Setting Up Enrichment Configurations

The enrichment topology is a topology dedicated to performing the following:

  • Taking the data from the parsing topologies, already normalized into the Metron data format (for example, a JSON map structure with original_message and timestamp fields).

  • Enriching messages with external data from data stores (for example, HBase) by adding new fields derived from fields already present in the messages.

  • Marking messages as threats based on data in external data stores.

  • Marking threat alerts with a numeric triage level based on a set of Stellar rules.

The configuration for the enrichment topology, which is responsible for both data enrichment and threat intelligence enrichment, is defined by JSON documents stored in ZooKeeper.

There are two types of configurations, global and sensor specific.
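The following is an added illustration, not a configuration taken from the original page or shipped with the project: a sensor-specific enrichment configuration of the kind stored in ZooKeeper, showing the three concerns described above in one document (an enrichment section that adds fields, a threatIntel section that marks messages from an HBase threat feed, and a triageConfig that scores the resulting alerts with Stellar rules). The enrichment types (geo, host), the threat intel type malicious_ip, the rule, the score and the aggregator are assumptions chosen for the example.

```json
{
  "enrichment": {
    "fieldMap": {
      "geo": ["ip_src_addr", "ip_dst_addr"],
      "host": ["host"]
    },
    "fieldToTypeMap": {},
    "config": {}
  },
  "threatIntel": {
    "fieldMap": {
      "hbaseThreatIntel": ["ip_src_addr", "ip_dst_addr"]
    },
    "fieldToTypeMap": {
      "ip_src_addr": ["malicious_ip"],
      "ip_dst_addr": ["malicious_ip"]
    },
    "config": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "Known malicious source IP",
          "comment": "Assumed rule for illustration: fires when the HBase threat intel lookup tagged ip_src_addr",
          "rule": "exists(threatintels.hbaseThreatIntel.ip_src_addr.malicious_ip)",
          "score": 10
        },
        {
          "name": "Known malicious destination IP",
          "comment": "Assumed rule for illustration: lower weight for outbound contact with a listed address",
          "rule": "exists(threatintels.hbaseThreatIntel.ip_dst_addr.malicious_ip)",
          "score": 5
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

Read top to bottom: fieldMap names which enrichment or threat intel adapter runs against which message fields, fieldToTypeMap names the HBase threat intel types to look up for each field, and the triage rules are Stellar expressions evaluated against the enriched message, with the aggregator (here MAX) collapsing the scores of all matching rules into the single numeric triage level assigned to the alert. Each sensor gets its own document of this shape, while settings shared by every sensor belong in the global configuration.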