
Is there any method to do data enrichment using a CSV file?

Hi all,

ESM/ERC combo box running 10.2 here.

I'm trying something that's new for me. Is there any method to do data enrichment using a CSV file? Does someone know a procedure?

Thanks in advance
1 Solution

Accepted Solutions

Re: Is there any method to do data enrichment using a CSV file?

Hi,

I solved it using a MySQL database with the Data Enrichment option. I'll share my configuration.

My table only has 2 fields.

1.- Select System Properties -> Data Enrichment

2.- Main folder

    Enrichment name = <some name>
    Enable = true
    Lookup type = String
    Enrichment type = string
    Pull frequency = Daily at specified time
    Daily trigger time: Hour = 1, Minute = 0

2.- Source folder

    Type = MySQL
    Host = your host
    Port = 3306 (the MySQL default port)
    DbName = your dbname
    Username = your user
    Password = ********

3.- Query folder

    Query:

    select field1, field2 from table

Click Test. If all is OK, a window appears with your data, like this:

    SP=Spain
    US=USA
    MX=Mexico

Note: it is case sensitive; this is very important.

4.- Query folder

Select Add

Select the data source where you would like to enrich data

Select the lookup field (in my case, host)

Select the enrichment field (in my case I used command)

Click OK

Click Finish

Click Write

Select your enrichment source and click the Run Now button

I hope it helps you.
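For the CSV part of the question, an added example (not part of the original post and not McAfee tooling): a Python script that checks a two-column CSV lookup file and emits the SQL to load it into a MySQL table that the query in step 3 can read. The table name `enrich_lookup`, the column sizes and the sample rows are assumptions; `field1` and `field2` follow the query in the post.

```python
import csv
import io

# Constructed sample lookup file (header + key,value rows); not data from the thread.
SAMPLE_CSV = """code,country
SP,Spain
US,USA
MX,Mexico
us,United States
MX,Mexico
UK,
"""

def load_lookup(text):
    """Parse a two-column CSV. Returns (rows, problems); problems are (line, message)."""
    rows, folded, problems = {}, {}, []
    reader = csv.reader(io.StringIO(text))
    next(reader, None)  # skip the header row
    for lineno, rec in enumerate(reader, start=2):
        if len(rec) != 2 or not rec[0].strip() or not rec[1].strip():
            problems.append((lineno, "need exactly two non-empty fields"))
            continue
        key, value = rec[0].strip(), rec[1].strip()
        if key in rows:
            problems.append((lineno, f"duplicate key {key!r} skipped"))
            continue
        # Per the note in the post the lookup is case sensitive, so 'US' and 'us'
        # are distinct keys; keep both but flag them, since one is often a typo.
        if key.casefold() in folded:
            problems.append((lineno, f"{key!r} differs only by case from {folded[key.casefold()]!r}"))
        folded.setdefault(key.casefold(), key)
        rows[key] = value
    return rows, problems

def sql_quote(s):
    """Quote a string literal for MySQL (default sql_mode: backslash is an escape)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"

def to_sql(rows, table="enrich_lookup"):  # table name is hypothetical
    # Binary collation keeps the key column case sensitive, matching the lookup.
    stmts = [f"CREATE TABLE IF NOT EXISTS {table} ("
             "field1 VARCHAR(64) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin PRIMARY KEY, "
             "field2 VARCHAR(255) NOT NULL);"]
    stmts += [f"INSERT INTO {table} (field1, field2) VALUES ({sql_quote(k)}, {sql_quote(v)});"
              for k, v in rows.items()]
    return stmts

if __name__ == "__main__":
    rows, problems = load_lookup(SAMPLE_CSV)
    print("\n".join(to_sql(rows)))
    for line, msg in problems:
        print(f"-- line {line}: {msg}")
```

Review the reported problem lines before loading the output, and give the account configured in the Source folder read-only access to this one table.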

 

 

 

 

 


7 Replies
Reliable Contributor brenta
Message 2 of 8

Re: Is there any method to do data enrichment using a CSV file?

So my general rule around data enrichment is it normally breaks database normal form conventions and best practices. In general the only time it is advisable is if what you are enriching against often changes.

So for example enriching username (first/last name) into an event using an email address is extremely low value, as the mapping is not likely to change.

But... enriching MAC address from IP address in a dynamic IP environment, could possibly be of some benefit.

Brent

Re: Is there any method to do data enrichment using a CSV file?

Hi.

I've the same doubt. If I want to enrich events with static information, like:

SP -> SPAIN

USA -> United States of America

UK -> United Kingdom

How can we do that?

Thanks

 

Reliable Contributor David1111
Message 5 of 8

Re: Is there any method to do data enrichment using a CSV file?

Hi,

Using enrichment could be very helpful, but you need to check that it's not erasing any fields.

I did an enrichment for the full name of the source user and then I noticed the field Destination User was not working.

Then I needed to play around with the "Index".

So just be careful.

 

Best regards 👍👍👍

David.

Reliable Contributor brenta
Message 6 of 8

Re: Is there any method to do data enrichment using a CSV file?

@David1111 Did you happen to follow this guide? https://community.mcafee.com/t5/Documents/SIEM-Foundations-Implement-Enrichment-to-Pull-in-Full-User...

I really wish McAfee would update or simply remove this guide.

I have found countless customers that followed this and did not understand that by doing this you will lose a lot of the information in packets with 2 users, such as someone being added to the Domain Admin group, and it is not entirely obvious because of how the database fields are set up in the NitroDB. It ends up being discovered months later when the "users being added to groups" correlation rules just stop firing altogether.

Brent

Reliable Contributor David1111
Message 7 of 8

Re: Is there any method to do data enrichment using a CSV file?

WOW brenta, you're so so right!

I feel a lot that McAfee doesn't invest in user experience in the McAfee SIEM and in their guides...

 

Best Regards👍👍👍

David.

Reliable Contributor brenta
Message 8 of 8

Re: Is there any method to do data enrichment using a CSV file?

In the event someone finds this thread encountering the error described above, McAfee has published a KB on this issue. 

https://kc.mcafee.com/corporate/index?page=content&id=KB88982

Brent