Learn about data-enriched fields and their limitations.
Note
Data enrichment is a beta feature, supported by the Enterprise Plus license only.
Cortex XSIAM automatically enriches your Cortex Data Model (XDM) data with additional information and context. Some examples of the types of data that are enriched include:
IP addresses are enriched with geolocation information.
User data is normalized.
If DSS exists, it is also enriched.
Note
For a complete list of auto-enriched fields, see the Cortex Data Model Schema Guide.
These enrichments are important for cyber analytics, rule detection, and investigations. Since these fields are enriched automatically by default, they do not have to be mapped manually in Data Model Rules. Note that enrichment is not performed when the input fields needed for enrichment are not available.
Enriched data is calculated by the system at ingestion and is saved for future queries. Keep in mind that some data may change over time; for example, an IP address may move to a different geolocation. Therefore, checking the same IP address in an external system at a later time might return a geolocation that differs from the stored enriched value.
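To make the two caveats above concrete (enrichment is skipped when the input field is absent, and an ingest-time geolocation can drift from a later lookup), here is an added Python model of ingest-time enrichment; it is not Cortex XSIAM code. GEO_DB, the sample events and the enriched.* output field names are constructed placeholders, while xdm.source.ipv4 and xdm.source.user.username are XDM schema field names.

```python
"""Model of ingest-time enrichment (added illustration, not Cortex XSIAM code)."""

# Constructed stand-in for the geolocation source consulted at ingest, keyed by /24 prefix.
GEO_DB = {"203.0.113": "NL", "198.51.100": "US"}

# Constructed sample events: one complete, one with no IP, one with an unknown IP.
SAMPLE_EVENTS = [
    {"id": 1, "xdm.source.ipv4": "203.0.113.7", "xdm.source.user.username": "CORP\\Alice"},
    {"id": 2, "xdm.source.user.username": "bob@corp.example"},
    {"id": 3, "xdm.source.ipv4": "192.0.2.9"},
]


def geolocate(ip, geo_db):
    """Return a country code for an IPv4 address, or None when the prefix is unknown."""
    return geo_db.get(ip.rsplit(".", 1)[0])


def normalize_user(raw):
    """Normalize 'DOMAIN\\User', 'user@domain' or ' User ' to a lower-case bare name."""
    name = raw.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0].lower()


def enrich_on_ingest(event, geo_db):
    """Compute enrichment once and store it with the event.

    A field is only enriched when its input field is present (and, for geo,
    when the lookup succeeds); otherwise the enriched field is simply absent.
    """
    out = dict(event)
    ip = event.get("xdm.source.ipv4")
    if ip is not None:
        country = geolocate(ip, geo_db)
        if country is not None:
            out["enriched.source.country"] = country  # placeholder output field name
    user = event.get("xdm.source.user.username")
    if user is not None:
        out["enriched.source.user.normalized"] = normalize_user(user)  # placeholder
    return out


def stale_geo_events(stored_events, geo_db_now):
    """Return ids of stored events whose ingest-time country differs from a fresh lookup.

    This is the divergence the note above describes: the stored value is a snapshot.
    """
    return [e["id"] for e in stored_events
            if "enriched.source.country" in e
            and geolocate(e["xdm.source.ipv4"], geo_db_now) != e["enriched.source.country"]]
```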