Define your own enrichment

From khika
Revision as of 12:54, 5 June 2019 by Rajesh kulkarni

Introduction

Enrichment, as the word suggests, adds context to streaming data. At its simplest, you can enrich the data at run time by referring to an external CSV file. Some examples are given below:

  • A CSV file can contain information about the inventory (such as the name of the computer, its location, owner and service tag) with the computer name as the primary key. You can use this information to enrich Windows AD logs and add more context to the login information.
  • If you have a CSV database of IPs with a bad reputation, with the IP address as the primary key and country, city etc. as other columns, you can refer to this information from streaming firewall logs to enrich any communication with bad IPs.

There are many more ways to use static CSV-based enrichment. You can change these CSV files dynamically and KHIKA will consume the new contents immediately.

The more advanced and really useful capability of enrichment is its ability to build the CSV database from a streaming data source and then use it to enrich a different data source. Using this ability, you can literally correlate or stitch together the logs from different data sources at run time, provided they have a field in common. Some examples could be as under
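The two lookup styles described above (a static CSV keyed by computer name or IP address, and a table built at run time from one stream and applied to another stream that shares the key field), as an added Python example. This is not KHIKA's own code or configuration; the CSV contents, log events, field names (`computer`, `src_ip`, `dst_ip`, `hostname`) and output prefixes are all constructed for illustration.

```python
"""
Added example (not KHIKA's own code): CSV-keyed enrichment of streaming
log events, plus a lookup table built at run time from one stream and
applied to another. Every data set below is constructed for the example.
"""
import csv
import io
from typing import Dict, Iterable, Iterator, List

# Constructed inventory CSV, keyed by the "computer" column.
INVENTORY_CSV = """computer,location,owner,service_tag
WS-0042,Pune,alice,ST-1001
WS-0077,Mumbai,bob,ST-1002
"""

# Constructed bad-IP reputation CSV, keyed by the "ip" column
# (addresses come from the RFC 5737 documentation ranges).
BAD_IP_CSV = """ip,country,city
203.0.113.9,XX,Badtown
198.51.100.23,YY,Otherville
"""

# Constructed Windows logon events (event_id 4624 = successful logon).
AD_LOGONS = [
    {"event_id": "4624", "user": "alice", "computer": "WS-0042"},
    {"event_id": "4624", "user": "mallory", "computer": "WS-9999"},  # not in inventory
]

# Constructed firewall events; the destination of the first one is a listed bad IP.
FIREWALL = [
    {"action": "allow", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": "443"},
    {"action": "allow", "src_ip": "10.0.0.7", "dst_ip": "192.0.2.80", "dst_port": "443"},
]

# Constructed DHCP lease stream: the source that *builds* a lookup table.
# 10.0.0.7 is leased twice, so the later event must win.
DHCP_LEASES = [
    {"ip": "10.0.0.5", "hostname": "WS-0042", "mac": "00:11:22:33:44:55"},
    {"ip": "10.0.0.7", "hostname": "WS-0077", "mac": "66:77:88:99:aa:bb"},
    {"ip": "10.0.0.7", "hostname": "LAPTOP-12", "mac": "cc:dd:ee:ff:00:11"},
]

Row = Dict[str, str]


def load_lookup(csv_text: str, key: str) -> Dict[str, Row]:
    """Parse a CSV into {key_value: remaining_columns}. Duplicate keys keep the last row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if key not in (reader.fieldnames or []):
        raise ValueError(f"key column {key!r} not in CSV header {reader.fieldnames}")
    table: Dict[str, Row] = {}
    for row in reader:
        k = row.pop(key)
        table[k] = row
    return table


def build_lookup_from_stream(events: Iterable[Row], key_field: str,
                             value_fields: List[str]) -> Dict[str, Row]:
    """Build a lookup table from a stream; events lacking the key are skipped."""
    table: Dict[str, Row] = {}
    for ev in events:
        k = ev.get(key_field)
        if not k:
            continue
        table[k] = {f: ev.get(f, "") for f in value_fields}
    return table


def enrich(events: Iterable[Row], table: Dict[str, Row],
           join_field: str, prefix: str) -> Iterator[Row]:
    """Yield a copy of each event with the matching row's columns added under `prefix`.

    A `<prefix>_matched` boolean is always added, so downstream rules can
    distinguish "not a bad IP" from "lookup had no data".
    """
    for ev in events:
        out = dict(ev)
        row = table.get(ev.get(join_field, ""))
        out[f"{prefix}_matched"] = row is not None
        if row is not None:
            for col, val in row.items():
                out[f"{prefix}_{col}"] = val
        yield out


def enrich_ad_logons() -> List[Row]:
    """Static CSV enrichment: logon events joined to inventory on computer name."""
    inventory = load_lookup(INVENTORY_CSV, "computer")
    return list(enrich(AD_LOGONS, inventory, "computer", "asset"))


def enrich_firewall() -> List[Row]:
    """Static CSV (bad IPs on dst_ip) plus a stream-built table (DHCP on src_ip)."""
    bad_ips = load_lookup(BAD_IP_CSV, "ip")
    dhcp = build_lookup_from_stream(DHCP_LEASES, "ip", ["hostname"])
    flagged = enrich(FIREWALL, bad_ips, "dst_ip", "badip")
    return list(enrich(flagged, dhcp, "src_ip", "src_host"))


if __name__ == "__main__":
    for ev in enrich_ad_logons() + enrich_firewall():
        print(ev)
```

The stream-built table is the part that gives the correlation described above: DHCP events and firewall events share no identity field except the IP, so the lease stream is turned into an `ip -> hostname` table and the firewall stream is joined against it. Because later events overwrite earlier ones, the table reflects the most recent lease; for a file-backed CSV the same effect is obtained by re-reading the file whenever its modification time changes.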