Version: Next

Data Enrichment: Transforming Flows into Context

Data Enrichment is the process of turning raw network telemetry into records that carry the context an analyst or a model actually needs. Raw flow records (NetFlow, IPFIX) provide essential data such as IP addresses, ports, protocol, and byte counts, but they lack the identity, location, and reputation context required for rapid security response and for advanced AI/ML analysis.

NFO bridges this gap by correlating raw flows in real-time with external data sources, appending human-readable metadata to every record before it reaches your SIEM or analytics platform.


The Enrichment Engine

Contextual data is supplied and kept current by the External Data Feeder for NFO (EDFN). The EDFN Admin page covers security, proxy, and certificate settings for its outbound connections; this section describes the enrichment pipeline itself and the intelligence sources it applies to your traffic:

  1. Ingestion: Raw flow packets arrive at the NFO engine.
  2. Real-Time Correlation: NFO performs sub-millisecond lookups against in-memory tables provided by EDFN.
  3. Contextual Tagging: New metadata fields (e.g., src_user, dst_country, threat_type) are appended to the flow.
  4. Optimized Output: The enriched data is sent to your SIEM, providing the "who, what, where, and why" behind every connection.
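The four steps above, carried out end to end by a toy enrichment pipeline in Python. This is an added example and not NFO's or EDFN's code: the identity bindings, threat feed, GeoIP prefixes, VM inventory and flow records are all constructed, and every field name beyond src_user, dst_country and threat_type (src_vm, dst_asn, threat_match) is this example's own choice. It shows two things the list does not spell out: a GeoIP lookup must pick the longest matching prefix, and an IP-to-user binding only holds for a window, so the identity lookup is keyed on the flow's own timestamp rather than on the current mapping.

```python
"""Toy flow-enrichment pipeline: ingest -> in-memory lookup -> tag -> output.
Added illustration only, not NFO's or EDFN's code; every table is constructed."""
import ipaddress
from datetime import datetime

# Identity bindings such as an AD/Okta/Entra integration would feed. A binding
# holds only for a window (DHCP lease, VPN session), so a flow is matched
# against the binding valid at the flow's own timestamp, never against "now".
IDENTITY_BINDINGS = [  # (ip, user, valid_from, valid_to), constructed
    ("10.1.20.15", "alice", "2024-05-01T08:00:00Z", "2024-05-01T18:00:00Z"),
    ("10.1.20.15", "bob",   "2024-05-01T18:30:00Z", "2024-05-02T02:00:00Z"),
]
THREAT_FEED = {"203.0.113.77": "botnet_c2", "198.51.100.9": "tor_exit"}
GEO_ROWS = [  # (prefix, country, asn), constructed; documentation ranges
    ("203.0.113.0/24", "NL", 64500),   # stand in for public address space
    ("203.0.113.64/26", "DE", 64501),  # the more specific prefix must win
    ("198.51.100.0/24", "US", 64502),
]
VM_INVENTORY = {"10.1.20.15": "hr-portal-prod"}  # vCenter-style IP -> VM name
# Internal space gets no geolocation. Checked explicitly rather than with
# ipaddress.is_global because that also excludes the documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_geo_table(rows):
    """Longest prefix first, so the first hit is the most specific one."""
    nets = [(ipaddress.ip_network(p), c, a) for p, c, a in rows]
    return sorted(nets, key=lambda r: r[0].prefixlen, reverse=True)


def lookup_geo(geo, addr):
    if any(addr in n for n in INTERNAL_NETS):
        return None
    for net, country, asn in geo:
        if addr in net:
            return country, asn
    return None


def lookup_user(bindings, ip, when):
    for b_ip, user, start, end in bindings:
        if b_ip == ip and parse_ts(start) <= when < parse_ts(end):
            return user
    return None


def enrich(flow, tables):
    """Return a copy of one flow with context fields appended (step 3)."""
    when = parse_ts(flow["ts"])
    out = dict(flow)
    for side in ("src", "dst"):
        ip = flow[f"{side}_ip"]
        user = lookup_user(tables["identity"], ip, when)
        if user:
            out[f"{side}_user"] = user
        if ip in tables["vm"]:
            out[f"{side}_vm"] = tables["vm"][ip]
        geo = lookup_geo(tables["geo"], ipaddress.ip_address(ip))
        if geo:
            out[f"{side}_country"], out[f"{side}_asn"] = geo
        if ip in tables["threat"]:  # one threat_type field, plus which side hit
            out["threat_type"] = tables["threat"][ip]
            out["threat_match"] = side
    return out


TABLES = {"identity": IDENTITY_BINDINGS, "threat": THREAT_FEED,
          "geo": build_geo_table(GEO_ROWS), "vm": VM_INVENTORY}

# Constructed raw flow records (step 1), already decoded from NetFlow/IPFIX.
SAMPLE_FLOWS = [
    {"ts": "2024-05-01T10:00:00Z", "src_ip": "10.1.20.15", "src_port": 51234,
     "dst_ip": "203.0.113.77", "dst_port": 443, "proto": 6, "bytes": 8421},
    {"ts": "2024-05-01T19:00:00Z", "src_ip": "10.1.20.15", "src_port": 40011,
     "dst_ip": "198.51.100.9", "dst_port": 9001, "proto": 6, "bytes": 1200},
    {"ts": "2024-05-01T18:15:00Z", "src_ip": "10.1.20.15", "src_port": 40012,
     "dst_ip": "203.0.113.10", "dst_port": 80, "proto": 6, "bytes": 300},
]


def enrich_all(flows=SAMPLE_FLOWS, tables=TABLES):
    return [enrich(f, tables) for f in flows]


if __name__ == "__main__":
    for rec in enrich_all():  # step 4: what would be shipped to the SIEM
        print(rec)
```

Two details are worth checking in the output. The same source address is attributed to alice at 10:00 and to bob at 19:00, and the third flow, which falls in the gap between the two bindings, gets no src_user at all rather than being attributed to whoever holds the address now. The private source address likewise gets no country or ASN; a field that is absent is easier to reason about downstream than one that is silently wrong.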

Types of Enrichment

NFO offers a wide range of contextual intelligence to ensure your data is ready for sophisticated analysis.

1. User Identity Mapping

Bridges the gap between a numerical IP address and a human being. By integrating with Active Directory (AD), Okta, or Microsoft Entra ID, NFO attributes network activity to specific users.

  • Value: Essential for forensic investigations—move from "Who owns this IP?" to "What did this specific user access?" in seconds.

2. Cyber Threat Intelligence

Identifies communication with known malicious infrastructure in real time. NFO cross-references your traffic against curated reputation lists to detect botnet command-and-control servers, malware distribution hosts, and Tor exit nodes.

  • Automation: EDFN automatically pulls the latest threat feeds to ensure your defenses evolve as quickly as the threat landscape.

3. Virtual & Cloud Infrastructure Context

In dynamic environments where IP addresses change frequently, NFO integrates with VMware vCenter and cloud providers to map dynamic IPs to persistent virtual machine names and tags.

  • Advantage: Maintains visibility as VMs migrate across hosts (vMotion), ensuring your security logs remain accurate regardless of infrastructure shifts.

4. GeoIP and Location Data

Maps IP addresses to geographic locations, allowing you to visualize traffic patterns on a global scale and detect anomalous connections from unexpected regions.

  • Insights: Appends Country, City, Latitude/Longitude, and Autonomous System Numbers (ASN) using providers like MaxMind or IP2Location.

5. Reverse DNS (FQDN)

Provides human-readable context for internal and external devices by resolving IP addresses into hostnames using your existing DNS infrastructure.

  • Built-in Service: Unlike the other enrichments, reverse DNS is a native NFO process that queries your local DNS infrastructure directly rather than going through EDFN.

  • Value: Replaces abstract IP addresses with recognizable internal names (e.g., hr-portal-prod.local), simplifying troubleshooting for IT Operations.

  • Insights: Resolves internal IP addresses to names under your own naming conventions, and public IP addresses to the PTR records published for them.
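An added example of how a reverse DNS enrichment step can be built so that it stays fast and does not become a log-injection channel; it is not NFO's built-in service and makes no claim about how that service is implemented. The two resolvers are stand-ins for socket.gethostbyaddr() and socket.gethostbyname_ex() so the example runs offline on constructed PTR and A records; the cache TTLs, the field names src_fqdn, dst_fqdn and *_fqdn_verified, and the forward-confirmation check are this example's own assumptions.

```python
"""Reverse DNS (PTR) enrichment with a TTL cache, negative caching, PTR
sanitisation and forward confirmation. Added illustration, not NFO's built-in
service; resolvers are injected so it runs offline on constructed records."""
import re

# Constructed zone data standing in for the local DNS infrastructure.
FAKE_PTR = {
    "10.1.20.15": "hr-portal-prod.local.",
    "203.0.113.77": "mail.example.net.",
    "198.51.100.9": "scanner.example.org.",           # PTR not backed by its A record
    "203.0.113.5": "ok.example.net\nsrc_user=admin",  # hostile PTR content
}
FAKE_A = {"hr-portal-prod.local": ["10.1.20.15"],
          "mail.example.net": ["203.0.113.77"],
          "scanner.example.org": ["192.0.2.44"]}


def fake_ptr_lookup(ip):
    """Stand-in for socket.gethostbyaddr(); raises OSError on NXDOMAIN as it does."""
    if ip not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[ip]


def fake_a_lookup(name):
    """Stand-in for socket.gethostbyname_ex(); [] when the name has no A record."""
    return FAKE_A.get(name, [])


# Strict hostname allow-list (RFC 1123 labels). Reverse zones are controlled by
# whoever owns the address block, so PTR data is untrusted input: a value with
# control characters or delimiters could forge fields once it reaches the SIEM.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")


class FakeClock:
    """Injectable clock so TTL expiry can be exercised without sleeping."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


class PtrCache:
    """Cache PTR answers per IP. Flows to the same address are very common,
    so per-flow enrichment only stays fast if most lookups are cache hits."""
    def __init__(self, ptr_lookup, a_lookup, clock, ttl=300, neg_ttl=60):
        self.ptr_lookup, self.a_lookup, self.clock = ptr_lookup, a_lookup, clock
        self.ttl, self.neg_ttl = ttl, neg_ttl
        self.cache = {}   # ip -> (fqdn or None, verified, expires_at)
        self.queries = 0  # number of PTR queries actually sent

    def resolve(self, ip):
        now = self.clock()
        hit = self.cache.get(ip)
        if hit and hit[2] > now:
            return hit[0], hit[1]
        self.queries += 1
        try:
            name = self.ptr_lookup(ip).rstrip(".")
        except OSError:
            self.cache[ip] = (None, False, now + self.neg_ttl)  # negative cache
            return None, False
        if not HOSTNAME_RE.fullmatch(name):
            name, verified = None, False  # drop hostile PTR data outright
        else:
            # Forward-confirmed rDNS: the name must resolve back to this IP.
            verified = ip in self.a_lookup(name)
        self.cache[ip] = (name, verified, now + self.ttl)
        return name, verified


def enrich_fqdn(flow, cache):
    out = dict(flow)
    for side in ("src", "dst"):
        name, verified = cache.resolve(flow[f"{side}_ip"])
        if name:
            out[f"{side}_fqdn"] = name
            out[f"{side}_fqdn_verified"] = verified
    return out


def demo():
    clock = FakeClock(1000.0)
    cache = PtrCache(fake_ptr_lookup, fake_a_lookup, clock)
    flows = [{"src_ip": "10.1.20.15", "dst_ip": d} for d in
             ("203.0.113.77", "198.51.100.9", "203.0.113.5",
              "192.0.2.200", "192.0.2.200")]
    out = [enrich_fqdn(f, cache) for f in flows]
    queries_after_batch = cache.queries  # 10 lookups, 5 distinct IPs
    clock.now += 61                      # negative entry expires, positives do not
    cache.resolve("192.0.2.200")
    cache.resolve("10.1.20.15")
    return out, queries_after_batch, cache.queries
```

The PTR for a public address is written by whoever controls the reverse zone, so a resolved name is a label, not proof of identity; the *_fqdn_verified flag records whether the name's forward lookup actually returns the address, which is the check to require before a hostname is used in a detection rule. The hostile record for 203.0.113.5 is rejected rather than sanitised, because a name that fails the allow-list is more likely to be an attack on the log pipeline than a typo. If your internal naming uses underscores, widen HOSTNAME_RE deliberately rather than dropping the check.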