Enriching Data

Enriching data in SecureSphere is the process of assigning customized attributes to events taking place in the network. This assists in adding information that matches the context of your company environment, and is then used to configure policies, audit data, and generate reports based on this added information. For example, you can add a user's department, then set controls which determine that users from the R&D department accessing sensitive data should be tracked.

You can enrich events by adding information from two different sources:

• External sources: Such as an LDAP server, external ticketing systems or even manually entered data. For an example of configuring an enrichment policy using an external source, see the example Enrich Audit Data with Department Information from LDAP located in Configuring Data Enrichment from a Lookup Data Set.
• Another event: This involves extracting information from or using an attribute of another event. Options include:
• DB event: Enables you to extract an SQL literal from a database data stream such as an application username. For an example of configuring enrichment for database traffic, see the example Configuring Data Enrichment to Track Access to Sensitive Data from Event SQL in Configuring Data Enrichment from Event SQL.

  Note: DB enrichment is used to enrich queries that always remain the same. For example, queries generated by applications such as SAP, Oracle EBS, PeopleSoft, or built-in applications. Dynamic queries, such as those that use a real username that constantly changes and not an application user (and regularly change the syntax of the query), or where parameters dynamically change order are not suitable for enrichment.

A number of steps are involved in configuring SecureSphere to work with Data Enrichment. The below table lists the main tasks that can be conducted to configure Enrichment.

Configuring Enrichment Policy Task Overview