Daily Use

IP Enrichment

IP enrichment turns public IP addresses into useful context. Instead of reading 52.x.x.x in an alert, an analyst can see that the peer is AWS in a given region, a Tor exit node, a country, or an autonomous system such as Cloudflare or an ISP.

Enrichment is used in two places:

  • In the GUI: IP badges appear in Sessions, Cartography, alerts and drawers.
  • In NFQL: enrichment tables let you filter and join traffic by provider, threat feed, country or network owner.

Private and local addresses are not enriched. Your RFC1918, loopback, link-local and ULA addresses remain local cartography, not cloud or threat matches.


Sources

Source                                             | What it tells you                                              | Good for
---------------------------------------------------|----------------------------------------------------------------|------------------------------------------------------------------------
AWS, Azure, Google Cloud, Oracle Cloud, Cloudflare | Cloud provider, and often service or region.                   | Understanding cloud egress, public services and unexpected cloud peers.
FireHOL Level 1                                    | Known malicious or highly suspicious networks.                 | Fast triage when an alert touches a bad reputation range.
Tor exit nodes                                     | Public exit points from the Tor network.                       | Inbound traffic that hides its origin.
Tor relays                                         | Broader Tor relay and bridge list.                             | Internal hosts reaching into Tor infrastructure.
GeoIP                                              | Country code for a public IP.                                  | Quick visual context and coarse residency checks.
ASN                                                | The network owner, such as a cloud, ISP, hoster or enterprise. | Identifying peers that are not covered by curated cloud lists.

Google Cloud vs Google Services

Google publishes more than one useful list. Google Cloud is for GCP compute and regions. Google services covers broader Google-owned space, including addresses such as Google Public DNS. Enable both if you want both kinds of context; overlap is handled normally.


Defaults And Controls

Enrichment is enabled by default on a fresh install so the first investigation already has context.

The Connectors section contains four enrichment pages:

Page                | Controls
--------------------|---------------------------------------------------------------------
Cloud Attribution   | AWS, Azure, Google Cloud, Google services, Oracle Cloud, Cloudflare.
Threat Intelligence | FireHOL Level 1, Tor exit nodes, Tor relays.
GeoIP               | Country-level tagging.
ASN                 | Network-owner tagging.

There are two levels of control:

  • Global IP enrichment turns every enrichment source on or off.
  • Per-source toggles let you disable one source without affecting the rest.

Use the global switch for air-gapped or no-outbound deployments. Use per-source toggles when a source is noisy or not useful for your environment.

Each source also has Refresh now. Most sources refresh automatically within about an hour; GeoIP and ASN refresh less often because they change slowly. Manual refresh is useful when you know a new feed has just been published.


What You See In The GUI

Enrichment appears as small badges and details next to public IPs:

10.0.0.10 (host:webserver) -> 52.10.x.x  [AWS / us-west-2 / EC2]
10.0.0.11 (host:db)        -> 185.x.x.x  [threat / firehol_level1]
203.0.113.44               -> 10.0.0.20  [Tor exit]

In practice, this helps with everyday triage:

  • A database server talking to an unexpected country stands out immediately.
  • A login attempt through a Tor exit is easier to qualify.
  • A host reaching a new cloud provider can become a “first seen” alert.
  • ASN context tells you whether an IP belongs to a cloud, residential ISP or hosting provider.

Badges are context, not verdicts. A Tor or FireHOL tag deserves attention; it does not automatically prove compromise.


Querying Enrichment

Use enrichment_ips for traffic already seen by obserae. It contains the exact public IPs that matched an enabled source.

# Sessions whose server side is on a threat feed
FROM enrichment_ips | WHERE nature == "threat" | KEEP ip, source
> FROM sessions
  | LAST 3600
  | JOIN ip == server_ip
  | KEEP server_ip, prev_source, ip_a, ip_b, ab_bytes

# Top cloud providers reached in the last hour
FROM enrichment_ips | WHERE nature == "cloud" | KEEP ip, source
> FROM sessions
  | LAST 3600
  | JOIN ip == server_ip
  | STATS bytes = SUM(ab_bytes) BY prev_source
  | SORT bytes DESC

Use enrichment_ranges when you want to inspect the source ranges themselves or test an arbitrary CIDR relationship.

# Sessions whose server is in an AWS range
FROM enrichment_ranges | WHERE source == "aws" | KEEP cidr, details
> FROM sessions
  | LAST 3600
  | JOIN server_ip WITHIN cidr
  | KEEP server_ip, prev_details, ab_bytes

enrichment_ips is usually the best starting point for investigation queries. enrichment_ranges is better for source review and range-level questions.
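The following is an added Python model of what these tables expose, not obserae's own code: local addresses are skipped, a public IP is matched against source ranges (the WITHIN cidr relationship) with the most specific prefix first, per-source toggles filter the matches, and the first enrichment_ips query above (server side on a threat feed) is emulated over constructed sessions. The ranges, the "asn"/"google" overlap and the "tor_exit" source name are constructed samples, not the real provider or feed lists.

```python
import ipaddress

# Constructed sample ranges (not obserae's real lists): cidr, source, nature, details.
SAMPLE_RANGES = [
    ("52.10.0.0/16",   "aws",            "cloud",  "us-west-2 / EC2"),
    ("185.0.0.0/8",    "firehol_level1", "threat", ""),
    ("203.0.113.0/24", "tor_exit",       "threat", "Tor exit"),
    ("8.8.0.0/16",     "asn",            "asn",    "AS15169"),
    ("8.8.8.0/24",     "google",         "cloud",  "Google Public DNS"),
]

# Never enriched: RFC1918, loopback, link-local and IPv6 ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "169.254.0.0/16", "fe80::/10", "fc00::/7")]

def is_local(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LOCAL_NETS if net.version == ip.version)

def enrich(ip_str, ranges=SAMPLE_RANGES, enabled=None):
    """All (source, nature, details) matches, most specific prefix first.
    `enabled` emulates per-source toggles (None = all; set() = global off)."""
    if is_local(ip_str):
        return []
    ip = ipaddress.ip_address(ip_str)
    hits = []
    for cidr, source, nature, details in ranges:
        net = ipaddress.ip_network(cidr)
        if (enabled is None or source in enabled) and net.version == ip.version \
                and ip in net:
            hits.append((net.prefixlen, source, nature, details))
    hits.sort(reverse=True)  # longest prefix first; overlaps kept as context
    return [hit[1:] for hit in hits]

def badge(ip_str, **kw):
    """Render the most specific match like the GUI badges shown above."""
    hits = enrich(ip_str, **kw)
    if not hits:
        return ""
    source, nature, details = hits[0]
    return f"[threat / {source}]" if nature == "threat" else f"[{source} / {details}]"

def threat_sources(ip_str, **kw):
    return [src for src, nature, _ in enrich(ip_str, **kw) if nature == "threat"]

def threat_sessions(sessions, **kw):
    """First NFQL query above: sessions whose server_ip is on a threat feed."""
    return [(s["server_ip"], threat_sources(s["server_ip"], **kw)[0])
            for s in sessions if threat_sources(s["server_ip"], **kw)]
```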


Accuracy And Limits

Cloud attribution tells you which published provider range matched. It may not identify the exact application behind a CDN, proxy or shared cloud service.

Threat-intel feeds are high-signal context, not proof. A match says the peer is listed by that source; your response still depends on direction, asset, service, history and business context.

GeoIP is country-level context. It is useful for fast scanning and rough policy questions, but it is not forensic proof of a server’s physical location, especially for cloud and CDN ranges.

ASN tells you who operates the network. It does not identify the cloud product, tenant, application or region.


Privacy

obserae fetches public provider/feed lists. It does not send your traffic, your local IPs, your cartography or your alerts to enrichment providers.

If the machine must make no outbound HTTPS requests, disable global IP enrichment. The product still works; IPs simply appear without external context.


See Also

  • Connectors - where enrichment sources are managed.
  • NFQL - enrichment tables and query syntax.
  • Alerting - turning enrichment queries into alerts.
  • Cartography - where enrichment badges appear on hosts.