Skip to main content
Version: 2.12.0

Data Enrichment: Transforming Flows into Context

Data Enrichment is the process of transforming "naked" network telemetry into actionable business intelligence. While raw flow records (NetFlow, IPFIX) provide essential data like IP addresses and ports, they lack the identity, location, and reputation context required for rapid security response and advanced AI/ML analysis.

NFO bridges this gap by correlating raw flows in real-time with external data sources, appending human-readable metadata to every record before it reaches your SIEM or analytics platform.

The Enrichment Engine

Contextual data is managed and updated by the External Data Feeder for NFO (EDFN). While the EDFN Admin page covers security, proxy, and certificate management for external communications, this section focuses on the specific intelligence feeds applied to your traffic:

  1. Ingestion: Raw flow packets arrive at the NFO engine.
  2. Real-Time Correlation: NFO performs sub-millisecond lookups against in-memory tables provided by EDFN.
  3. Contextual Tagging: New metadata fields (e.g., username, dest_country, reputation) are appended to the flow.
  4. Optimized Output: The enriched data is sent to your SIEM, providing the "who, what, where, and why" behind every connection.

Enrichment Types

📄️ User Identity

Map IP addresses to real users via Active Directory, Microsoft Entra ID, Okta, or syslog-based identity sources. Move from "who owns this IP?" to "what did this user access?" in seconds.

📄️ Cyber Threat Intelligence

Cross-reference traffic against curated reputation lists in real time to detect botnets, malware distributors, and TOR exit nodes. EDFN automatically updates threat feeds as the landscape evolves.

📄️ VMware vCenter

Map dynamic IPs to persistent VM names and tags in VMware environments. Maintains visibility as VMs migrate across hosts via vMotion.

📄️ GeoIP & ASN

Append Country, City, Latitude/Longitude, and Autonomous System Numbers to every flow using MaxMind or IP2Location. Visualize global traffic patterns and detect anomalous regional connections.

📄️ Cisco ACI BD Subnets

Enrich flows with Cisco ACI Bridge Domain and subnet context for visibility into ACI fabric traffic.

📄️ Reverse DNS Lookup

Resolve IP addresses to hostnames using your existing DNS infrastructure. Replaces abstract IPs with recognizable internal names (e.g., hr-portal-prod.local) for faster troubleshooting.