SecurityIQ - add a field to the Data Enrichment Collector (DEC) v5.1 (comment added for 6.0+)

The SecurityIQ provide us the option to enrich activities with additional information on the user who performed the activity in the time the active was done.

In this wiki we learn how to add another field to the enrichment source.

We will take the Active Directory (AD) for example but it true for every enrichment source.

 

Connect to the SecurityIQ DB and, insert the relevant values according to the instructions and run the query in the DB:

SET IDENTITY_INSERT whiteops.wpc_field_dictionary ON;

 

INSERT INTO whiteops.wpc_field_dictionary ([id],[property_name],[field_name]

      ,[display_name],[xaxis_reg_expression],[xaxis_format],[property_type_id]

      ,[data_dictionary_id],[description],[table_columns]

      ,[alerts_forensics_order],[add_blank_line],[display],[display_if_empty],

[wh_question_id],[field_group_id],[is_profilable],[privacy_masked],[is_main_field])

VALUES (value,value,value,value,value,value,value,value,value,value,value,...)

 

SET IDENTITY_INSERT whiteops.wpc_field_dictionary OFF;

 

 

1. Whiteops.wpc_field_dictionary add a row for every attribute that you like to add to the Enrichment.
2. Property_name – the field name that will be fetched from the enrichment source.
3. Field_name – insert an increasing field number e.g. if last field number is Field5, Field6 need to be added.
4. Display_name – field name that will be appeared in the Advanced Filters  and in the activity enrichment tab in the Administrative Client.
5. Xaxis_reg_expression – Null
6. xaxis_format - Null
7. property_type_id – 1 (String)
8. data_dictionary_id – 14 (from SQL)
9. description – internal description, will not be displayed
10. table_columns – N\A
11. alerts_forensics_order – display order in the Client UI
12. add_blank_line – add blank line after the line?
13. display – 1 (display it or not?)
14. display_if_empty – if there is no value for this property, leave it empty to not display it at all.
15. wh_question_id – under what wh question you want this attribute to be appeared in the Advanced filters (check if whitops.wh_question table)
16. field_group_id – NULL (if you want to add the property to one of the groups in wpc_field_group table)
17. is_profilable – true - either to index or not? (not relevant from v4.2 and above)
18. privacy_masked – 0 – either to sensor in privacy mode or not.
19. is_main_field – 0 – either to display it in the main area or only in the DEC tab

 

Reset the following services

! important reset them one by one and to keep on this order !

1. 1.     Reset agent configuration manager
2. 2.     Reset event manager
3. 3.     Reset user interface
4. Reset the client

 

 

Before adding the Description field:

After adding the Description field:

 

 

  

Examples for adding field from the AD:

 

SET IDENTITY_INSERT whiteops.wpc_field_dictionary ON;

 

INSERT INTO whiteops.wpc_field_dictionary ([id],[property_name],[field_name]

      ,[display_name],[xaxis_reg_expression],[xaxis_format],[property_type_id]

      ,[data_dictionary_id],[description],[table_columns]

      ,[alerts_forensics_order],[add_blank_line],[display],[display_if_empty],

[wh_question_id],[field_group_id],[is_profilable],[privacy_masked],[is_main_field])

VALUES (1020, 'description',       'Field16',    'Description',       NULL,  NULL, 1,     1,       'description',       NULL,  16, 0,     1,     1,     2,     NULL,  1, 0,     0)

 

SET IDENTITY_INSERT whiteops.wpc_field_dictionary OFF;

 

 

 

SET IDENTITY_INSERT whiteops.wpc_field_dictionary ON;

 

INSERT INTO whiteops.wpc_field_dictionary ([id],[property_name],[field_name] ,[display_name],[xaxis_reg_expression],[xaxis_format],[property_type_id] ,[data_dictionary_id],[description],[table_columns] ,[alerts_forensics_order],[add_blank_line],[display],[display_if_empty], [wh_question_id],[field_group_id],[is_profilable],[privacy_masked],[is_main_field])

VALUES (1021,'manager','Field17', 'Manager', NULL, NULL,  1, 1, 'manager', NULL, 17, 0, 1, 1, 2, NULL, 1, 0, 0)

 

SET IDENTITY_INSERT whiteops.wpc_field_dictionary OFF;

 

 

 

Examples for adding field from the SQL table:

1) Check the connection string and the query to the external table\DB.

Create a data source and and verify that you can get to the required table:

Click test and verify that you can get to the required results.

 

2) Go to System-> Application Monitors - > configuration -> Activity Monitoring -> Data Enrichment Connector (DEC) -> Create new DEC

In the DEC configuration, insert the connection string and in the query:

Select [required_fields] From [table] WHERE [name_field]='{username}'

in this example, we chose to select all the fields from the 'employee' table

and the name of the user how did the activity will be equals to the attribute in the 'name' column in the 'employee' table.

employee table:

3) add the fields to the SecurityIQ dictionary:

SET IDENTITY_INSERT whiteops.wpc_field_dictionary ON;

 

INSERT INTO whiteops.wpc_field_dictionary ([id],[property_name],[field_name] ,[display_name],[xaxis_reg_expression],[xaxis_format],[property_type_id] ,[data_dictionary_id],[description],[table_columns] ,[alerts_forensics_order],[add_blank_line],[display],[display_if_empty], [wh_question_id],[field_group_id],[is_profilable],[privacy_masked],[is_main_field])

VALUES (8000,'emp_badge','Field1, 'Badge Number', NULL, NULL,  1, 14, 'This is the badge #', NULL, 1, 0, 1, 1, 2, NULL, 1, 0, 0)

 

SET IDENTITY_INSERT whiteops.wpc_field_dictionary OFF;

 

Result: