Pool_2013-10-13_02-15-23.png

Any help on this?

Re: Data Enrichment

Mike,

I assume that CIDR notation is supported when the enrichment lookup type is "32 bit IP Range" and the input file format is then:

a.b.c.d/nn=string value

This is on 9.6MR7.

cheers,

Andrew
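
As an added example (not McAfee code and not written by any poster in this thread), here is a Python check that can be run over a lookup=enrichment file of the kind described in the replies above before importing it. It accepts single IPs and a.b.c.d/nn entries, reports malformed lines by number, and resolves a test address to its enrichment value. The function names, the sample entries beyond those quoted in the thread, and the "most specific network wins" rule are assumptions of this example, not documented ESM behaviour.

```python
import ipaddress

# Constructed sample in the lookup=enrichment layout described in the thread.
SAMPLE = """\
10.1.1.1=Data Center 1
10.1.1.2=Data Center 2
10.2.0.0/16=Data Center 3
10.2.3.0/24=Lab Network
1.2.3.4=BotNetCCHost
not-an-ip=Broken
10.9.9.9
10.2.3.5/24=Host bits set
"""

def parse_enrichment(text):
    """Return (entries, errors). entries: (network, value); errors: (line, reason)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not value.strip():
            errors.append((lineno, "missing '=' or enrichment value"))
            continue
        try:
            # A bare address parses as a /32; a CIDR with host bits set
            # (e.g. 10.2.3.5/24) is rejected so typos are caught early.
            net = ipaddress.ip_network(key.strip())
        except ValueError:
            errors.append((lineno, f"bad IP/CIDR lookup: {key.strip()!r}"))
            continue
        entries.append((net, value.strip()))
    return entries, errors

def enrich(ip, entries):
    """Value of the most specific matching entry (assumed rule), or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, value) for net, value in entries if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

if __name__ == "__main__":
    entries, errors = parse_enrichment(SAMPLE)
    for lineno, reason in errors:
        print(f"line {lineno}: {reason}")
    for ip in ("10.1.1.1", "10.2.3.7", "10.2.9.9", "1.2.3.4", "8.8.8.8"):
        print(ip, "->", enrich(ip, entries))
```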
