Version: Next

Enhancing Data Insights (Enrichment)

While raw network flow and SNMP data provide a foundational understanding of your network traffic and device behavior, adding context to this data significantly increases its analytical value. Enrichment is the process of correlating your core network telemetry with information from external or internal data sources. This added context transforms basic data points into rich insights, enabling more effective security analysis, performance monitoring, and troubleshooting.

This section of the NetFlow Optimizer Administration Guide details the various methods and configurations available within NFO to enrich your network data.

Why Data Enrichment Matters

Enriched data provides a more complete picture of network events by answering crucial questions like:

  • Who is generating the traffic (user identification)?
  • What application is being used?
  • Where is the traffic originating from and destined to (geographical location)?
  • What kind of device is involved?
  • Is this communication associated with known threats?

By adding these layers of context, you can:

  • Improve Threat Detection: Identify malicious activity more accurately by correlating network behavior with user context, geographical origins of suspicious traffic, and known threat indicators.
  • Enhance Performance Monitoring: Understand application-specific network performance and correlate network issues with specific users or virtual machines.
  • Streamline Troubleshooting: Quickly pinpoint the source of network problems by having more contextual information readily available.
  • Gain Deeper Visibility: Obtain a holistic understanding of network communication patterns and resource utilization.

Available Enrichment Methods in NetFlow Optimizer

NetFlow Optimizer offers several powerful mechanisms for enriching your network data.

User Identity Enrichment

Linking network traffic to specific users through integrations with directory services (e.g., Active Directory, LDAP, Microsoft Entra ID, Okta). This capability is essential for expediting incident investigations and enhancing security measures by allowing organizations to swiftly identify suspicious activities and unauthorized access. The enrichment is provided by the EDFN agent's User identity monitor, which builds lookup lists correlating IPv4/IPv6 addresses with the Identity Provider (IDP) and the username. NFO supports integration with Active Directory Domain Controller, Microsoft Entra ID, Okta, and any identity management system reporting login/logout events via syslog.

To learn more, visit Configuring User Identity Enrichment.

Applications Enrichment

Identifying the specific applications generating network traffic, enabling application-aware monitoring and analysis. This enrichment goes beyond port numbers (e.g., port 80/443) by utilizing Deep Packet Inspection (DPI) and heuristics to accurately classify traffic as specific applications (e.g., Microsoft Teams, Netflix, Dropbox, SSH). This classification is critical for performing granular quality-of-service (QoS) analysis, enforcing security policies based on application identity, and gaining true visibility into application usage across the network.

VMware vCenter Enrichment

Correlating network traffic with the names of virtual machines and associated vCenter objects, providing deep visibility into virtualized environments. This enrichment is achieved by configuring the EDFN agent with the vCenter Host/IP and read-only credentials to periodically retrieve the list of Virtual Machines and their attributes on a configurable Cron Schedule. By integrating with vCenter, NFO adds valuable context to network flows, simplifying subsequent analysis in NFO and integrated systems.

To learn more, visit Configuring VMware vCenter Enrichment.

Hostname / DNS Name Enrichment

Resolving IP addresses to hostnames or DNS names for easier identification of communicating devices. This essential enrichment automatically queries DNS services or uses internal lookup tables to replace raw numerical IP addresses with human-readable names. This transformation dramatically simplifies security investigations, performance monitoring, and reporting, allowing analysts to quickly identify endpoints (e.g., web-server-prod-01, user-laptop-smith) without manual IP lookup. This process is based on reverse DNS lookups for comprehensive coverage.

Cloud Flow Logs Enrichment (AWS, Azure, Google, Oracle)

Normalizing, enriching, and standardizing proprietary cloud-native flow logs into a unified format. NFO's cloud flow log enrichment agents process data ingested from AWS VPC Flow Logs, Azure NSG and VNet Flow Logs, Google Cloud VPC Flow Logs, and Oracle Cloud Infrastructure (OCI) Flow Logs. The core enrichment process converts these various native formats into the standardized syslog or JSON format, while simultaneously adding crucial contextual metadata. This metadata includes Instance Names, VPC Names, Subnet IDs, Region information, and Cloud Service Enrichment (identifying the specific service, e.g., EC2, Azure Compute, Google Compute Engine) that is often missing from basic flow records. This guarantees consistent reporting and analysis across hybrid and multi-cloud environments.
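As an added illustration (not NFO's own code), the following parses AWS VPC Flow Log records in their default 14-field format into a unified JSON-friendly dict and attaches instance, VPC, subnet, region and service metadata from a lookup table. The output field names and the ENI inventory are assumptions constructed for the example; NODATA/SKIPDATA records, whose address fields are "-", are skipped rather than parsed.

```python
import json
import ipaddress

# Default AWS VPC Flow Log (version 2) field order.
AWS_VPC_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]
# Constructed ENI inventory (made-up values); a deployment builds this from the cloud API.
ENI_INVENTORY = {
    "eni-0a1b2c3d4e5f60718": {
        "instance_name": "web-prod-01", "vpc_name": "vpc-prod",
        "subnet_id": "subnet-0123456789abcdef0", "region": "us-east-1",
        "service": "EC2",
    },
}
PROTOCOL_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

def normalize_aws_flow(line, inventory=ENI_INVENTORY):
    """Parse one AWS VPC Flow Log record into a unified dict (assumed field
    names) with instance, VPC, subnet, region and service metadata added."""
    parts = line.split()
    if len(parts) != len(AWS_VPC_FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    rec = dict(zip(AWS_VPC_FIELDS, parts))
    if rec["log-status"] != "OK":      # NODATA/SKIPDATA rows carry "-" fields
        return None
    meta = inventory.get(rec["interface-id"], {})
    return {
        "cloud": "aws",
        "src_ip": str(ipaddress.ip_address(rec["srcaddr"])),   # validates syntax
        "dst_ip": str(ipaddress.ip_address(rec["dstaddr"])),
        "src_port": int(rec["srcport"]), "dst_port": int(rec["dstport"]),
        "protocol": PROTOCOL_NAMES.get(rec["protocol"], rec["protocol"]),
        "packets": int(rec["packets"]), "bytes": int(rec["bytes"]),
        "start": int(rec["start"]), "end": int(rec["end"]),
        "action": rec["action"], "interface_id": rec["interface-id"],
        # Enrichment fields; None when the ENI is not in the inventory.
        "instance_name": meta.get("instance_name"), "vpc_name": meta.get("vpc_name"),
        "subnet_id": meta.get("subnet_id"), "region": meta.get("region"),
        "cloud_service": meta.get("service"),
    }

# Constructed sample records (private and RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.7 443 51234 6 12 4800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0deadbeef00000000 - - - - - - - 1700000000 1700000060 - NODATA",
]
```

Feeding each entry of SAMPLE_LINES to normalize_aws_flow and passing the non-None results through json.dumps yields the enriched records; the first line resolves to instance web-prod-01 and the second is dropped.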

Threat Intelligence / Reputation Enrichment

Flagging network communication involving known malicious actors, infrastructure, or suspicious entities based on threat feeds and reputation lists. This crucial enrichment proactively enhances threat detection by comparing source and destination IP addresses against a continuously updated Custom Threat List database. The database is populated from various sources, including manually added feeds, files, or integrated services like AlienVault OTX (supporting DNS lookups for domain indicators) and the TAXII 2.1 protocol. When a match is found, NFO tags the flow with the specific threat_list_name and associated reputation score, enabling security teams to swiftly identify and mitigate risks.

To learn more, visit Configuring Custom Threat List.

Geo Location (Country, City) Enrichment

Adding detailed geographical context, including country and city, to IP addresses. This enrichment utilizes MaxMind's GeoLite2 or GeoIP2 databases to translate IP addresses into precise geographical coordinates, including City and Country details. The MaxMind database is periodically updated on a configurable Cron Schedule using a license key and URL, ensuring that the geographical context of your network traffic, especially for external or VPN connections, is highly accurate for security analysis and compliance reporting.

To learn more, visit Configuring Geo IP Integration with MaxMind.

Device Name Enrichment (via SNMP)

Enhancing flow data by adding the names of network devices (routers, switches, firewalls, etc.) obtained through SNMP polling. This process uses SNMP to query your network devices for their sysName or other configured identifiers. NFO then creates a lookup table correlating the device's IP address with its descriptive hostname or configured device name. This context transforms raw flow data (which only contains the device IP) into an actionable record, making it easy to see which specific physical device generated the flow data.

Interface Name Enrichment (via SNMP)

Adding descriptive names to network interfaces (e.g., GigabitEthernet1/1, VLAN10) by querying devices using SNMP. This crucial enrichment supplements raw flow records by replacing numeric interface indices (e.g., ifIndex 5 or ifIndex 128) with human-readable descriptions (e.g., GigabitEthernet1/1, ISP_WAN_Uplink, or VLAN10). NFO achieves this by periodically polling the device's interface table via SNMP. This feature is vital for accurate performance monitoring and troubleshooting, as it allows engineers to quickly identify the physical or logical interface associated with a network flow event without manually cross-referencing OIDs.

Direction Enrichment

Identifying the direction of network flow (e.g., inbound, outbound, internal). This enrichment tags each flow record as either INBOUND, OUTBOUND, or INTERNAL by comparing the flow's source and destination IP addresses against a defined list of internal network subnets and ranges. This classification provides immediate, high-level context for security analysts and network operators, making it easy to focus on external threats (inbound/outbound) or troubleshoot connectivity issues within the corporate network (internal flows).
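The classification described above, as an added example that is not NFO's own code: each flow's source and destination are tested against a configured list of internal ranges and tagged INTERNAL, OUTBOUND or INBOUND. The internal ranges and sample flows are constructed for the example, and the fourth label EXTERNAL is an assumption added so that flows where neither endpoint is internal (transit traffic, or a gap in the configured ranges) are visible instead of silently mislabelled.

```python
import ipaddress

# Constructed internal ranges (RFC 1918 plus an IPv6 ULA prefix); a real
# deployment uses the organization's own address plan.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8",
)]

def is_internal(ip_text, networks=INTERNAL_NETWORKS):
    """True if the address falls inside any configured internal range
    (a mismatched address family simply does not match)."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in networks)

def classify_direction(src, dst, networks=INTERNAL_NETWORKS):
    """Return INTERNAL, OUTBOUND or INBOUND as the page defines them, or the
    assumed label EXTERNAL when neither endpoint is internal (transit traffic
    or an incomplete internal-range list), so such flows are not mislabelled."""
    src_in = is_internal(src, networks)
    dst_in = is_internal(dst, networks)
    if src_in and dst_in:
        return "INTERNAL"
    if src_in:
        return "OUTBOUND"
    if dst_in:
        return "INBOUND"
    return "EXTERNAL"

def enrich(flow, networks=INTERNAL_NETWORKS):
    """Return a copy of the flow record with a 'direction' field added."""
    out = dict(flow)
    out["direction"] = classify_direction(flow["src_ip"], flow["dst_ip"], networks)
    return out

# Constructed sample flows using documentation/private addresses.
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.9", "dst_port": 443},
    {"src_ip": "198.51.100.4", "dst_ip": "192.168.5.20", "dst_port": 22},
    {"src_ip": "10.1.2.3", "dst_ip": "172.20.0.8", "dst_port": 445},
    {"src_ip": "203.0.113.9", "dst_ip": "198.51.100.4", "dst_port": 80},
    {"src_ip": "fd00::10", "dst_ip": "2001:db8::1", "dst_port": 53},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(enrich(flow))
```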

By transforming raw network data into a rich and insightful stream, NetFlow Optimizer empowers your existing security and monitoring platforms to deliver enhanced threat detection, performance analysis, and operational awareness.