Event enrichment using custom log source

Hi,

I’m not sure exactly how to explain this correctly, but I’m looking for guidance on whether it’s possible to use data from custom event sources to enrich the default IDR tracking and monitoring of users and endpoints.

In a nutshell, we use a product called Absolute, which tracks endpoint activity and user behavior on our mobile PC fleet (notebooks), and it’s great at generating alerts like when a device has changed countries, etc.

We are ingesting this log data into IDR, however I was hoping there is a way to specify some of the fields and how they map to others already in use in IDR. For example, the Absolute logs include the hostname and user account within the logs, and surely there must be a way to indicate these as the same type of field in IDR, and thereby enrich the automatic monitoring and alerting?

I can obviously build custom detection rules/alerts in IDR, but I’m more interested in whether there is a way to enrich the IDR XDR functionality with custom alerts by specifying what kind of data the fields in a custom log are reporting (like a username, or a “common key”).

Any guidance or ideas would be appreciated.

Hey @nick_graves,

What you are thinking about is currently not possible within the product when using a custom log event source. The only way to have data integrated to our User Behavior Analytics engine is through a supported event source.

Building an integration for this product specifically would be a request for enhancement.

We do have future plans to build what you are suggesting, however it is not prioritized on our near or medium term roadmap.

Thanks David, appreciate the feedback.

Hi David,

In terms of submitting a “request for enhancement” on IDR, how do I go about this? Is it a case of submitting the request as a support call on the customer portal, or should I get the 3rd party to log a request in some way, like “Contributing an extension | Insight Platform Documentation”?

There are a few docs indicating the Feature Request function should be in the menu, but I can’t seem to find this anywhere in IDR.

Thanks,
Nick

A support ticket through the support portal within the product is recommended. This way your request is tied to the underlying RFE and any updates to that ticket will be visible to you.

David