Version: Next

Enhancing Data Insights (Enrichment)

While raw network flow and SNMP data provide a foundational understanding of your network traffic and device behavior, adding context to this data significantly increases its analytical value. Enrichment is the process of correlating your core network telemetry with information from external or internal data sources. In practice each enrichment is a lookup: fields in a flow record (typically the source and destination addresses, ports, and interface indexes) are matched against a reference data set, and the result is written back into the record as additional fields. This added context transforms basic data points into rich insights, enabling more effective security analysis, performance monitoring, and troubleshooting.

This section of the NetFlow Optimizer Administration Guide details the various methods and configurations available within NFO to enrich your network data.

Why Data Enrichment Matters

Enriched data provides a more complete picture of network events by answering crucial questions like:

  • Who is generating the traffic (user identification)?
  • What application is being used?
  • Where is the traffic originating from and destined to (geographical location)?
  • What kind of device is involved?
  • Is this communication associated with known threats?

By adding these layers of context, you can:

  • Improve Threat Detection: Identify malicious activity more accurately by correlating network behavior with user context, geographical origins of suspicious traffic, and known threat indicators.
  • Enhance Performance Monitoring: Understand application-specific network performance and correlate network issues with specific users or virtual machines.
  • Streamline Troubleshooting: Quickly pinpoint the source of network problems by having more contextual information readily available.
  • Gain Deeper Visibility: Obtain a holistic understanding of network communication patterns and resource utilization.

Available Enrichment Methods in NetFlow Optimizer

NetFlow Optimizer offers several powerful mechanisms for enriching your network data:

  • User Identity Enrichment: Linking network traffic to specific users through integrations with directory and identity services (e.g., Active Directory, LDAP, Microsoft Entra ID, Okta). To learn more, visit Configuring User Identity Enrichment.
  • Applications Enrichment: Identifying the specific applications generating network traffic, enabling application-aware monitoring and analysis.
  • VM Names Enrichment: Correlating network traffic with the names of virtual machines, providing visibility into virtualized environments. To learn more, visit Configuring VMware vCenter Enrichment.
  • Hostname / DNS Name Enrichment: Resolving IP addresses to hostnames or DNS names for easier identification of communicating devices.
  • Public IP Addresses in Clouds Enrichment: Identifying and tagging traffic associated with public IP addresses belonging to cloud providers (AWS, Azure, GCP, etc.).
  • Region Enrichment: Adding the geographical region information associated with IP addresses, particularly relevant in cloud environments.
  • Cloud Service Enrichment: Identifying the specific cloud service (e.g., EC2, Azure Compute, Google Compute Engine) associated with network traffic.
  • VPC Names Enrichment: Correlating traffic with the names of Virtual Private Clouds (VPCs) in cloud environments.
  • Direction Enrichment: Identifying the direction of network flow (e.g., inbound, outbound, internal).
  • Threat Intelligence / Reputation Enrichment: Flagging network communication involving known malicious actors, infrastructure, or suspicious entities based on threat feeds and reputation lists. The flag is only as current as the feed behind it, so the feeds must be refreshed regularly.
  • Geo Location (Country, City) Enrichment: Adding detailed geographical context, including country and city, to IP addresses. To learn more, visit Configuring Geo IP Integration with MaxMind.
  • Device Name Enrichment (via SNMP): Enhancing flow data, which identifies the exporting device only by its IP address, with the names of network devices (routers, switches, firewalls, etc.) obtained through SNMP polling.
  • Interface Name Enrichment (via SNMP): Flow records identify interfaces only by their numeric SNMP index (ifIndex). This enrichment adds the descriptive interface names (e.g., GigabitEthernet1/1, VLAN10) by querying the devices using SNMP.
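
As an added illustration (not NetFlow Optimizer's code, schema, or configuration), the following Python script shows what several of the enrichments above amount to in practice: direction classification against internal ranges, cloud provider/region/service tagging via prefix lists, hostname lookup from a cached table, and threat-indicator matching, each written back into the flow record as extra fields. All prefixes, indicator values, hostnames and flow records are constructed from RFC 5737 documentation ranges for this example and are not real provider, threat-feed, or customer data; the field names are likewise assumptions.

```python
"""Illustrative flow-record enrichment (added example, not NetFlow Optimizer code).

Every enrichment here is a lookup: the source and destination addresses of a
flow record are matched against reference data (internal ranges, cloud
provider ranges, a threat-indicator list, a hostname table) and the results
are written back into the record as extra fields. All reference data and
flow records are constructed for this example from RFC 5737 documentation
ranges; none of it is real provider, threat-feed or customer data.
"""
from ipaddress import ip_address, ip_network

# Constructed reference data. A real deployment loads these from the sources
# it integrates with (directory, cloud IP-range feeds, threat feeds, DNS) and
# must refresh them: cloud ranges and threat indicators change constantly.
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

CLOUD_PREFIXES = [  # (prefix, provider, region, service); made-up values
    (ip_network("203.0.113.0/24"), "aws", "us-east-1", "EC2"),
    (ip_network("198.51.100.0/25"), "azure", "eastus", "Azure Compute"),
]

THREAT_INDICATORS = {"198.51.100.77": "c2-server"}  # ip -> reputation tag; made up

HOSTNAMES = {"10.0.0.5": "fileserver01.corp.example"}  # cached PTR results; made up


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_PREFIXES)


def direction(src, dst) -> str:
    """Direction enrichment: classify a flow relative to the internal ranges.

    'external' (neither endpoint is ours) is an extra class worth keeping:
    such flows show up with transit traffic, misconfigured exporters or
    spoofed sources.
    """
    src_int, dst_int = is_internal(src), is_internal(dst)
    if src_int and dst_int:
        return "internal"
    if src_int:
        return "outbound"
    if dst_int:
        return "inbound"
    return "external"


def cloud_lookup(ip):
    """Return the most specific matching (prefix, provider, region, service), or None."""
    best = None
    for entry in CLOUD_PREFIXES:
        if ip in entry[0] and (best is None or entry[0].prefixlen > best[0].prefixlen):
            best = entry
    return best


def enrich(flow: dict) -> dict:
    """Return a copy of the flow record with enrichment fields added."""
    src, dst = ip_address(flow["src_ip"]), ip_address(flow["dst_ip"])
    out = dict(flow)
    out["direction"] = direction(src, dst)
    for side, ip in (("src", src), ("dst", dst)):
        hit = cloud_lookup(ip)
        if hit is not None:
            _, provider, region, service = hit
            out[f"{side}_cloud_provider"] = provider
            out[f"{side}_cloud_region"] = region
            out[f"{side}_cloud_service"] = service
        name = HOSTNAMES.get(str(ip))
        if name:
            out[f"{side}_hostname"] = name
        reputation = THREAT_INDICATORS.get(str(ip))
        if reputation:
            out[f"{side}_reputation"] = reputation
    # One boolean for detection rules: did either endpoint match an indicator?
    out["flagged"] = any(k.endswith("_reputation") for k in out)
    return out


def enrich_all(flows):
    return [enrich(f) for f in flows]


# Constructed flow records in a generic collector-style shape (not NFO's schema).
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.10", "dst_port": 443, "bytes": 5120},
    {"src_ip": "10.1.2.3", "dst_ip": "198.51.100.77", "dst_port": 8443, "bytes": 900},
    {"src_ip": "192.168.5.9", "dst_ip": "10.0.0.5", "dst_port": 445, "bytes": 70000},
    {"src_ip": "198.51.100.200", "dst_ip": "192.168.5.9", "dst_port": 22, "bytes": 300},
]

if __name__ == "__main__":
    for record in enrich_all(SAMPLE_FLOWS):
        print(record)
```

Running the script prints the four records with their added fields; the second flow is the one a detection rule would act on (outbound, to a cloud-hosted address that is also on the indicator list). Note that the hostname table stands in for a resolver cache: enriching each flow with a live reverse-DNS query would be slow and would let whoever controls the PTR zone for an address choose the text that lands in your records.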

By transforming raw network data into a rich and insightful stream, NetFlow Optimizer enables your existing security and monitoring platforms to deliver enhanced threat detection, performance analysis, and operational awareness.