Enrichments Overview
Enrichments are the component of the Monad security data pipeline that enhances raw security data with contextual information from internal and external sources. They turn basic security events into actionable intelligence by correlating them with reference data, threat intelligence, geolocation information, and organizational context.
How Enrichments Work
Enrichments operate as middleware components in your data pipeline, processing records as they flow through and augmenting them with additional information. The enrichment process follows a consistent pattern:
- Data Extraction: The enrichment extracts specific values from incoming records using configurable join keys
- Lookup/Processing: The extracted values are used to query external services, databases, or reference data
- Data Addition: The enrichment results are added to the original record at a specified destination path
- Error Handling: Failed lookups are handled gracefully based on configuration settings
Common Configuration Patterns
All enrichments share similar configuration concepts:
Join Key Configuration
- Join Key: Specifies where to extract data from incoming records (e.g., "source.ip", "user.email")
- Destination Path: Defines where enriched data will be added to the record (e.g., "enrichment.geo", "context.user_details")
Error Handling
- Graceful Degradation: Records continue processing even when enrichment fails
- Configurable Behavior: Choose whether missing data should generate errors or warnings
- Structured Error Responses: Failed enrichments return consistent error structures with codes and messages
Performance Optimization
- Caching: Enrichments cache lookup results to avoid repeating the same query for every record. Depending on the enrichment type, the caching behaviour may be configurable.
Types of Enrichments
Internal Data Enrichments
These enrichments correlate events with your organization's internal data, typically data that only your organization has access to, such as user information and asset details.
External Intelligence Enrichments
These enrichments add context from external threat intelligence and geolocation services:
- Geolocation: Enhances IP addresses with geographic information including country, region, city, coordinates, ISP, and ASN data
- Threat Intelligence: Correlates indicators with known threat data
- Reputation Services: Adds reputation scores for domains, IPs, and file hashes
Data Format and Structure
Enrichment Response Structure
Enrichments add data to records using a consistent structure across all implementations: the enrichment result object is set as the value at the configured destination key, and the record's original fields are left untouched.
{
  "original_field": "original_value",
  "enrichment_destination": {
    "join_key": "join_key_used",
    "message": "descriptive_message",
    "code": "status_code",
    "data": {
      // Actual enrichment data
    }
  }
}
Status Codes
Common status codes across enrichments:
- "success": Enrichment completed successfully
- "no_match": No data found for the lookup key
- "error": Something went wrong during the lookup
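The four steps under How Enrichments Work (extract, look up, add, handle errors), the join-key and destination-path configuration, and the result structure and status codes above, carried through in one runnable example. This is an added illustration, not Monad's own code: the Enrichment class, the on_missing setting, the dotted-path helpers, and the sample asset and geolocation tables are assumptions made for the example.

```python
"""Generic enrichment step as described above: extract the join key, look it up
through a cache, attach a {join_key, code, message, data} result at the destination
path and degrade gracefully. Added illustration, not Monad's code; names are assumed."""
import copy
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

Record = Dict[str, Any]

class EnrichmentError(Exception):
    """Raised only when an enrichment is configured with on_missing="error"."""

def get_path(record: Record, path: str) -> Any:
    """Resolve a dotted join key such as "source.ip"; None if any segment is absent."""
    cur: Any = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def set_path(record: Record, path: str, value: Any) -> None:
    """Write value at a dotted destination path, creating intermediate objects."""
    parts = path.split(".")
    cur = record
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value

@dataclass
class Enrichment:
    name: str
    join_key: str
    destination: str
    lookup: Callable[[Any], Optional[Dict[str, Any]]]   # returns None for "no match"
    on_missing: str = "warn"    # assumed knob: "warn" attaches the result and continues, "error" raises
    cache: Dict[Any, Optional[Dict[str, Any]]] = field(default_factory=dict)
    lookups_performed: int = 0  # counter so the cache effect is observable

    def _result(self, code: str, message: str, data: Any = None) -> Record:
        return {"join_key": self.join_key, "code": code, "message": message, "data": data}

    def apply(self, record: Record) -> Tuple[Record, Optional[str]]:
        """Enrich one record in place; return it plus a warning string on non-success."""
        key = get_path(record, self.join_key)
        if key is None:
            result = self._result("error", f"join key {self.join_key!r} not present in record")
        else:
            try:
                if key not in self.cache:       # misses are cached too (negative caching)
                    self.lookups_performed += 1
                    self.cache[key] = self.lookup(key)
                data = self.cache[key]
            except Exception as exc:            # backend failure, e.g. unreachable service
                result = self._result("error", f"lookup failed: {exc}")
            else:
                result = (self._result("no_match", f"no data for {key!r}") if data is None
                          else self._result("success", "enrichment completed", data))
        set_path(record, self.destination, result)   # result object lands at the destination key
        if result["code"] == "success":
            return record, None
        warning = f"{self.name}: {result['code']}: {result['message']}"
        if self.on_missing == "error":
            raise EnrichmentError(warning)
        return record, warning

def run_pipeline(records: List[Record], enrichments: List[Enrichment]) -> Tuple[List[Record], List[str]]:
    """Apply every enrichment to every record; in "warn" mode records always flow on."""
    out, warnings = [], []
    for rec in records:
        for enr in enrichments:
            rec, warn = enr.apply(rec)
            if warn:
                warnings.append(warn)
        out.append(rec)
    return out, warnings

# Constructed reference data and events (not real hosts, addresses or ASNs).
ASSETS = {"web-01": {"owner": "platform-team", "criticality": "high"},
          "lab-07": {"owner": "research", "criticality": "low"}}
GEO = {"203.0.113.10": {"country": "NL", "city": "Amsterdam", "asn": 64500},
       "198.51.100.7": {"country": "BR", "city": "Sao Paulo", "asn": 64501}}
EVENTS = [  # a hit, a cached hit, an unknown host plus a private IP, a missing join key
    {"event": "ssh_login", "host": {"name": "web-01"}, "source": {"ip": "203.0.113.10"}},
    {"event": "ssh_login", "host": {"name": "web-01"}, "source": {"ip": "198.51.100.7"}},
    {"event": "ssh_login", "host": {"name": "unknown-99"}, "source": {"ip": "10.0.0.5"}},
    {"event": "ssh_login", "source": {"ip": "203.0.113.10"}},
]

def geo_lookup(ip: str) -> Optional[Dict[str, Any]]:
    if ip.startswith(("10.", "192.168.")):   # simulate a backend that rejects private ranges
        raise ValueError("private address has no geolocation")
    return GEO.get(ip)

def enrich_sample_events() -> Tuple[List[Record], List[str], List[Enrichment]]:
    enrichments = [Enrichment("asset", "host.name", "context.asset", ASSETS.get),
                   Enrichment("geo", "source.ip", "enrichment.geo", geo_lookup)]
    out, warnings = run_pipeline(copy.deepcopy(EVENTS), enrichments)
    return out, warnings, enrichments
```

Two design points worth noting. Every record leaves the step with a result object at the destination path even when the lookup failed, so a downstream routing stage can key on `code` rather than on the absence of a field. Misses are cached alongside hits; that keeps a flood of events from an unknown host from hammering the backend, but it also means a host added to the inventory after the first miss stays "no_match" until the cache entry expires or is cleared, so a production cache needs a TTL.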
Best Practices
Configuration
- Use descriptive destination paths that clearly indicate the enrichment source
- Configure appropriate error handling for your use case
Integration with Pipeline Components
Enrichments work seamlessly with other Monad components:
- Inputs: Receive raw security data that needs contextual enhancement, or supply the reference data from which an enrichment is built
- Transforms: Can prepare data for enrichment or process enriched results
- Outputs: Send enriched data to security tools and analytics platforms
- Routing: Can route data based on enrichment results