Individual Sensor Enrichments
HCP includes the following individual sensor enrichments:
- Geo: provides GeoIP information (coordinates, city, state, and country) for any external IP address.
- Asset: provides the host name for an IP address. If the IP address is known, the enrichment also provides everything else that is known about the asset from the LDAP, AD, or enterprise inventory stores.
- User: provides the user that owns the session/alert associated with the IP-application pair.
The JSON documents for the individual enrichment configurations are structured as follows:
Table 5.1. Individual Enrichment Configuration Fields

Field | Description | Example |
---|---|---|
fieldToTypeMap | In the case of a simple HBase enrichment (in other words, a key/value lookup), the mapping between fields and the enrichment types associated with those fields must be known, because the enrichment type is used as part of the HBase key. | "fieldToTypeMap" : { "ip_src_addr" : [ "asset_enrichment" ] } |
fieldMap | The map of enrichment bolt names to configuration handlers that know how to split the message up. The simplest handler is just a list of fields; a more complex example is the STELLAR enrichment, which takes STELLAR statements. Each field is sent to the enrichment referenced in the key. | "fieldMap": {"hbaseEnrichment": ["ip_src_addr","ip_dst_addr"]} |
config | The general configuration for the enrichment. | "config": {"typeToColumnFamily": { "asset_enrichment" : "cf" } } |
The config map is intended to house enrichment-specific configuration. For example, hbaseEnrichment uses it to specify the mapping from enrichment types to HBase column families.

The fieldMap contents hold the routing and configuration information for the enrichments. Routing defines how each message is split up and sent to the enrichment adapter bolts. The simplest fieldMap contents are a plain list of fields per bolt, as in:

```json
"fieldMap": {
  "geo": [ "ip_src_addr", "ip_dst_addr" ],
  "host": [ "ip_src_addr", "ip_dst_addr" ],
  "hbaseEnrichment": [ "ip_src_addr", "ip_dst_addr" ]
}
```

Based on this sample config, both ip_src_addr and ip_dst_addr are sent to the geo, host, and hbaseEnrichment adapter bolts.
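To make the three fields of Table 5.1 and the routing rule above concrete, here is an added Python example (not HCP or Metron code) that loads a complete configuration in the shape the table describes, checks it for the kinds of gaps that silently break enrichment (a missing top-level key, a fieldMap entry that is not a list, an enrichment type with no column family), splits a sample message per fieldMap, and derives the (enrichment type, indicator, column family) lookups the hbaseEnrichment bolt would need. The configuration, the message (RFC 1918 and RFC 5737 addresses), and the function names are all constructed for this illustration; the actual Metron adapters are Java and do more than this.

```python
import json

# Constructed sample: a complete individual enrichment configuration in the
# shape Table 5.1 describes (fieldToTypeMap, fieldMap, config). Not taken from
# any deployed HCP cluster.
SAMPLE_CONFIG = json.loads("""
{
  "fieldToTypeMap": { "ip_src_addr": [ "asset_enrichment" ] },
  "fieldMap": {
    "geo": [ "ip_src_addr", "ip_dst_addr" ],
    "host": [ "ip_src_addr", "ip_dst_addr" ],
    "hbaseEnrichment": [ "ip_src_addr", "ip_dst_addr" ]
  },
  "config": { "typeToColumnFamily": { "asset_enrichment": "cf" } }
}
""")

# Constructed sample message (RFC 1918 and RFC 5737 documentation addresses).
SAMPLE_MESSAGE = {
    "ip_src_addr": "10.0.0.5",
    "ip_dst_addr": "203.0.113.7",
    "protocol": "tcp",
}

REQUIRED_KEYS = ("fieldToTypeMap", "fieldMap", "config")


def validate_config(cfg):
    """Return a list of problems with an enrichment config (empty = well-formed)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"missing top-level key {key!r}")
    for bolt, fields in cfg.get("fieldMap", {}).items():
        if not isinstance(fields, list) or not all(isinstance(f, str) for f in fields):
            problems.append(f"fieldMap[{bolt!r}] must be a list of field names")
    # Every enrichment type that forms part of an HBase key needs a column
    # family, otherwise the hbaseEnrichment bolt has nowhere to read from.
    families = cfg.get("config", {}).get("typeToColumnFamily", {})
    for field, type_list in cfg.get("fieldToTypeMap", {}).items():
        for enrichment_type in type_list:
            if enrichment_type not in families:
                problems.append(
                    f"type {enrichment_type!r} (field {field!r}) has no column family"
                )
    return problems


def route_message(cfg, message):
    """Split a message the way fieldMap says: bolt name -> {field: value}.

    Only fields actually present in the message are forwarded; a message
    without ip_dst_addr simply sends nothing for that field.
    """
    return {
        bolt: {f: message[f] for f in fields if f in message}
        for bolt, fields in cfg["fieldMap"].items()
    }


def hbase_keys(cfg, message):
    """Build the (enrichment_type, indicator, column_family) lookups for the
    hbaseEnrichment bolt. A field with no entry in fieldToTypeMap has no
    enrichment type, so no key can be formed for it and it is skipped.
    """
    families = cfg["config"]["typeToColumnFamily"]
    keys = []
    for field in route_message(cfg, message).get("hbaseEnrichment", {}):
        for enrichment_type in cfg["fieldToTypeMap"].get(field, []):
            keys.append((enrichment_type, message[field], families[enrichment_type]))
    return keys


if __name__ == "__main__":
    print("problems:", validate_config(SAMPLE_CONFIG))
    print(json.dumps(route_message(SAMPLE_CONFIG, SAMPLE_MESSAGE), indent=2))
    print("hbase lookups:", hbase_keys(SAMPLE_CONFIG, SAMPLE_MESSAGE))
```

Run as a script, it reports no problems, shows both IP fields routed to each of the three bolts, and yields a single HBase lookup for ip_src_addr under type asset_enrichment in column family cf; ip_dst_addr reaches the hbaseEnrichment bolt but produces no lookup because the sample fieldToTypeMap gives it no type. Running a check like this against a configuration before pushing it to the cluster is the cheapest way to catch a column-family mapping that was never added.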