Enrichment Sources stores the information that can be used to enrich logs with additional information that is not initially collected during the log collection.
For example, you have logs with email bob@bob.com. Looking at the log, that email may not look different than any other email, but it could be a potential attackers email address. An enrichment source could be an internal or an external database of potential attacker’s email addresses. You can use one of these existing databases to add additional information that is not initially collected during the log collection. These additional, enriched fields can be used just like the other fields, which allows for the creation of dashboards, searches and alerts that use this information.
Before using an enrichment source, you need to install the relevant Integration. For example, to use ODBC Enrichment Source, you install ODBC Enrichment Source Integration.
Logpoint currently supports the following type of enrichment sources:
LDAP: Extracts user information from an LDAP server. For more information, go to LDAPEnrichmentSource Guide.
GeoIP: Extracts the geographical information of a public IP address. For more information, go to GEOIP Guide.
CSV: Extracts data present in a Comma Separated Values (CSV) file. Go to CSVEnrichmentSource Guide for more details.
IPtoHost: Extracts hostname from IP Address. Go to IPtoHost Enrichment Source Guide for more details.
ODBC: Extracts data from ODBC server. Logpoint supports the PostgreSQL, MSSQL, and MySQL databases. Go to ODBC Enrichment Source Guide for more details.
Threat Intelligence: Extracts information from various threat intelligence sources. Go to Threat Intelligence Guide for more details.
Enrichment Sources¶
To sort the columns in ascending or descending order, move your cursor to the column you want to sort. You will see a down arrow; click it and select Sort Ascending or Sort Descending.
Sorting Columns¶
To filter the columns you want in the UI, click the MORE dropdown, click Columns, and select the columns you want.
Filtering Columns in the UI¶
Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.
Select the required enrichment source and update the information.
Click Save.
Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.
Click the Delete (
) icon under Actions.
To delete multiple enrichment sources, select the sources, click MORE and choose Delete Selected.
To delete all the enrichment sources, click MORE and choose Delete All.
Deleting Enrichment Sources¶
Click Yes.
Some Enrichment Sources may still be listed even after you delete them. Click Refresh (
) to update the list.
After adding enrichment source, Logpoint creates a table with the name you assigned. It stores the additional data that can be used to enrich logs. To view the table:
Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.
Click the Search (
) icon under Actions of the source to view search results. It will take you to the Logpoint Search.
You can view total storage space used by all the enrichment sources next to DATA USED on the top-left corner. The total size for the enrichment sources is set to 4 GB.