Alert Enrichment: Mapping

Keep’s Alert Mapping enrichment feature provides a powerful mechanism for dynamically enhancing alert data by leveraging external data sources, such as CSV files. This feature allows for the matching of incoming alerts to specific records in a CSV file based on predefined attributes (matchers) and enriching those alerts with additional information from the matched records.

Introduction

In complex monitoring environments, the need to enrich alert data with additional context is critical for effective alert analysis and response. Keep’s Alert Mapping and Enrichment enables users to define rules that match alerts to rows in a CSV file, appending or modifying alert attributes with the values from matching rows. This process adds significant value to each alert, providing deeper insights and enabling more precise and informed decision-making.

How It Works

  1. Rule Definition: Users define mapping rules that specify which alert attributes (matchers) should be used for matching alerts to rows in a CSV file.
  2. CSV File Specification: A CSV file is associated with each mapping rule. This file contains additional data that should be added to alerts matching the rule.
  3. Alert Matching: When an alert is received, the system checks if it matches the conditions of any mapping rule based on the specified matchers.
  4. Data Enrichment: If a match is found, the alert is enriched with additional data from the corresponding row in the CSV file.

Practical Example

Imagine you have a CSV file with columns representing different aspects of your infrastructure, such as region, responsible_team, and severity_override. By creating a mapping rule that matches alerts based on service and region, you can automatically enrich alerts with the responsible team and adjust severity based on the matched row in the CSV file.

Core Concepts

  • Matchers: Attributes within the alert used to identify matching rows within the CSV file. Common matchers include identifiers like service or region.
  • CSV File: A structured file containing rows of data. Each column represents a potential attribute that can be added to an alert.
  • Enrichment: The process of adding new attributes or modifying existing ones in an alert based on the data from a matching CSV row.

Creating a Mapping Rule

To create an alert mapping and enrichment rule:

  1. Define the Matchers: Specify which alert attributes will be used to match rows in the CSV file.
  2. Upload the CSV File: Provide the CSV file containing the data for enrichment.
  3. Configure the Rule: Set additional parameters, such as whether the rule should override existing alert attributes.

Best Practices

  • Keep CSV Files Updated: Regularly update the CSV files to reflect the current state of your infrastructure and operational data.
  • Use Specific Matchers: Define matchers that are unique and relevant to ensure accurate matching.
  • Monitor Rule Performance: Review the application of mapping rules to ensure they are working as expected and adjust them as necessary.
ExtractionExamples