nano SIEM
Enrichments

Enrichments automatically add contextual information to your log data during ingestion. nano supports IP geolocation, ASN data, threat intelligence, anonymizer detection, and custom enrichment sources to enhance your security analysis capabilities.

Overview

When logs are ingested, nano can automatically enrich IP addresses, domains, and hashes with:

  • Geolocation Data: Country, continent, and region information
  • ASN Information: Internet service provider and organization details
  • Threat Intelligence: Known malicious IPs, domains, and file hashes
  • Anonymizer Detection: TOR exit nodes and other anonymizing proxies
  • Custom Data: Any external API or threat feed via custom enrichments

This enriched data becomes searchable and can be used in detections, dashboards, and investigations.

Built-in Enrichment Sources

nano includes three built-in enrichment sources:

| Source | Type | Description | Cost |
|---|---|---|---|
| IPInfo Lite | Geolocation | IP geolocation and ASN data | Free |
| ThreatFox | IOC Feed | Malware and botnet indicators from abuse.ch | Free |
| TOR Exit Nodes | IOC Feed | Official TOR exit node IPs for anonymizer detection | Free |

You can also create Custom Enrichments to integrate any external API or threat feed.

How Enrichment Works

Enrichments work by:

  1. Ingestion-time enhancement — Data is enriched as it enters the system
  2. Automatic lookups — IP addresses, domains, and hashes are matched against enrichment databases
  3. Zero-downtime updates — Enrichment data can be updated without interrupting log processing
  4. Bulk processing — Optimized for high-volume log ingestion
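
The following sketch illustrates the ingestion-time lookup and zero-downtime update pattern described above. It is an added example, not nano's implementation; the class names, the event fields (`src_ip`, `dst_ip`) and the output field names are assumptions, and the sample data is constructed.

```python
import ipaddress

class Snapshot:
    """Immutable lookup data built from one sync of the enrichment sources."""
    def __init__(self, geo_ranges, threat_ips, tor_exits):
        self.geo = [(ipaddress.ip_network(cidr), info) for cidr, info in geo_ranges]
        self.threat_ips = frozenset(ipaddress.ip_address(i) for i in threat_ips)
        self.tor_exits = frozenset(ipaddress.ip_address(i) for i in tor_exits)

    def lookup(self, ip):
        result = {}
        matches = [(net, info) for net, info in self.geo if ip in net]
        if matches:
            # Most specific (longest-prefix) range wins.
            result.update(max(matches, key=lambda m: m[0].prefixlen)[1])
        result["threat_match"] = ip in self.threat_ips
        result["is_tor_exit"] = ip in self.tor_exits
        return result

class Enricher:
    def __init__(self, snapshot):
        self._snapshot = snapshot

    def swap(self, snapshot):
        # A single reference assignment: events in flight keep the old
        # snapshot, later events see the new one; ingestion never pauses.
        self._snapshot = snapshot

    def enrich(self, event, ip_fields=("src_ip", "dst_ip")):
        snap = self._snapshot          # pin one snapshot for the whole event
        out = dict(event)
        for field in ip_fields:
            try:
                ip = ipaddress.ip_address(event[field])
            except (KeyError, ValueError):
                continue               # missing or malformed: leave event as-is
            for key, value in snap.lookup(ip).items():
                out[f"{field}_{key}"] = value
        return out

# Constructed sample data (documentation address ranges, not real indicators).
geo = [("203.0.113.0/24", {"country": "NL", "asn": "AS64500"})]
v1 = Snapshot(geo, threat_ips=["203.0.113.7"], tor_exits=[])
v2 = Snapshot(geo, threat_ips=["203.0.113.7"], tor_exits=["203.0.113.9"])
enricher = Enricher(v1)
event = {"src_ip": "203.0.113.9", "dst_ip": "not-an-ip", "action": "login"}
before = enricher.enrich(event)
enricher.swap(v2)                      # feed update lands between two events
after = enricher.enrich(event)
```

Because enrichment happens at ingestion, an event keeps the values from the snapshot that was active when it arrived: `before` is not retroactively marked as a TOR exit after the feed update.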

Quick Start

  1. Navigate to Marketplace in the left sidebar
  2. Find an enrichment — search by name or click the Data tab to browse data enrichments
  3. Configure the source (URL, API key, etc.)
  4. Sync to download initial data
  5. Enable the enrichment

See the individual source pages for detailed setup instructions:
