Setting Up Enrichment Configurations

You can use the enrichment topology to enhance messages with external data and manage threat intelligence data.

The enrichment topology is a topology dedicated to performing the following:

  • Taking the data from the parsing topologies, normalized into the Metron data format (for example, a JSON Map structure with `original_message` and `timestamp`).

  • Enriching messages with external data from data stores (for example, HBase) by adding new fields based on existing fields in the messages.

  • Marking messages as threats based on data in external data stores.

  • Marking threat alerts with a numeric triage level based on a set of Stellar rules.

The configuration for the `enrichment` topology, the topology primarily responsible for enrichment and threat intelligence enrichment, is defined by JSON documents stored in ZooKeeper.

There are two types of configurations: global and sensor-specific.
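As an added illustration (not taken from this page), here is a sensor-specific enrichment configuration document in the layout Metron's enrichment topology reads from ZooKeeper: the `enrichment` block drives the enrichment bullets above, the `threatIntel` block drives threat marking, and `triageConfig` holds the Stellar triage rules. The sensor field names, the `asset_owner` and `malicious_ip` enrichment types, and the rule names, comments and scores are assumed values constructed for the example.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": ["ip_src_addr", "ip_dst_addr"],
      "hbaseEnrichment": ["ip_src_addr"]
    },
    "fieldToTypeMap": {
      "ip_src_addr": ["asset_owner"]
    }
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
    },
    "fieldToTypeMap": {
      "ip_src_addr": ["malicious_ip"],
      "ip_dst_addr": ["malicious_ip"]
    },
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "known_bad_destination",
          "comment": "Example rule: destination matched the constructed malicious_ip threat intel type",
          "rule": "exists(threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip)",
          "score": 100
        },
        {
          "name": "destination_outside_home_country",
          "comment": "Example rule: geo enrichment placed the destination outside the assumed home country",
          "rule": "exists(enrichments.geo.ip_dst_addr.country) && enrichments.geo.ip_dst_addr.country != 'US'",
          "score": 20
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

With `MAX` as the aggregator, a message that matches both rules is triaged at 100, so a confirmed threat intel hit is never diluted by a lower-scoring geo rule.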