Enrichment Framework
Enrichments add additional context to the streaming message. The enrichment framework takes the data from the parsing topologies that have been normalized into the HCP data format (JSON files) and performs the following enhancements:
Enriches messages with external data from data stores by adding new information based on existing fields in the messages
Marks messages as threats based on data in external data stores
Marks threat alerts with a numeric triage level based on a set of Stellar rules
The configuration for the enrichment topology is defined by JSON documents stored in ZooKeeper. HCP features two types of configurations:
The following figure illustrates the enrichment flow for both individual sensor enrichment and threat intelligence enrichment.
