Setting Up Enrichment Configurations
You can use the enrichment topology to enhance messages with external data and manage threat intelligence data.
The enrichment topology is a topology dedicated to performing the following:
- Taking the data from the parsing topologies, normalized into the Metron data format (for example, a JSON Map structure with `original_message` and `timestamp`).
- Enriching messages with external data from data stores (for example, `hbase`) by adding new fields based on existing fields in the messages.
- Marking messages as threats based on data in external data stores.
- Marking threat alerts with a numeric triage level based on a set of Stellar rules.
The configuration for the `enrichment` topology, the topology primarily responsible for enrichment and threat intelligence enrichment, is defined by JSON documents stored in ZooKeeper.
There are two types of configurations: global and sensor-specific.
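As an added illustration (not taken from this page), here is what a sensor-specific enrichment document stored in ZooKeeper could look like when it exercises all four functions listed above: an `hbase` field enrichment, a threat-intelligence lookup, and Stellar triage rules. The sensor name `bro`, the field names, the `user` and `malicious_ip` type names, the subnet, and the scores are constructed for this example; the key names follow the Apache Metron sensor enrichment configuration schema, and the `threatintels.*` field referenced in the rule is the assumed name of the flag the threat-intel lookup sets on a hit.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": ["ip_src_addr", "ip_dst_addr"],
      "host": ["host"],
      "hbaseEnrichment": ["ip_src_addr"]
    },
    "fieldToTypeMap": {
      "ip_src_addr": ["user"]
    }
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
    },
    "fieldToTypeMap": {
      "ip_src_addr": ["malicious_ip"],
      "ip_dst_addr": ["malicious_ip"]
    },
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "known bad destination",
          "comment": "Threat-intel store flagged the destination address",
          "rule": "exists(threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip)",
          "score": 10
        },
        {
          "name": "external destination",
          "comment": "Traffic leaving the constructed internal range scores lower",
          "rule": "not(IN_SUBNET(ip_dst_addr, '10.0.0.0/8'))",
          "score": 3
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

With `MAX` as the aggregator, a message matching both rules is triaged at 10, not 13; the global configuration is a separate ZooKeeper document and holds settings shared by all sensors rather than per-sensor rules like these.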