Enrichment
Convert raw data streams into actionable intelligence
Relying exclusively on a single piece of data, without its associated context, easily leads to misunderstandings: failing to respond at all, not responding quickly or thoroughly enough, or taking inappropriate or unnecessary action.
You are using Onum as part of your network detection system and you wish to enrich your data in real time using Configuration Management Database (CMDB) data to add more context.
Your Pipeline is ingesting real-time traffic from various VLANs in NetFlow, providing connection data such as source and destination addresses and ports.
We add a Group By action to aggregate the data by Source and Destination IPs and ports every 5 minutes.
In order to glean a global vision of all the connections, we can enrich this incoming traffic with data from a Configuration Management Database (CMDB) using the Lookup action.
We can enrich our Pipeline with information regarding the operating systems, computer types and instance types used to access the network.
We now have an enriched structure of the systems, serials, hardware and IPs across our network.
We use the Message Builder to construct the message with all our combined network data and then send it on to the destination sink to complete the flow.
You are using Onum as part of your fraud detection system, analyzing vast amounts of transactional data in real time to detect and prevent fraudulent activities. You wish to enrich your data in real time to enhance fraud detection by adding contextual data, historical patterns, and external threat intelligence.
Your Pipeline is ingesting real-time threat detection data via an Apache Kafka Listener.
Add a Parser action to the Pipeline to separate out user information, such as transaction IDs, IPs, and locations.
Now that we have parsed the user information from Kafka, we can enrich our Pipeline with blacklisted IPs to detect external threats. In addition, we can obtain the exact geolocation of each IP using the HTTP Request action, and then compare it against the geolocations held in a Redis database.
The Lookup action will pull enrichments uploaded to Onum containing IP addresses potentially exposed to threats.
This creates a new field, enriching the data with the exposure database.
Having broadened the scope of IPs beyond those seen in Kafka, we can go on to glean the exact geolocation of each IP.
Take the field containing the Public IPs from the Parser and use the HTTP Request action to send them to the MaxMind GeoIP database. With the geolocation data, we can check for anomalous IP addresses.
Now that we have the log geolocations, we take the username field from the Parser and use the Redis action to send a GET request to check whether that user already exists in the database. This detects whether it is the first time this user has logged in from the IP.
We use the Redis action to inject our Pipeline with fraud history, user profiles and risk scores.
Enrich incoming transaction or login events with historical fraud scores, geolocation, device fingerprinting, and user behavioral patterns.
Identify suspicious activity in real time (e.g., multiple failed login attempts from a new location).
Send an email via the mail sink to alert of the suspicious behavior.
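As an added, self-contained illustration (not Onum's own code), the fraud-detection enrichment chain described above in plain Python: the exposure database, the MaxMind GeoIP answers and the Redis user store are replaced by constructed in-memory dictionaries, the Kafka records are constructed sample lines, and the failed-login threshold is an assumed value.

```python
from dataclasses import dataclass, field

# Constructed exposure database (stands in for the Lookup enrichment); documentation ranges only.
BLACKLISTED_IPS = {"203.0.113.7"}
# Constructed stand-in for the MaxMind GeoIP responses returned by the HTTP Request action.
GEOIP = {"203.0.113.7": "NL", "192.0.2.10": "ES", "192.0.2.11": "US"}
FAILED_LOGIN_THRESHOLD = 3  # assumed value for "multiple failed login attempts"


@dataclass
class UserStore:
    """Stand-in for the Redis store: user -> IPs already seen, plus failure counts."""
    known_ips: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)  # (user, ip) -> failed attempts


def parse_event(line):
    """Parser step: constructed 'tx_id|user|ip|status' record from the Kafka topic."""
    tx_id, user, ip, status = line.strip().split("|")
    return {"tx_id": tx_id, "user": user, "ip": ip, "status": status}


def enrich(event, store):
    """Apply the Lookup, GeoIP and Redis enrichments and derive an alert flag."""
    e = dict(event)
    e["blacklisted"] = e["ip"] in BLACKLISTED_IPS            # Lookup action
    e["country"] = GEOIP.get(e["ip"], "unknown")              # HTTP Request to GeoIP
    seen = store.known_ips.get(e["user"])                     # Redis GET on the username
    e["new_location"] = seen is None or e["ip"] not in seen   # first login from this IP?
    key = (e["user"], e["ip"])
    if e["status"] == "fail":
        store.failures[key] = store.failures.get(key, 0) + 1
    e["failed_attempts"] = store.failures.get(key, 0)
    e["suspicious"] = e["blacklisted"] or (
        e["new_location"] and e["failed_attempts"] >= FAILED_LOGIN_THRESHOLD)
    if e["status"] == "ok":  # a successful login makes the IP a known location
        store.known_ips.setdefault(e["user"], set()).add(e["ip"])
    return e


def alerts(lines, store=None):
    """Message Builder / mail sink stand-in: return only the events that should alert."""
    store = UserStore() if store is None else store
    return [e for e in (enrich(parse_event(l), store) for l in lines) if e["suspicious"]]


SAMPLE = [  # constructed Kafka records
    "t1|alice|192.0.2.10|ok", "t2|alice|192.0.2.10|fail",
    "t3|bob|192.0.2.11|fail", "t4|bob|192.0.2.11|fail", "t5|bob|192.0.2.11|fail",
    "t6|carol|203.0.113.7|ok",
]

if __name__ == "__main__":
    for a in alerts(SAMPLE):  # prints t5 (bob, US) and t6 (carol, NL)
        print(a["tx_id"], a["user"], a["country"], a["blacklisted"], a["failed_attempts"])
```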