Showing results for 
Show  only  | Search instead for 
Did you mean: 

Data Enrichment

The documentation on this is the pitts.

I have a few fundamental questions:

1) at what point is data enriched? when a signature fires? when a query is run?

2) I used 'Source User' as the lookup field and the results of a query as the 'Enrichment'. The query runs and ostensibly all is ok. Only problem: none of my enrichment data shows up anywhere in the system. Does this feature even work? I followed the docs, if you can call them that. The documentation is very, very, very bad and is not appropriate for a product with this price tag.

Sorry for venting, but getting anything to work right with this product usually involves me gessing my way through the UI, which is often counterintuitive. Clicking on help is a waste of time. The help was written by somebody who doesn't understand the system. It's as if they were describing what they saw on the screen without knowing what any of it did.

So I think to myself: I'll use the API, then I'll be able to make things work.  What API. There is no API.  It's the UI or the highway.

Maybe the guy assigned to our account can help. Naw, I know the product better than he does.

Me frustrated? Heck yeah!

4 Replies
Level 13
Report Inappropriate Content
Message 2 of 5

Re: Data Enrichment

Hello Laughingal,

Sorry to hear about your frustration with McAfee ESM.  Sounds like you have some deeper issues than can likely address on this forum.  If you will PM me your contact information, I think I can get you the assistance you need.

Best regards,


Level 12
Report Inappropriate Content
Message 3 of 5

Re: Data Enrichment

We have a Data Enrichment Rule that runs against a CSV file of Terminated Users, we had to manipulate the format to find what worked (in the CSV).

We have it scheduled to run every day at a certain time, and it updates a custom field with the term "Former" for a terminated employee.

We then have an Alarm that triggers for activity by a user that has "Former" in this particular custom field.

We plan to expand this to include "Service Accts" "Prviliged Users" etc...

Level 9
Report Inappropriate Content
Message 4 of 5

Re: Data Enrichment

Where do you have the Data Enrichment setup on?

I have found in my testing that it did not work when setup to the ESM, when I set it up on each of my receivers it started to work.

Level 12
Report Inappropriate Content
Message 5 of 5

Re: Data Enrichment

The Data Enrichment task is defined on the ESM Properties, under Data Enrichment.

The Source is the CSV on a CIFS Share

The Destination is all of our Windows Servers (on 8 different receivers) with a Lookup field of Source User and an Enrichment Field of "Employee_Status" mapped to Custom Field 9

The thing to be careful on is which Custom Field you are trying to use, to make sure it will not be over-written by something else.

There are very few Custom Fields that are actually usable, the system uses most of the others, not sure why they call them custom.

You can look in the Help for "Predefined custom types table" to see the current mappings.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community