Data enrichment is the key ingredient required for effective threat detection, investigation, and response. Using enriched data makes dealing with security threats easier and more efficient.
You can use the data and log enrichment feature to add data from your existing data, scheme or external sources to parsed events.
For example, you can use the log and data enrichment to:
• Identify web services or vendors based on known IP addresses
• Network maps and geolocation (such as internal network classification for cross border analytics)
• Process parsed evet (schema) to modify and/or add additional fields
• Identity context (such as identity and access management (IAM) systems, directories, enterprise resource planning (ERP) systems, and Active Directory (AD))
• User context
• Asset context
The ability to overlay multiple data sets is essential to create the additional context in real time needed for correlation&detection algorithms to provide better insights.
Data enrichment involves combining, correcting or adding to data, and it requires special expertise to understand what data needs to be enriched and how. SureLog automates this process.
Enriching Events with Post-Processing Directives
Let’s imagine we have event source, Physical Access System (PAS), and events from this source have usernames like [email protected] and a firewall log source has a username format like jamessmith and an AD with username format anet-canada\jamessmith. If we need to correlate events from those log sources over the username, we have to transform them into the same format as jamessmith in order to use it in the correlation. SureLog post-processing directives are used for this transformation to an additional field like Extrafield1.