Enrichment Framework

Enrichments add context to the streaming message.

The enrichment framework takes the data from the parsing topologies that have been normalized into the CCP data format (JSON files) and performs the following enhancements:

Enriches messages with external data from data stores by adding new information based on existing fields in the messages
Marks messages as threats based on data in external data stores
Marks threat alerts with a numeric triage level based on a set of Stellar rules

The configuration for the enrichment topology is defined by JSON documents stored in ZooKeeper. CCP features two types of configurations:

Sensor
Global

The following figure illustrates the enrichment flow for both individual sensor enrichment and threat intelligence enrichment.