| Source kind | Enrichment type. Depending on the selected enrichment type, additional settings that also need to be completed are displayed. The available types of enrichment are described below. |

constant

This type of enrichment is used when a constant needs to be added to an event field. Available enrichment type settings are listed in the table below.

Available enrichment type settings
| Setting | Description |  
| Constant | The value to be added to the event field. Maximum length of the value: 255 Unicode characters. If you leave this field blank, the existing event field value is removed. |  
| Target field | The KUMA event field that you want to populate with the data. |

If you are using the event enrichment functions for extended schema fields of the String, Number, or Float type with a constant, the constant is added to the field. If you are using the event enrichment functions for extended schema fields of the Array of strings, Array of numbers, or Array of floats type with a constant, the constant is added to the elements of the array.

dictionary

This type of enrichment is used if you need to add a value from a dictionary of the Dictionary type. Available enrichment type settings are listed in the table below.

Available enrichment type settings
| Setting | Description |  
| Dictionary name | The dictionary from which the values are to be taken. |  
| Key fields | Event fields whose values are to be used for selecting a dictionary entry. To add an event field, click Add field. You can add multiple event fields. |

If you are using event enrichment with dictionary selected as the Source kind setting, and an array field is specified in the Key fields setting, the array passed as the dictionary key is serialized into a string in accordance with the rules for serializing a single value in the TSV format.

Example: The Key fields setting of the enrichment uses the SA.StringArrayOne extended schema field. The SA.StringArrayOne extended schema field contains the values "a", "b", "c". The following value is passed to the dictionary as the key: ['a','b','c'].

If the Key fields setting uses both an extended schema array field and a regular event schema field, the field values are separated by the | character when the dictionary is queried.

Example: The Key fields setting uses the SA.StringArrayOne extended schema field and the Code string field. The SA.StringArrayOne extended schema field contains the values "a", "b", "c", and the Code string field contains the character sequence myCode. The following value is passed to the dictionary as the key: ['a','b','c']|myCode.

table

This type of enrichment is used if you need to add a value from a dictionary of the Table type. Available enrichment type settings are listed in the table below.

Available enrichment type settings
| Setting | Description |  
| Dictionary name | The dictionary from which the values are to be taken. |  
| Key fields | Event fields whose values are to be used for selecting a dictionary entry. To add an event field, click Add field. You can add multiple event fields. |  
| Mapping | Event fields for data transfer. Dictionary field specifies the dictionary fields from which data is to be transmitted; the available fields depend on the selected dictionary resource. KUMA field specifies the event fields to which data is to be transmitted. For some of the selected fields (*custom* and *flex*), in the Label column, you can specify a name for the data written there. |

The first field in the table (Dictionary field) is taken as the key with which the fields selected from the event as key fields (KUMA field) are matched. As the key in the Dictionary field, you must select an indicator of compromise by which the enrichment is to be performed, for example, an IP address, URL, or hash. In the rule, you must select the event field that corresponds to the selected indicator of compromise in the dictionary field. If you want to select multiple key fields, you can specify them using | as a separator (when specifying them in the web interface or importing them as a CSV file), for example, <IP address>|<user name>.

You can add new table rows or delete table rows. To add a new table row, click Add new element. To delete a row in the table, click the delete button.

event

This type of enrichment is used when you need to write a value from another event field to the current event field. Available enrichment type settings are listed in the table below.

Available enrichment type settings
| Setting | Description |  
| Target field | The KUMA event field that you want to populate with the data. |  
| Source field | The event field whose value is written to the target field. |

Clicking the conversion button opens the Conversion window, in which you can click Add conversion to create rules for modifying the source data before writing it to the KUMA event fields. You can reorder and delete created rules. To change the position of a rule, click the move button next to it. To delete a rule, click the delete button next to it.

Available conversions

Conversions are modifications that are applied to a value before it is written to the event field. You can select one of the following conversion types from the drop-down list:

- entropy converts the value of the source field using the information entropy calculation function and places the result in a target field of the float type. The result of the conversion is a number. Calculating the information entropy makes it possible to detect DNS tunnels or compromised passwords, for example, when a user enters the password instead of the login and the password gets logged in plain text.
- lower makes all characters of the value lowercase.
- upper makes all characters of the value uppercase.
- regexp converts a value using a specified RE2 regular expression. When you select this type of conversion, a field is displayed in which you must specify the RE2 regular expression.
- substring extracts the characters in a specified range of positions. When you select this type of conversion, the Start and End fields are displayed, in which you must specify the range of positions.
- replace replaces a specified character sequence with another character sequence. When you select this type of conversion, the following fields are displayed:
  - Replace chars specifies the sequence of characters to be replaced.
  - With chars is the character sequence to be used instead of the character sequence being replaced.
- trim removes the specified characters (any character from the set, not the sequence as a whole) from the beginning and from the end of the event field value. When you select this type of conversion, the Chars field is displayed, in which you must specify the characters. For example, if a trim conversion with the value Micromon is applied to Microsoft-Windows-Sysmon, the new value is soft-Windows-Sys.
- append appends the specified characters to the end of the event field value. When you select this type of conversion, the Constant field is displayed, in which you must specify the characters.
- prepend prepends the specified characters to the beginning of the event field value. When you select this type of conversion, the Constant field is displayed, in which you must specify the characters.
- replace with regexp replaces the matches of an RE2 regular expression with the specified character sequence. When you select this type of conversion, the following fields are displayed:
  - Expression is the RE2 regular expression whose matches you want to replace.
  - With chars is the character sequence to be used instead of the character sequence being replaced.
- Converting encoded strings to text:
  - decodeHexString converts a HEX string to text.
  - decodeBase64String converts a Base64 string to text.
  - decodeBase64URLString converts a Base64url string to text.

  When a corrupted string is converted or a conversion error occurs, corrupted data may be written to the event field. During event enrichment, if the length of the encoded string exceeds the size of the field of the normalized event, the string is truncated and is not decoded. If the length of the decoded string exceeds the size of the event field into which the decoded value is to be written, the string is truncated to fit the size of the event field.
- Converting an IP address to the IPv4 format:
  - ipDecimalToDotted converts an IP address in decimal format to an IP address in IPv4 format, in which octets are separated by dots.
  - ipHexToDotted converts a hexadecimal IP address to a decimal IP address in IPv4 format, in which octets are separated by dots.
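The following Go program is added here as an illustration and is not part of KUMA or its documentation. It reimplements four of the conversions listed above so their semantics can be checked on sample data: entropy as Shannon entropy in bits per character (the kind of score that separates a DNS-tunnel label from a normal hostname), trim with the page's own Microsoft-Windows-Sysmon example, and the two IP conversions with an overflow check. The function names and the sample hostnames are constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// entropy returns the Shannon entropy of s in bits per character, the kind of
// value the entropy conversion writes to a float field (high for random-looking labels).
func entropy(s string) float64 {
	counts, total := map[rune]int{}, 0
	for _, r := range s {
		counts[r]++
		total++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(total)
		h -= p * math.Log2(p)
	}
	return h
}

// trimChars mirrors the trim conversion: Chars is a set of characters, not a
// substring, stripped from both ends until a character outside the set is met.
func trimChars(value, chars string) string { return strings.Trim(value, chars) }

// ipToDotted parses s in the given base (10 for ipDecimalToDotted, 16 for ipHexToDotted)
// and renders a dotted IPv4 address; values over 32 bits are rejected, not corrupted.
func ipToDotted(s string, base int) (string, error) {
	s = strings.TrimPrefix(strings.ToLower(strings.TrimSpace(s)), "0x")
	n, err := strconv.ParseUint(s, base, 32)
	if err != nil {
		return "", fmt.Errorf("cannot convert %q: %w", s, err)
	}
	return fmt.Sprintf("%d.%d.%d.%d", n>>24, (n>>16)&0xff, (n>>8)&0xff, n&0xff), nil
}

func main() {
	for _, q := range []string{"mail.example.com", "x7kq9z2vb1mf8dl3.example.com"} { // constructed
		fmt.Printf("%-30s entropy=%.2f\n", q, entropy(q))
	}
	fmt.Println(trimChars("Microsoft-Windows-Sysmon", "Micromon")) // soft-Windows-Sys
	d, _ := ipToDotted("3232235777", 10)
	x, _ := ipToDotted("C0A80101", 16)
	fmt.Println(d, x) // 192.168.1.1 192.168.1.1
}
```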
Conversions when using the extended event schema

Whether or not a conversion can be used depends on the type of the extended event schema field being used:

- For an additional field of the String type, all types of conversions are available.
- For fields of the Number and Float types, the following types of conversions are available: regexp, substring, replace, trim, append, prepend, replaceWithRegexp, decodeHexString, decodeBase64String, and decodeBase64URLString.
- For fields of the Array of strings, Array of numbers, and Array of floats types, the following types of conversions are available: append and prepend.

When enriching events that have event selected as the Source kind and extended event schema fields are used as arguments, the following special considerations apply:

- If the source extended event schema field has the Array of strings type, and the target extended event schema field has the String type, the values are written to the target extended event schema field in TSV format. Example: the SA.StringArray extended event schema field contains the values "string1", "string2", "string3". An event enrichment operation is performed. The result of the event enrichment operation is written to the DeviceCustomString1 extended event schema field. The DeviceCustomString1 extended event schema field contains the values ["string1", "string2", "string3"].
- If the source and target extended event schema fields both have the Array of strings type, the values of the source extended event schema field are added to the values of the target extended event schema field, and the "," character is used as the delimiter. Example: The SA.StringArrayOne field of the extended event schema contains the values ["string1","string2","string3"], and the SA.StringArrayTwo field of the extended event schema contains the values ["string4", "string5", "string6"]. An event enrichment operation is performed. The result of the event enrichment operation is written to the SA.StringArrayTwo field of the extended event schema. The SA.StringArrayTwo extended event schema field contains the values ["string4", "string5", "string6", "string1", "string2", "string3"].
template

This type of enrichment is used when you need to write the result of processing Go templates into the event field. We recommend matching the value and the size of the field. Available enrichment type settings are listed in the table below.

Available enrichment type settings
| Setting | Description |  
| Template | The Go template. Event field names are passed in the {{.EventField}} format, where EventField is the name of the event field from which the value must be passed to the script, for example, {{.DestinationAddress}} attacked from {{.SourceAddress}}. |
| Target field | The KUMA event field that you want to populate with the data. |

If you are using an enrichment of events in which the Source kind is template, the target field has the String type, and the source field is an extended event schema field containing an array of strings, you can use one of the following examples for the template. To convert the data in an array field in a template into the TSV format, use the toString function, for example:

template {{toString .SA.StringArray}}
Source kind is a required setting.
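As an added example (not KUMA's own code), the following Go program renders the two templates shown on this page against a constructed event using the standard text/template package, and shows that a misspelled field name fails at execute time instead of silently writing an empty value. The toString function registered here is an assumed stand-in that joins the array with tab characters; it is not KUMA's implementation. The Event type and address values are constructed; the field names come from the page.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Event is a constructed stand-in for the KUMA event handed to a template:
// two top-level address fields plus an extended-schema array under SA.
type Event struct {
	SourceAddress      string
	DestinationAddress string
	SA                 struct{ StringArray []string }
}

// funcs registers toString. This is an assumed implementation (join the
// array with tab characters, i.e. TSV), not KUMA's own function.
var funcs = template.FuncMap{
	"toString": func(a []string) string { return strings.Join(a, "\t") },
}

// render executes a Go template against an event and returns the value that
// would be written to the target field; parse and execute errors (such as a
// misspelled field name) are returned instead of silently yielding "".
func render(tmpl string, ev Event) (string, error) {
	t, err := template.New("enrich").Funcs(funcs).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, ev); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	ev := Event{SourceAddress: "10.0.0.5", DestinationAddress: "10.0.0.7"} // constructed
	ev.SA.StringArray = []string{"string1", "string2", "string3"}
	for _, tmpl := range []string{
		"{{.DestinationAddress}} attacked from {{.SourceAddress}}",
		"{{toString .SA.StringArray}}",
		"{{.NoSuchField}}", // a typo in a field name fails at execute time
	} {
		out, err := render(tmpl, ev)
		fmt.Printf("%q -> %q err=%v\n", tmpl, out, err)
	}
}
```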