Enrichment Sources

This topic explains the options for adding an external data source as an enrichment source, which provides additional information in alerts. For example, an in-memory table can provide a full name, title, office location, and employee number if a user matches rule criteria. The following types of enrichment sources are available:

  • Context Hub List (Preferred)
  • In-Memory Table (Ad hoc only)
  • GeoIP

Note: Database, Database Connection, Warehouse Analytics, and Recurring In-Memory Tables as enrichment sources are not supported for the ESA Correlation service in NetWitness 11.3 and later.

Context Hub List enrichment sources are preferred over In-Memory Table enrichment sources. You can share Context Hub List enrichment sources across NetWitness, whereas you can use the In-Memory Table only with ESA. Recurring In-Memory Tables are no longer supported; use Context Hub Lists as enrichment sources instead.

Note: The GeoIP enrichment source can be neither created nor deleted. It is provided out of the box.