Mapping Security Incidents to Observable Enrichment Results
03-02-2023 03:06 PM
I am trying to add some Security Incident Enrichment data to a Security Incident related list (coming from a third-party integration REST call). In doing so, I found a set of Enrichment tables extending "Enrichment Data Base." In particular, I have a script to update Observable Enrichment Result via EnrichmentDataUtil::createEnrichmentRecordsForRecord(). I have set up an enrichment mapping record referencing OER as the Destination Table and referenced that id as well as the response content and the Security Incident record ID and table when invoking the aforementioned function, and all seems to be set up OK. I see my data in the OER table as well as some raw data in the Enrichment Data table.
I am trying to use some existing Enrichment tables that are used in Security Incident Related list as a guide. In particular, the Firewall Logs. The relationship for Firewall Logs references Security Incident Related Enrichment Data (sn_si_m2m_incident_enrichment). This table seems to map the Security Incident back to the Enrichment Data table (sn_sec_cmn_enrichment). What has me confused is how the data in Observable Enrichment Result that I have updated in my script ultimately gets mapped to the security incident when the mapping in the relationship uses this other Enrichment Data table.
Can someone shed some light on how this works? The specific data in my Observable Enrichment Result table is what I really want linked back to the Security Incident.