circle-info
Welcome to the new Logpoint documentation portal! Can’t find what you’re looking for?
Logpoint Documentationarrow-up-right
search

Enrichment

hashtag
Enrichment

Enrichment enhances raw logs by automatically adding meaningful context that makes events easier to understand, correlate, and investigate. Rather than relying solely on basic log data such as timestamps and error messages, enrichment supplements logs with diverse contextual information including asset details (hostname, IP address, operating system), user information (identity, roles, permissions), geolocation data (country, city, network location), threat intelligence (known malicious indicators, threat actor attribution), and risk context (severity scores, compliance implications, business impact). By layering this metadata onto raw logs, security teams gain the visibility required to assess the true significance of each event.

Supported Enrichment Types

  • Static: Applied at data ingestion, either during collection or storage. Static enrichment is indexed, which makes queries over large datasets run faster.

  • Dynamic: Applied during analysis, or when a query runs. Useful for lookups that are only possible long after logs are received (for example from threat intelligence). Dynamic enrichment uses less storage and collection load and is good for small datasets and short time ranges. Dynamic enrichment metadata is not stored.

hashtag
Enrichment Sources

Logpoint provides a set of enrichment sources that add contextual information to logs during ingestion and processing. These enrichment sources provide additional data, such as asset details, user and identity information, geolocation data, network context, and threat intelligence that is automatically associated with events via matching fields such as IP addresses, hostnames, or usernames.

Logpoint Enrichment Sources

chevron-rightViewing Enrichment Datahashtag

After adding an enrichment source, Logpoint creates a table with the assigned name. It stores the additional data used to enrich logs. To view the table:

  1. Go to Settings >> Configuration in the navigation bar and click Enrichment Sources.

  2. Click the Search icon under Actions of the source to view search results.

circle-info

You can view the total storage space used by all the enrichment sources next to DATA USED in the top-left corner. The total size for the enrichment sources is set to 4 GB.

chevron-rightEditing an Enrichment Sourcehashtag

  1. Go to Settings >> Configuration in the navigation bar and click Enrichment Sources.

  2. Select the required enrichment source and update the information.

  3. Click Save.

chevron-rightDeleting Enrichment Sourcehashtag

  1. Go to Settings >> Configuration from the navigation bar and click Enrichment Sources.

  2. Click the Delete icon under Actions.

  3. To delete multiple enrichment sources, select the sources, click MORE and choose Delete Selected.

  4. To delete all enrichment sources, click MORE, then choose Delete All.

  5. Click Yes.

Some Enrichment Sources may still be listed even after you delete them. Click the Refresh icon to update the list.

hashtag
Enrichment Policies

An Enrichment Policy is made up of a set of enrichment specifications, a set of 5 or less enrichment rules. Enrichment rules define which normalized, event log key-value pairs in the message fields are matched against an enrichment source. When there is a match, the additional information from the Enrichment Source is added to the event.

When an Enrichment Policy is configured on a device, each log from the device is matched against all the enrichment rules in ascending order. You can create multiple enrichment policies, but only one can be applied to a single device.

chevron-rightAdding an Enrichment Policyhashtag

  1. Go to Settings >> Configuration in the navigation bar and click Enrichment Policies.

  2. Click ADD.

  3. Enter a Policy Name and Description.

  4. In Specification, enter Enrichment Criteria. Use:

    • Key Presents to enter the name of the key. The policy will use the key to check if this specified key is in the log.

    • Value Matches to enter the name of the key and the value, or a Regular Expression. The policy checks whether the specified key is present in the log and if its value matches the specified value.

    • Use the plus icon and the minus icon to add or remove a criterion.

  5. In the Enrichment Rule, select an Enrichment Source from the dropdown. Use the plus (+) and minus (-) icons to add or remove a criterion.

    1. Select a Source from the dropdown. It displays the enrichment source fields that can be matched to the log fields.

    2. Select a type of Operation. It specifies how two fields are compared and is set to Equals by default.

    3. Select a Category from the dropdown. It specifies whether the field’s value or type is being compared.

      1. If you select Simple, enter the Event Key suitable for the source.

      2. If you select Type Based, choose an Event Key Type from the dropdown. In this case, all fields of the selected type are eligible for consideration.

        In Logpoint, the value associated with a key is either string or number. The IP type is treated as a distinct case of the string type and is compared using a simple string comparison.

      3. Select Enable prefixing to prefix the results with the event key. In this case, Logpoint presents the results in alphabetical order of the event key.

  6. Click Submit.

In a Distributed Logpoints setup, you cannot view or use the enrichment policies of remote Logpoints from the Search Head.

circle-exclamation

You cannot use an enriched field as a criterion for the type-based enrichment category. For example, if source_address is an enriched field, then you cannot use that field as an enrichment criteria value.

chevron-rightEditing an Enrichment Policyhashtag

  1. Go to Settings >> Configuration in the navigation bar and click Enrichment Policies. To view the details of each enrichment policy, click the Details icon under Actions.

  2. Select the required enrichment policy and update the information.

  3. Click Submit.

chevron-rightDeleting an Enrichment Policyhashtag

Before deleting an enrichment policy, make sure it is not in use.

  1. Go to Settings >> Configuration in the navigation bar and click Enrichment Policies.

  2. Click the Delete icon under Actions.

  3. To delete multiple enrichment policies, select the groups, click MORE, and choose Delete Selected.

  4. To delete all enrichment policies, click MORE, then choose Delete All.

  5. Click Yes.

Last updated

Was this helpful?