Setting Up Enrichment Configurations
You can use the enrichment topology to enhance messages with external data and manage threat intelligence data.
The enrichment topology is a topology dedicated to performing the following:
Taking the data from the parsing topologies normalized into the Metron data format (for example, a JSON Map structure with
Enriching messages with external data from data stores (for example, HBase) by adding new fields based on existing fields in the messages.
Marking messages as threats based on data in external data stores.
Marking threat alerts with a numeric triage level based on a set of Stellar rules.
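The stages listed above, modeled as an added Python example that is not Metron code. Dicts stand in for the HBase stores, Python predicates stand in for Stellar rules, and every field name, address, score and the "highest score wins" aggregation is an assumption constructed for the illustration.

```python
# Added illustration of the enrichment flow; not Metron's implementation.
# Dicts stand in for HBase tables, lambdas for Stellar rules (all constructed).
ASSET_DB = {"10.0.2.15": {"owner": "finance", "os": "windows"}}  # enrichment store
THREAT_DB = {"203.0.113.7": "malicious_ip"}                      # threat intel store
IP_FIELDS = ("ip_src_addr", "ip_dst_addr")

# (name, predicate over the message, score): hypothetical triage rules
TRIAGE_RULES = [
    ("known_bad_dst", lambda m: m.get("threat.ip_dst_addr") == "malicious_ip", 50),
    ("finance_asset", lambda m: m.get("enrich.ip_src_addr.owner") == "finance", 30),
]

def enrich(msg):
    """Add new fields derived from existing ones; parsed fields are not overwritten."""
    out = dict(msg)
    for field in IP_FIELDS:
        for key, value in ASSET_DB.get(msg.get(field), {}).items():
            out[f"enrich.{field}.{key}"] = value
    return out

def mark_threats(msg):
    """Flag the message as an alert when a field value is in the threat store."""
    out = dict(msg)
    for field in IP_FIELDS:
        hit = THREAT_DB.get(msg.get(field))
        if hit:
            out[f"threat.{field}"] = hit
            out["is_alert"] = True
    return out

def triage(msg):
    """Score alerts only; assumed aggregation is the highest matching rule score."""
    out = dict(msg)
    if out.get("is_alert"):
        scores = [score for _, rule, score in TRIAGE_RULES if rule(out)]
        out["triage_level"] = max(scores, default=0)
    return out

def process(msg):
    return triage(mark_threats(enrich(msg)))

# Constructed sample messages in a normalized, flat key/value form
SAMPLE = {"ip_src_addr": "10.0.2.15", "ip_dst_addr": "203.0.113.7", "protocol": "tcp"}
BENIGN = {"ip_src_addr": "10.0.2.15", "ip_dst_addr": "198.51.100.9", "protocol": "tcp"}

if __name__ == "__main__":
    print(process(SAMPLE))   # enriched, flagged as an alert, triaged
    print(process(BENIGN))   # enriched only: no alert, so no triage level
```

The second message matches a triage rule but receives no level, because triage applies only to messages already marked as threats.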
The configuration for the `enrichment` topology, the topology primarily responsible for enrichment and threat intelligence enrichment, is defined by JSON documents stored in ZooKeeper.
There are two types of configurations: global and sensor-specific.