Configuring the enrichment of collectors with assets

If asset enrichment is performed on each collector, asset data (UUID, IP address, FQDN) has to be sent to each collector. This can significantly complicate and slow down the processing of data by collectors.

You can configure the enrichment of collectors with asset data only on the collectors that you want to be enriched.

To create an asset enrichment rule for a collector:

  1. Go to the Resources section of the KUMA web interface.

    A table with the created enrichment rules is displayed in the right part of the Resources section.

  2. In the list of tenants in the left part of the window, select the tenant that owns the resource.
  3. Click the Create new button above the table.
  4. In the displayed sidebar, specify the following settings:
    1. In the Name field, enter a unique name for the rule. The name must contain 1 to 128 Unicode characters.
    2. In the Tenant drop-down list, select the tenant that will own this enrichment rule.
    3. In the Source kind drop-down list, select enrichment by assets.
    4. If necessary, use the Debug toggle switch to enable logging of service operations.
    5. If necessary, in the Tags drop-down list, select the tags for the enrichment rule.
    6. If required, add a description for the enrichment rule in the Description field. The rule description can contain up to 4000 Unicode characters.
  5. In the Mapping section, populate the field mapping table as follows:
    1. Click Add.
    2. In the KUMA field drop-down list, select one or more event fields that you want to map to values from the hash table and write to the corresponding asset information field in the table.
    3. In the KUMA event field to write to drop-down list, select the field into which you want to write the event ID, if the event field (KUMA field) matches the value from the hash table.

    Possible parameter values in the field mapping table

    If the user selects multiple fields in one row, the AND operator is applied to the field values. If the user adds multiple rows in the KUMA field column, the OR operator is applied to the rows. Matching begins from the first row in the list; as soon as a field value matches the value of the asset attribute, matching stops.

    For example, suppose that the following data is received in an event:

    SourceAddress=192.168.x.xx
    SourceHostName=kuma.example.com.

    There are two assets in KUMA: company.example.com (IP address: 192.168.x.xx, FQDN: company.example.com) and kuma.example.com (IP address: 192.168.y.yyy, FQDN: kuma.example.com). Matching is performed as follows:

    • If the user separately specified sourceAddress → sourceAssetID, and then sourceHostname → sourceAssetID, then the asset matches the first condition (company.example.com).
    • If it is more important for the user to get the sourceHostname value (kuma.example.com), then sourceHostname → sourceAssetID must be specified first, followed by sourceAddress → sourceAssetID.
    • If the user specifies sourceAddress + sourceHostname → sourceAssetID, enrichment does not occur.

    At least one matching condition must be specified in the field mapping table.
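    The matching order described above, as an added example that is not part of the KUMA documentation: a small Python model of the mapping table, run against the page's scenario (one asset matches the IP, another matches the hostname). The asset inventory, IP addresses and the field names SourceAddress, SourceHostName and SourceAssetID are constructed assumptions.

```python
# Added example: a simplified model of how the asset-enrichment mapping table
# resolves an event to an asset. Illustrative only, not KUMA's own code.
# Rows are tried top to bottom (OR across rows); a row with several KUMA
# fields only matches an asset that satisfies ALL of them (AND).

# Constructed asset inventory; IDs, IPs and hostnames are made-up sample values.
ASSETS = [
    {"id": "asset-company", "ip": "192.168.1.10", "fqdn": "company.example.com"},
    {"id": "asset-kuma", "ip": "192.168.2.100", "fqdn": "kuma.example.com"},
]

# Assumed mapping of event fields to the asset attribute they are compared with.
FIELD_TO_ATTR = {"SourceAddress": "ip", "SourceHostName": "fqdn"}


def find_asset(event, fields, assets=ASSETS):
    """Return the first asset whose attributes equal ALL the given event fields."""
    for asset in assets:
        if all(event.get(f) == asset.get(FIELD_TO_ATTR[f]) for f in fields):
            return asset
    return None


def enrich(event, mapping, assets=ASSETS):
    """mapping: list of (event_fields, target_field) rows in table order.

    The first row that matches an asset writes the asset ID into target_field
    and stops; later rows are not evaluated. Returns the ID written, or None
    when no row matches (no enrichment happens).
    """
    for fields, target in mapping:
        asset = find_asset(event, fields, assets)
        if asset is not None:
            event[target] = asset["id"]
            return asset["id"]
    return None


# Constructed event: the IP belongs to one asset, the hostname to another.
EVENT = {"SourceAddress": "192.168.1.10", "SourceHostName": "kuma.example.com"}

BY_ADDRESS_FIRST = [(["SourceAddress"], "SourceAssetID"), (["SourceHostName"], "SourceAssetID")]
BY_HOSTNAME_FIRST = [(["SourceHostName"], "SourceAssetID"), (["SourceAddress"], "SourceAssetID")]
BOTH_IN_ONE_ROW = [(["SourceAddress", "SourceHostName"], "SourceAssetID")]

if __name__ == "__main__":
    for name, mapping in [("address first", BY_ADDRESS_FIRST),
                          ("hostname first", BY_HOSTNAME_FIRST),
                          ("both in one row", BOTH_IN_ONE_ROW)]:
        print(name, "->", enrich(dict(EVENT), mapping))
```

Row order therefore decides which asset an alert is attributed to, so a mapping that lists the less reliable field first can silently pin events to the wrong host.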

    You can also click the Apply default mapping button above the table. In this case, the default values of the KUMA field and KUMA event field to write to columns are applied.

    Default values of parameters in the field mapping table

  6. Under Filter parameters, you can specify conditions to identify events that will be processed using the enrichment rule. You can select an existing filter from the Filter drop-down list or create a new filter.

    Adding conditions and condition groups for the filter

  7. Click Create.