Setting Up Enrichment Configurations

The `enrichment` topology is dedicated to taking data from the parsing topologies, which has already been normalized into the Metron data format (for example, a JSON Map structure with `original_message` and `timestamp`), and:

  • Enriching messages with external data from data stores (for example, HBase) by adding new fields based on existing fields in the messages.

  • Marking messages as threats based on data in external data stores.

  • Marking threat alerts with a numeric triage level based on a set of Stellar rules.
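The three stages above, as an added, constructed illustration that is not Metron code: an in-memory dict stands in for the HBase enrichment store and the threat-intel store, and plain Python predicates stand in for Stellar triage rules. The field names (`ip_src_addr`, `ip_dst_addr`, `enrichments.*`, `threatintel.*`, `threat.triage.*`) and the sample message are assumptions chosen to resemble Metron conventions, not values taken from this page.

```python
"""Constructed stand-in for the enrichment topology's three stages.

Not Metron code: the 'data stores' are dicts standing in for HBase, and the
triage rules are Python callables standing in for Stellar rules.
"""
import json

# Constructed enrichment store (stand-in for an HBase asset table), keyed by IP.
ASSET_STORE = {
    "10.0.0.5": {"hostname": "db-01", "owner": "dba-team"},
}
# Constructed threat-intel store; 203.0.113.9 is a TEST-NET-3 documentation address.
THREAT_INTEL = {"ip": {"203.0.113.9"}}

# Triage rules: (name, score, predicate). Stand-ins for Stellar rules; the
# triage score is the sum of the scores of all rules that match.
TRIAGE_RULES = [
    ("known_bad_ip", 50.0, lambda m: m.get("threatintel.ip") is True),
    ("db_server_involved", 20.0,
     lambda m: m.get("enrichments.asset.owner") == "dba-team"),
]


def enrich(message, asset_store=ASSET_STORE):
    """Stage 1: add new fields derived from existing fields via the data store."""
    out = dict(message)
    asset = asset_store.get(message.get("ip_dst_addr"))
    if asset:
        for key, value in asset.items():
            out[f"enrichments.asset.{key}"] = value
    return out


def mark_threats(message, threat_intel=THREAT_INTEL):
    """Stage 2: flag the message as an alert if any address hits threat intel."""
    out = dict(message)
    for field in ("ip_src_addr", "ip_dst_addr"):
        if message.get(field) in threat_intel["ip"]:
            out["threatintel.ip"] = True
            out["is_alert"] = True
    return out


def triage(message, rules=TRIAGE_RULES):
    """Stage 3: assign a numeric triage level to alerts from the rule set."""
    out = dict(message)
    if not out.get("is_alert"):
        return out  # only alerts are triaged
    matched = {name: score for name, score, pred in rules if pred(out)}
    out["threat.triage.rules"] = sorted(matched)
    out["threat.triage.score"] = sum(matched.values())
    return out


def process(message):
    """Run a normalized message through all three stages in order."""
    return triage(mark_threats(enrich(message)))


# Constructed normalized message, as a parser topology would emit it.
SAMPLE = {
    "original_message": "203.0.113.9 -> 10.0.0.5:5432 SYN",
    "timestamp": 1700000000000,
    "ip_src_addr": "203.0.113.9",
    "ip_dst_addr": "10.0.0.5",
}

if __name__ == "__main__":
    print(json.dumps(process(SAMPLE), indent=2))
```

Each stage copies the message rather than mutating it, so a stage can be re-run or swapped out without affecting the others; a message that hits no threat-intel entry passes through triage untouched and gets no score.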

The configuration for the `enrichment` topology, the topology primarily responsible for enrichment and threat intelligence enrichment, is defined by JSON documents stored in ZooKeeper.

There are two types of configuration: global and sensor-specific.