The documentation on this is the pits.
I have a few fundamental questions:
1) At what point is data enriched? When a signature fires? When a query is run?
2) I used 'Source User' as the lookup field and the results of a query as the 'Enrichment'. The query runs and ostensibly all is ok. Only problem: none of my enrichment data shows up anywhere in the system. Does this feature even work? I followed the docs, if you can call them that. The documentation is very, very, very bad and is not appropriate for a product with this price tag.
Sorry for venting, but getting anything to work right with this product usually involves me guessing my way through the UI, which is often counterintuitive. Clicking on help is a waste of time. The help was written by somebody who doesn't understand the system. It's as if they were describing what they saw on the screen without knowing what any of it did.
So I think to myself: I'll use the API, then I'll be able to make things work. What API? There is no API. It's the UI or the highway.
Maybe the guy assigned to our account can help. Naw, I know the product better than he does.
Me frustrated? Heck yeah!
Sorry to hear about your frustration with McAfee ESM. Sounds like you have some deeper issues than can likely be addressed on this forum. If you will PM me your contact information, I think I can get you the assistance you need.
We have a Data Enrichment Rule that runs against a CSV file of Terminated Users. We had to manipulate the format to find what worked (in the CSV).
We have it scheduled to run every day at a certain time, and it updates a custom field with the term "Former" for a terminated employee.
We then have an Alarm that triggers for activity by a user that has "Former" in this particular custom field.
We plan to expand this to include "Service Accts", "Privileged Users", etc.
The Data Enrichment task is defined on the ESM Properties, under Data Enrichment.
The Source is the CSV on a CIFS Share.
The Destination is all of our Windows Servers (on 8 different receivers) with a Lookup field of Source User and an Enrichment Field of "Employee_Status" mapped to Custom Field 9.
The thing to be careful about is which Custom Field you are trying to use, to make sure it will not be overwritten by something else.
There are very few Custom Fields that are actually usable; the system uses most of the others. Not sure why they call them custom.
You can look in the Help for "Predefined custom types table" to see the current mappings.
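An offline model of the setup described in the last post (CSV lookup keyed on Source User, Employee_Status set to "Former", alarm on that value), added here as an example that is not part of the thread and not McAfee's code. The two-column CSV layout, the `src_user` key, the username normalization and all sample data are assumptions; the thread does not state the CSV format ESM accepts or how it matches keys.

```python
import csv
import io

# Constructed sample data. The two-column layout (user,status) is an assumption,
# not the format McAfee ESM requires.
LOOKUP_CSV = """user,status
CORP\\jdoe,Former
asmith@corp.example,Former
,Former
JDOE,Former
"""

EVENTS = [  # constructed events; "src_user" stands in for the Source User field
    {"id": 1, "src_user": "jdoe"},
    {"id": 2, "src_user": "CORP\\ASmith"},
    {"id": 3, "src_user": "bwayne"},
]

def normalize(user):
    """Reduce DOMAIN\\user and user@domain to a bare lowercase account name."""
    user = user.strip()
    if "\\" in user:
        user = user.rsplit("\\", 1)[1]
    if "@" in user:
        user = user.split("@", 1)[0]
    return user.lower()

def load_lookup(text):
    """Return (table, problems): normalized user -> status, plus rejected rows."""
    table, problems = {}, []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        key = normalize(row["user"] or "")
        if not key:
            problems.append((line_no, "blank user"))
        elif key in table:
            problems.append((line_no, "duplicate of " + key))
        else:
            table[key] = row["status"].strip()
    return table, problems

def enrich(events, table):
    """Copy each event, adding Employee_Status (None when there is no match)."""
    return [{**ev, "Employee_Status": table.get(normalize(ev["src_user"]))}
            for ev in events]

def alarms(enriched):
    """Ids of events the 'Former' alarm condition would select."""
    return [ev["id"] for ev in enriched if ev["Employee_Status"] == "Former"]
```

Running `load_lookup` on the real terminated-users file before scheduling the rule shows blank or duplicate keys, and comparing its keys with Source User values exported from a few events shows whether the two sides use the same account-name form.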