...
Enrichment | Description | Enrichment Store | Enrichment Source | Metron Message Field Name(s) | Loader Type | Refresh Rate | Metron Enrichment Architecture |
---|---|---|---|---|---|---|---|
GeoIP | Attaches GeoIP data (lat-lon coordinates plus city/state/country) to any external IP address. This can be applied both to alerts and to metadata telemetries so they can be mapped to a geographic location. | MySQL | Maxmind Geolite | src_ip, dst_ip | Bulk from HDFS | Once every 3 months | Geo Enrichment |
Asset | Given an IP, determine the host name of the asset. Then, given the hostname, return everything else known about that asset from LDAP, AD, or enterprise inventory stores. | HBase | LDAP, AD, DNS logs, enterprise inventory stores | src_ip, dst_ip | Not yet provided. Roadmap item | Once every hour | Asset Enrichment |
User | Given a session or an alert for a certain IP-application pair, determine which user this session/alert belongs to. | HBase | LDAP, AD, proxy logs | src_ip + application | Not yet provided. Roadmap item | Once every 5 minutes | User Enrichment |
More to come.... | | | | | | | |
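As an added illustration of the three enrichments in the table (example code, not Metron's own), the Python below applies them to a single message using constructed in-memory dictionaries in place of the MySQL and HBase stores. The input field names `src_ip`, `dst_ip` and `application` come from the table; the output field names, the sample stores and the rule that only external IPs receive geo tags are assumptions.

```python
import ipaddress

# Constructed sample stores standing in for the MySQL (GeoIP) and HBase
# (asset, user) enrichment stores in the table; values are made up.
GEO_STORE = {
    "1.2.3.4": {"lat": 37.77, "lon": -122.42, "city": "San Francisco",
                "state": "CA", "country": "US"},
}
DNS_STORE = {"10.0.0.5": "db01.corp.example"}                 # IP -> hostname (DNS logs)
ASSET_STORE = {"db01.corp.example": {"owner": "dba-team", "os": "linux"}}  # LDAP/AD/inventory
USER_STORE = {("10.0.0.5", "ssh"): "alice"}                   # (src_ip, application) -> user


def geo_enrich(message, store=GEO_STORE):
    """Tag src_ip/dst_ip with geo data; only external (non-private) IPs are looked up."""
    for field in ("src_ip", "dst_ip"):
        ip = message.get(field)
        if ip is None or ipaddress.ip_address(ip).is_private:
            continue
        for key, value in store.get(ip, {}).items():
            message[f"{field}_geo_{key}"] = value
    return message


def asset_enrich(message, dns=DNS_STORE, assets=ASSET_STORE):
    """Two-step lookup: IP -> hostname, then hostname -> inventory attributes."""
    for field in ("src_ip", "dst_ip"):
        host = dns.get(message.get(field))
        if host is None:
            continue
        message[f"{field}_hostname"] = host
        for key, value in assets.get(host, {}).items():
            message[f"{field}_asset_{key}"] = value
    return message


def user_enrich(message, users=USER_STORE):
    """Composite key: the (src_ip, application) pair identifies the user."""
    user = users.get((message.get("src_ip"), message.get("application")))
    if user is not None:
        message["user"] = user
    return message


def enrich(message):
    """Run all three enrichments on a copy of the message and return it."""
    return user_enrich(asset_enrich(geo_enrich(dict(message))))
```

Internal addresses get asset and user tags while the external destination gets geo tags, mirroring the source columns in the table.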