Non-Mapping Enrichment Item Object

Defines the schema for an alert tag.

API Endpoints: /resources/v2.1/enrichments-config/tags/{TAG_NAME}/enrichments
Supported Methods: POST, GET, PATCH, DELETE

Enrichment Item Parameters (Composition & Extraction)

For composition and extraction enrichment items, a unique object is created for each item.

Enrichment item order is based on the order it appears in the UI or API call. New rules will be added to the top of the existing enrichment order for that tag.

The enrichment item object schema includes the following attributes:

| Attribute | Description | Type |
|---|---|---|
| id | System-generated unique identifier for the automatic enrichment item. | String |
| type | Automatic Enrichment rule type. One of: composition, extraction | String |
| active | Whether the rule should be applied to incoming alerts. | Boolean |
| when | A BPQL object query to filter incoming alerts. Only matched alerts will receive a value based on the enrichment item. | Object |
| version | Internal version number of the current enrichment item. This number is incremented automatically each time the item is updated. | Integer |
| config | Rules for building or extracting tag values from event data. Configuration attributes are unique to the enrichment type. See the Config Attributes tables for more information. | Object |
| created_by | The unique ID associated with the user who created the enrichment item. | String |
| updated_by | The unique ID associated with the user who last updated the enrichment item. | String |
| note | A description of the enrichment item purpose or functionality. | String |

Config Object Attributes

Composition Config Attributes

| Attribute | Description | Type |
|---|---|---|
| source | Filter incoming alerts by event source. Only alerts from the listed source system will receive a value based on the enrichment item. If left empty, source will default to all sources. | String |
| destination | Which tag the enrichment item will apply to. | String |
| value | Template for building a value based on existing tags and string values. | String |

Extraction Config Attributes

| Attribute | Description | Type |
|---|---|---|
| source | Filter incoming alerts by event source. Only alerts from the listed source system will receive a value based on the enrichment item. If left empty, source will default to all sources. | String |
| destination | Which tag the enrichment item will apply to. | String |
| regex | The pattern for extracting tag value from alert data. | String |
| template | The structure of the value - system field. This value should not be modified. | String |

Mapping Enrichment Items

Mapping enrichments are managed through their map object. See the Mapping Enrichment Schema Object for details on defining mapping enrichments.

Example Objects

{
    "type": "extraction",
    "active": true,
    "when": {
        "IN": [
            "source_system",
            [
                {
                    "type": "regex",
                    "value": "*"
                }
            ]
        ]
    },
    "config": {
        "source": "host",
        "destination": "tag_name",
        "regex": "(.*)",
        "template": null
    },
    "note": null
}

{
    "type": "composition",
    "active": true,
    "when": {
        "IN": [
            "source_system",
            [
                {
                    "type": "regex",
                    "value": "*"
                }
            ]
        ]
    },
    "config": {
        "destination": "tag_name",
        "value": "val-${host6666}"
    },
    "note": "wiki.com"
}

{
    "id": "d8215c7d-04ad-41fd-8293-5aca3002b111",
    "type": "composition",
    "active": true,
    "when": true,
    "version": 1,
    "config": {
        "destination": "dest",
        "value": "TEST - *"
    },
    "created_by": "58d77efa5eafe459163f4111",
    "updated_by": "58d77efa5eafe459163f4111",
    "note": null
}
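
A client-side check of a new composition or extraction item against the attribute tables above, as an added example that is not part of the original documentation or the API's own code. It assumes that id, version, created_by and updated_by are set by the server, that only destination plus value or regex are required in config, and that Python's re can stand in for the service's regex engine; validate_item and SAMPLE are hypothetical names.

```python
import re

ITEM_TYPES = {"composition", "extraction"}
SYSTEM_FIELDS = {"id", "version", "created_by", "updated_by"}  # assumed server-set
CONFIG_FIELDS = {  # attribute names from the config tables on this page
    "composition": {"source", "destination", "value"},
    "extraction": {"source", "destination", "regex", "template"},
}
REQUIRED = {  # assumption: source is optional, template is left to the system
    "composition": {"destination", "value"},
    "extraction": {"destination", "regex"},
}

def validate_item(item):
    """Return a list of problems found in a new enrichment item payload."""
    errors = []
    kind = item.get("type")
    if kind not in ITEM_TYPES:
        return [f"type must be one of {sorted(ITEM_TYPES)}, got {kind!r}"]
    if not isinstance(item.get("active"), bool):
        errors.append("active must be a boolean")
    if not isinstance(item.get("when"), (dict, bool)):
        errors.append("when must be a BPQL object (or true, as in the stored example)")
    for field in sorted(SYSTEM_FIELDS & item.keys()):
        errors.append(f"{field} is system-managed and should not be sent")
    if not isinstance(item.get("note"), (str, type(None))):
        errors.append("note must be a string or null")
    config = item.get("config")
    if not isinstance(config, dict):
        return errors + ["config must be an object"]
    for key in sorted(config.keys() - CONFIG_FIELDS[kind]):
        errors.append(f"config.{key} is not a {kind} attribute")
    for key in sorted(REQUIRED[kind]):
        if not isinstance(config.get(key), str) or not config[key]:
            errors.append(f"config.{key} must be a non-empty string")
    if kind == "extraction":
        if config.get("template") is not None:
            errors.append("config.template is a system field; leave it unset")
        try:
            # Python's re stands in for the service's regex engine (assumption).
            if isinstance(config.get("regex"), str):
                re.compile(config["regex"])
        except re.error as exc:
            errors.append(f"config.regex does not compile: {exc}")
    return errors

# Constructed sample: an extraction item with three mistakes added on purpose.
SAMPLE = {"type": "extraction", "active": True, "when": True, "version": 3,
          "config": {"destination": "tag_name", "regex": "(.*", "value": "x"}}
```

Calling validate_item(SAMPLE) reports the server-set version field, the composition-only value key, and the unbalanced regex before the payload is sent.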