Enrichment Field Reference
This reference documents all fields added by nano's enrichment system and how to use them in searches and detection rules.
IP Geolocation Fields (IPInfo Lite)
When IP addresses are enriched with IPInfo Lite, the following fields are automatically added to log records.
Source IP Enrichment
Applied to the src_ip field when present:
| Field | Type | Description | Example |
|---|---|---|---|
| enriched_src_country | string | Full country name | "United States" |
| enriched_src_country_code | string | ISO 3166-1 alpha-2 country code | "US" |
| enriched_src_continent | string | Continent name | "North America" |
| enriched_src_continent_code | string | Continent code | "NA" |
| enriched_src_asn | string | Autonomous System Number | "AS15169" |
| enriched_src_as_name | string | Organization/ISP name | "Google LLC" |
| enriched_src_as_domain | string | Organization domain | "google.com" |
Destination IP Enrichment
Applied to the dest_ip field when present:
| Field | Type | Description | Example |
|---|---|---|---|
| enriched_dest_country | string | Full country name | "Germany" |
| enriched_dest_country_code | string | ISO 3166-1 alpha-2 country code | "DE" |
| enriched_dest_continent | string | Continent name | "Europe" |
| enriched_dest_continent_code | string | Continent code | "EU" |
| enriched_dest_asn | string | Autonomous System Number | "AS3320" |
| enriched_dest_as_name | string | Organization/ISP name | "Deutsche Telekom AG" |
| enriched_dest_as_domain | string | Organization domain | "telekom.de" |
IOC Fields (ThreatFox & TOR Exit Nodes)
Both ThreatFox and TOR Exit Nodes are IOC (Indicator of Compromise) enrichment sources. They share a common set of fields that are populated when a match is found.
IP-Based IOC Fields
| Field Pattern | Description | Example Values |
|---|---|---|
| ioc_[src\|dest]_ip_threat_type | Threat category | "botnet_cc", "payload_delivery", "anonymizer" |
| ioc_[src\|dest]_ip_malware | Malware family | "Cobalt Strike", "Emotet", "" |
| ioc_[src\|dest]_ip_confidence | Confidence (0-100) | 85, 90, 100 |
| ioc_[src\|dest]_ip_tags | Array of tags | ["tor_exit", "anonymizer"] |
Domain & Hash IOC Fields
| Field | Description | Example Values |
|---|---|---|
| ioc_domain_threat_type | Domain threat type | "phishing", "malware" |
| ioc_domain_malware | Domain malware family | "QakBot" |
| ioc_domain_confidence | Domain match confidence | 75 |
| ioc_hash_threat_type | File hash threat type | "trojan", "ransomware" |
| ioc_hash_malware | Hash malware family | "LockBit" |
Custom Enrichment Fields
Custom enrichments add fields based on whether the IOC toggle is enabled.
Non-IOC Custom Fields
| Field | Description |
|---|---|
| custom_src_ip_tags / custom_dest_ip_tags | Tags for IP addresses |
| custom_src_ip_risk / custom_dest_ip_risk | Risk scores (0-100) |
| custom_domain_tags / custom_domain_risk | Domain enrichment |
| custom_hash_tags / custom_hash_risk | File/process hash enrichment |
| custom_url_tags / custom_url_risk | URL enrichment |
IOC Custom Fields
| Field | Description |
|---|---|
| custom_ioc_src_ip_threat_type / custom_ioc_dest_ip_threat_type | Threat type from custom IOC source |
| custom_ioc_src_ip_confidence / custom_ioc_dest_ip_confidence | Confidence from custom IOC source |
| custom_ioc_src_ip_malware / custom_ioc_dest_ip_malware | Malware family from custom IOC source |
| custom_ioc_domain_threat_type / custom_ioc_domain_confidence | Domain threat from custom IOC source |
| custom_ioc_hash_threat_type / custom_ioc_hash_confidence | Hash threat from custom IOC source |
Search Examples
Geographic Searches
Find traffic from specific countries:
```
enriched_src_country_code = "CN" OR enriched_dest_country_code = "CN"
```
Traffic between continents:
```
enriched_src_continent = "Asia" AND enriched_dest_continent = "North America"
```
Exclude domestic traffic:
```
NOT (enriched_src_country_code = "US" AND enriched_dest_country_code = "US")
```
Network/Organization Searches
Find traffic from cloud providers:
```
enriched_src_as_name LIKE "%Amazon%" OR enriched_src_as_name LIKE "%Google%" OR enriched_src_as_name LIKE "%Microsoft%"
```
Monitor specific ASNs:
```
enriched_src_asn = "AS15169" OR enriched_dest_asn = "AS15169"
```
IOC Searches
Any IOC match (source or destination):
```
ioc_src_ip_threat_type != "" OR ioc_dest_ip_threat_type != ""
```
High confidence matches only:
```
ioc_src_ip_confidence >= 80 OR ioc_dest_ip_confidence >= 80
```
Specific threat types:
```
ioc_dest_ip_threat_type IN ("botnet_cc", "payload_delivery")
```
Exclude anonymizers (TOR):
```
ioc_dest_ip_threat_type != "" AND ioc_dest_ip_threat_type != "anonymizer"
```
TOR exit node traffic:
```
has(ioc_src_ip_tags, 'tor_exit') OR has(ioc_dest_ip_tags, 'tor_exit')
```
Custom Enrichment Searches
High risk IPs:
```
custom_src_ip_risk >= 70 OR custom_dest_ip_risk >= 70
```
Tagged traffic:
```
has(custom_src_ip_tags, 'tor_exit')
```
Custom IOC matches:
```
custom_ioc_src_ip_threat_type != "" OR custom_ioc_dest_ip_threat_type != ""
```
Detection Rule Examples
Geographic Anomaly Detection
```yaml
name: "Unusual Source Country"
description: "Detect connections from unexpected countries"
query: |
  enriched_src_country_code NOT IN ("US", "CA", "GB", "DE", "FR")
  AND src_ip NOT IN CIDR("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
severity: medium
```
IOC-Based Detection
```yaml
name: "ThreatFox IOC Match"
description: "Detect traffic to known malware infrastructure"
query: |
  ioc_dest_ip_threat_type != ""
  OR ioc_domain_threat_type != ""
severity: high
```
TOR Detection
```yaml
name: "TOR Exit Node Communication"
description: "Detects traffic to or from known TOR exit nodes"
query: |
  ioc_src_ip_threat_type = "anonymizer"
  OR ioc_dest_ip_threat_type = "anonymizer"
severity: medium
```
Aggregation Examples
Top Countries by Traffic
```sql
SELECT enriched_src_country, COUNT(*) AS connection_count
FROM logs
WHERE enriched_src_country IS NOT NULL
GROUP BY enriched_src_country
ORDER BY connection_count DESC
LIMIT 10
```
ASN Distribution
```sql
SELECT enriched_src_asn, enriched_src_as_name, COUNT(*) AS traffic_count
FROM logs
WHERE enriched_src_asn IS NOT NULL
GROUP BY enriched_src_asn, enriched_src_as_name
ORDER BY traffic_count DESC
LIMIT 20
```
IOC Match Summary
```sql
SELECT ioc_dest_ip_threat_type, ioc_dest_ip_malware, COUNT(*) AS match_count
FROM logs
WHERE ioc_dest_ip_threat_type != ""
GROUP BY ioc_dest_ip_threat_type, ioc_dest_ip_malware
ORDER BY match_count DESC
```
Field Availability
When Fields Are Present
Enrichment fields are added when:
- Log contains valid src_ip or dest_ip fields
- IP address is public (not private/internal)
- IP address exists in enrichment database
- Enrichment source is enabled and synced
When Fields Are Missing
Fields may be absent when:
- No IP address in log record
- IP is private/internal (RFC 1918)
- IP not found in enrichment database
- Enrichment source disabled or not synced
Private IP Ranges (Not Enriched)
The following IP ranges are not enriched as they're private/internal:
- 10.0.0.0/8: Private networks
- 172.16.0.0/12: Private networks
- 192.168.0.0/16: Private networks
- 127.0.0.0/8: Loopback
- 169.254.0.0/16: Link-local
- 224.0.0.0/4: Multicast
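The availability rules above and the "Unusual Source Country" rule from the detection examples, worked through in Python as an added example (not nano's own code). It assumes a constructed in-memory stand-in for the IPInfo Lite database and constructed addresses; the point it shows is that a record whose IP falls in an excluded range never gets the enriched_* fields, so a rule must treat a missing country field as "no match" rather than as "not in the allowlist".

```python
import ipaddress

# Ranges the reference lists as never enriched (private, loopback, link-local, multicast).
NOT_ENRICHED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]
RFC1918 = NOT_ENRICHED[:3]  # the CIDRs the "Unusual Source Country" rule excludes
ALLOWED_COUNTRIES = {"US", "CA", "GB", "DE", "FR"}

# Constructed stand-in for the synced IPInfo Lite database (assumption: not real data).
GEO_DB = {
    "203.0.113.7": {"country": "Germany", "country_code": "DE", "continent": "Europe",
                    "continent_code": "EU", "asn": "AS3320",
                    "as_name": "Deutsche Telekom AG", "as_domain": "telekom.de"},
    "198.51.100.9": {"country": "Brazil", "country_code": "BR", "continent": "South America",
                     "continent_code": "SA", "asn": "AS64500", "as_name": "Example Net",
                     "as_domain": "example.net"},
}

def is_enrichable(ip) -> bool:
    """Valid address outside every excluded range; malformed input is never enriched."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NOT_ENRICHED)

def enrich(record: dict, source_enabled: bool = True) -> dict:
    """Copy record, adding enriched_src_*/enriched_dest_* fields only when the rules allow."""
    out = dict(record)
    if not source_enabled:          # source disabled or not synced: nothing is added
        return out
    for key, prefix in (("src_ip", "enriched_src_"), ("dest_ip", "enriched_dest_")):
        ip = record.get(key)
        if not ip or not is_enrichable(ip):
            continue                # no IP, malformed, or private/internal: fields stay absent
        hit = GEO_DB.get(ip)
        if hit is None:
            continue                # public but unknown to the database: fields stay absent
        for field, value in hit.items():
            out[prefix + field] = value
    return out

def unusual_source_country(record: dict) -> bool:
    """The "Unusual Source Country" rule; a record with no country field cannot match."""
    code = record.get("enriched_src_country_code")
    if code is None or code in ALLOWED_COUNTRIES:
        return False
    src = ipaddress.ip_address(record["src_ip"])
    return not any(src in net for net in RFC1918)
```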
Performance Considerations
Indexing
Enrichment fields are automatically indexed for fast searches:
- Country codes and ASNs are optimized for exact matches
- Organization names support both exact and wildcard searches
- Geographic fields are indexed for dashboard aggregations
Query Optimization
Efficient queries:
```
-- Use country codes for exact matches
enriched_src_country_code = "CN"
-- Use ASN for network-based searches
enriched_src_asn = "AS15169"
-- Use IOC threat type for IOC searches
ioc_dest_ip_threat_type = "botnet_cc"
```
Less efficient queries:
```
-- Avoid wildcards on large text fields
enriched_src_as_name LIKE "%Corp%"
-- Prefer specific fields over broad searches
enriched_src_country LIKE "%United%"
```