Realm Enrichments
Overview
Realm Enrichments allow you to inject high-value data context directly into your security logs as they pass through the Realm pipeline. By enriching telemetry at the source, you empower downstream systems (like your data lake or SIEM) with forensic context, significantly speeding up query times and reducing the compute load on your analytics tools.
With Realm Enrichments, your logs arrive at their destination already enriched with geographical data, ISP information, and threat context—no more waiting for post-ingest lookups to understand the "where" and "who" of an event.
How It Works: The Configuration Workflow
Enrichments are managed through a global configuration interface that gives you granular control over what data is added and where it is applied.
Step 1: Global Enrichment Setup
On the Enrichments page, you can see all available third-party sources.

Setting up a source involves:
- Schema Field Selection: Select the specific schema fields (e.g., city_name, autonomous_system_number) you want to append to your dataset.
- Data Source Mapping: Specify which of your ingested log sources should receive these enrichments. By default, Realm has already filtered the list of log sources to those that contain the join fields necessary for the enrichment.
Step 2: Destination-Level Control

We believe in giving you total control over your output feeds. Even if a log source is receiving an enrichment, you can manage the final delivery at the Destination output feed.
- Toggle Control: Each output feed features a simple toggle to enable or disable enrichments.
- Granular Delivery: This ensures that if you have a specific downstream tool that doesn't require extra metadata (or needs to stay "lean"), you can opt it out with one click on the Output Feed Editor.
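The two steps above, modelled end to end as an added example (this is illustrative code, not Realm's own implementation). A small constructed in-memory table stands in for the MaxMind GeoLite2 and IPinfo Lite datasets; the schema field names city_name and autonomous_system_number come from this page, while the join-field name `src_ip`, the `enrichment` key the appended fields are nested under, the source and destination names and the function names are assumptions made for the example. It applies the rules the page states: sources are only eligible when their events carry the join field, enrichment is only delivered on JSON output feeds, and each feed's toggle defaults to disabled.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample dataset keyed by CIDR (documentation ranges and private-use
# ASNs; NOT real GeoLite2 or IPinfo data). Stands in for the daily-refreshed
# third-party datasets described on the page.
SAMPLE_IP_METADATA = {
    "203.0.113.0/24": {
        "city_name": "Springfield", "country_iso_code": "US",
        "latitude": 39.78, "longitude": -89.65,
        "autonomous_system_number": 64500,
        "autonomous_system_organization": "Example ISP Ltd",
    },
    "198.51.100.0/24": {
        "city_name": "Utrecht", "country_iso_code": "NL",
        "latitude": 52.09, "longitude": 5.12,
        "autonomous_system_number": 64501,
        "autonomous_system_organization": "Example Carrier BV",
    },
}
_NETWORKS = [(ipaddress.ip_network(cidr), meta) for cidr, meta in SAMPLE_IP_METADATA.items()]


@dataclass
class Destination:
    name: str
    output_format: str                 # enrichment is delivered to "json" feeds only
    enrichments_enabled: bool = False  # Step 2 toggle; default state is disabled


def lookup_ip(value):
    """Return metadata for the first network containing `value`, else None.
    Missing or malformed values (no IP, hostnames, junk) yield None rather than an error."""
    if value is None:
        return None
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    for net, meta in _NETWORKS:
        if addr in net:
            return meta
    return None


def enrich_event(event, selected_fields, join_field="src_ip"):
    """Step 1: append only the selected schema fields, nested under an assumed
    `enrichment` key so destinations can filter on it. Events with no join field
    or no dataset match pass through as an unchanged copy."""
    meta = lookup_ip(event.get(join_field))
    if meta is None:
        return dict(event)
    enriched = dict(event)
    enriched["enrichment"] = {f: meta[f] for f in selected_fields if f in meta}
    return enriched


def eligible_sources(sources, join_field="src_ip"):
    """Step 1 default filter: only sources whose events carry the join field."""
    return [name for name, events in sources.items() if any(join_field in e for e in events)]


def run_pipeline(sources, enrichment_config, destinations):
    """Return {destination name: [event dicts]} after applying both steps:
    a source is enriched only if mapped AND eligible, and a destination receives
    the enrichment only if it is a JSON feed with the toggle enabled."""
    fields = enrichment_config["fields"]
    mapped = set(enrichment_config["sources"]) & set(eligible_sources(sources))
    outputs = {d.name: [] for d in destinations}
    for source_name, events in sources.items():
        for event in events:
            for dest in destinations:
                deliver = dest.output_format == "json" and dest.enrichments_enabled and source_name in mapped
                outputs[dest.name].append(enrich_event(event, fields) if deliver else dict(event))
    return outputs


def render_feed(dest, events):
    """Serialise a feed: JSON lines for JSON feeds, key=value for anything else."""
    if dest.output_format == "json":
        return [json.dumps(e, sort_keys=True) for e in events]
    return [" ".join(f"{k}={v}" for k, v in e.items()) for e in events]


# Constructed sample log sources (assumed names and shapes).
SAMPLE_SOURCES = {
    "firewall": [
        {"ts": "2024-01-01T00:00:00Z", "src_ip": "203.0.113.7", "action": "allow"},
        {"ts": "2024-01-01T00:00:01Z", "src_ip": "192.0.2.9", "action": "deny"},   # no dataset match
    ],
    "app_audit": [
        {"ts": "2024-01-01T00:00:02Z", "user": "alice", "event": "login"},          # no join field
    ],
}
SAMPLE_CONFIG = {
    "fields": ["city_name", "country_iso_code", "autonomous_system_number"],
    "sources": ["firewall", "app_audit"],   # app_audit is mapped but not eligible
}
SAMPLE_DESTINATIONS = [
    Destination("siem", "json", enrichments_enabled=True),
    Destination("lean_archive", "json"),                             # opted out via toggle
    Destination("syslog_relay", "raw", enrichments_enabled=True),    # not a JSON feed
]

if __name__ == "__main__":
    results = run_pipeline(SAMPLE_SOURCES, SAMPLE_CONFIG, SAMPLE_DESTINATIONS)
    for dest in SAMPLE_DESTINATIONS:
        print(f"== {dest.name}")
        for line in render_feed(dest, results[dest.name]):
            print(line)
```

Running the block shows the same three events delivered to all three feeds, with only the `siem` feed carrying the appended fields, and only on the firewall event whose address is covered by the dataset. The unmatched address and the audit event without a join field pass through untouched, which is the behaviour you want from an enrichment stage: it must never drop or alter an event just because it could not be enriched.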
Technical Specifications
| Feature | Specification |
|---|---|
| Output Format | JSON output feeds only |
| Default State | Disabled for all eligible output feeds |
| Metadata Tagging | Enriched data is appended to each log at the first stage of the pipeline, so destination systems can filter on it easily. |
| Update Frequency | Daily automated refresh for all third-party datasets. |
Supported Enrichment Sources
For the current release, Realm supports industry-leading third-party data providers to ensure your logs are backed by the most accurate global IP metadata. Additional enrichments for Threat Intelligence and Custom Lookups are coming soon.
1. MaxMind (GeoLite2)
- Focus: Geographic location data.
- Context: Provides city, country, and latitude/longitude coordinates.
- Refresh: Automatically updated on a daily interval to ensure accuracy.
2. IPinfo (Lite)
- Focus: ISP and ASN metadata.
- Context: Adds deep IP context, including carrier information and organizational ownership.
- Refresh: Automatically updated on a daily interval.
Operational Impact
Why Enrich at the Pipeline?
- Accelerated Investigations: Analysts can immediately see the origin and ownership of an IP without performing manual lookups during an incident.
- Compute Savings: By enriching data once in the Realm pipeline, you avoid the high cost of performing "JOIN" operations or lookup scripts repeatedly in your SIEM or Data Lake.
- Consistent Schema: Realm ensures that enrichments follow a standardized format, making it easier to build dashboards that work across different log types.
- Dynamic Log Optimization: Enrichments make log optimization more dynamic and context-aware. Logs that match threat intelligence are never filtered out, while generic network logs gain the context needed to separate noise from critical signals before they reach your security tools.