IP Enrichment
IP enrichment turns public IP addresses into useful context. Instead of reading
52.x.x.x in an alert, an analyst can see that the peer is AWS in a given
region, a Tor exit node, a country, or an autonomous system such as Cloudflare
or an ISP.
Enrichment is used in two places:
- In the GUI: IP badges appear in Sessions, Cartography, alerts and drawers.
- In NFQL: enrichment tables let you filter and join traffic by provider, threat feed, country or network owner.
Private and local addresses are never enriched. RFC 1918, loopback, link-local and IPv6 ULA addresses stay in local cartography and never produce a cloud or threat match.
Sources
| Source | What it tells you | Good for |
|---|---|---|
| AWS, Azure, Google Cloud, Oracle Cloud, Cloudflare | Cloud provider, and often service or region. | Understanding cloud egress, public services and unexpected cloud peers. |
| FireHOL Level 1 | Known malicious or highly suspicious networks. | Fast triage when an alert touches a bad reputation range. |
| Tor exit nodes | Public exit points from the Tor network. | Inbound traffic that hides its origin. |
| Tor relays | Broader list of Tor relays and bridges, beyond the exit nodes. | Internal hosts reaching into Tor infrastructure. |
| GeoIP | Country code for a public IP. | Quick visual context and coarse residency checks. |
| ASN | The network owner, such as a cloud, ISP, hoster or enterprise. | Identifying peers that are not covered by curated cloud lists. |
Google Cloud vs Google Services
Google publishes more than one useful list. Google Cloud is for GCP compute and regions. Google services covers broader Google-owned space, including addresses such as Google Public DNS. Enable both if you want both kinds of context; overlap is handled normally.
Defaults And Controls
Enrichment is enabled by default on a fresh install so the first investigation already has context.
The Connectors section contains four enrichment pages:
| Page | Controls |
|---|---|
| Cloud Attribution | AWS, Azure, Google Cloud, Google services, Oracle Cloud, Cloudflare. |
| Threat Intelligence | FireHOL Level 1, Tor exit nodes, Tor relays. |
| GeoIP | Country-level tagging. |
| ASN | Network-owner tagging. |
There are two levels of control:
- Global IP enrichment turns every enrichment source on or off.
- Per-source toggles let you disable one source without affecting the rest.
Use the global switch for air-gapped or no-outbound deployments. Use per-source toggles when a source is noisy or not useful for your environment.
Each source also has Refresh now. Most sources refresh automatically within about an hour; GeoIP and ASN refresh less often because they change slowly. Manual refresh is useful when you know a new feed has just been published.
What You See In The GUI
Enrichment appears as small badges and details next to public IPs:
10.0.0.10 (host:webserver) -> 52.10.x.x [AWS / us-west-2 / EC2]
10.0.0.11 (host:db) -> 185.x.x.x [threat / firehol_level1]
203.0.113.44 -> 10.0.0.20 [Tor exit]
In practice, this helps with everyday triage:
- A database server talking to an unexpected country stands out immediately.
- A login attempt through a Tor exit is easier to qualify.
- A host reaching a new cloud provider can become a “first seen” alert.
- ASN context tells you whether an IP belongs to a cloud, residential ISP or hosting provider.
Badges are context, not verdicts. A Tor or FireHOL tag deserves attention; it does not automatically prove compromise.
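The rules above, as an added Python model that is not obserae's own code: non-public addresses are skipped before any lookup, a public address is checked against every enabled source, and the result is rendered as GUI-style badges. The range tables are constructed from documentation prefixes and stand in for the provider and feed lists; the source names, the "nature" values cloud/threat and the per-source toggle set are assumptions that follow the field names used in the NFQL examples on this page. Where a source contains nested prefixes, the most specific one is assumed to win, and an address that sits in both the Google Cloud and Google services lists is assumed to get both tags.

```python
"""Added example, not obserae's code: a minimal IP enrichment model."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Address space the page says is never enriched: RFC 1918, loopback,
# link-local and IPv6 ULA. Listed explicitly rather than via
# ip.is_private / ip.is_global, because Python also treats the
# documentation prefixes (192.0.2.0/24, 203.0.113.0/24, ...) as
# non-global, and this page uses 203.0.113.44 as an enriched Tor exit.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                          # loopback
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 ULA
)]


def is_enrichable(ip: str) -> bool:
    """True for addresses that may be looked up against the sources."""
    addr = ipaddress.ip_address(ip)
    # `addr in net` is False when the IP versions differ, so mixing
    # IPv4 and IPv6 networks in one list is safe.
    return not any(addr in net for net in LOCAL_NETWORKS)


@dataclass(frozen=True)
class Range:
    source: str      # list the prefix came from (assumed names)
    nature: str      # "cloud" or "threat", as in enrichment_ips.nature
    cidr: ipaddress.IPv4Network | ipaddress.IPv6Network
    details: str = ""  # provider context such as region / service


# Constructed sample tables using documentation prefixes; a real deployment
# fetches the published provider and feed lists instead.
SAMPLE_RANGES = [
    Range("aws", "cloud", ipaddress.ip_network("198.51.100.0/24"), "us-west-2"),
    Range("aws", "cloud", ipaddress.ip_network("198.51.100.128/25"), "us-west-2 / EC2"),
    Range("google_cloud", "cloud", ipaddress.ip_network("192.0.2.0/25"), "europe-west1"),
    Range("google_services", "cloud", ipaddress.ip_network("192.0.2.0/24"), "Google-owned space"),
    Range("firehol_level1", "threat", ipaddress.ip_network("203.0.113.0/26")),
    Range("tor_exit", "threat", ipaddress.ip_network("203.0.113.44/32")),
    Range("tor_relays", "threat", ipaddress.ip_network("203.0.113.44/32")),
]


def enrich(ip: str, ranges=SAMPLE_RANGES, enabled: set[str] | None = None) -> list[Range]:
    """Matches for one IP: the most specific prefix per enabled source.

    `enabled` models the per-source toggles (None = every source on;
    an empty set behaves like the global switch turned off). Returns []
    for addresses that are never enriched or that match nothing.
    """
    if not is_enrichable(ip):
        return []
    addr = ipaddress.ip_address(ip)
    best: dict[str, Range] = {}
    for r in ranges:
        if enabled is not None and r.source not in enabled:
            continue
        if addr not in r.cidr:
            continue
        if r.source not in best or r.cidr.prefixlen > best[r.source].cidr.prefixlen:
            best[r.source] = r
    return sorted(best.values(), key=lambda r: (r.nature, r.source))


def badges(ip: str, **kw) -> list[str]:
    """Render matches the way the GUI examples on this page show them."""
    out = []
    for m in enrich(ip, **kw):
        if m.nature == "threat":
            out.append(f"[threat / {m.source}]")
        elif m.details:
            out.append(f"[{m.source} / {m.details}]")
        else:
            out.append(f"[{m.source}]")
    return out


if __name__ == "__main__":
    for peer in ("10.0.0.10", "198.51.100.200", "192.0.2.5", "203.0.113.44"):
        print(peer, badges(peer))
```

The prefix match in `enrich` is the same relationship the NFQL example expresses with `JOIN server_ip WITHIN cidr`; the `enabled` argument shows why a disabled source simply disappears from the badges rather than producing an empty tag.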
Querying Enrichment
Use enrichment_ips for traffic already seen by obserae. It contains the exact
public IPs that matched an enabled source.
# Sessions whose server side is on a threat feed
FROM enrichment_ips | WHERE nature == "threat" | KEEP ip, source
> FROM sessions
| LAST 3600
| JOIN ip == server_ip
| KEEP server_ip, prev_source, ip_a, ip_b, ab_bytes
# Top cloud providers reached in the last hour
FROM enrichment_ips | WHERE nature == "cloud" | KEEP ip, source
> FROM sessions
| LAST 3600
| JOIN ip == server_ip
| STATS bytes = SUM(ab_bytes) BY prev_source
| SORT bytes DESC
Use enrichment_ranges when you want to inspect the source ranges themselves or
test an arbitrary CIDR relationship.
# Sessions whose server is in an AWS range
FROM enrichment_ranges | WHERE source == "aws" | KEEP cidr, details
> FROM sessions
| LAST 3600
| JOIN server_ip WITHIN cidr
| KEEP server_ip, prev_details, ab_bytes
enrichment_ips is usually the best starting point for investigation queries.
enrichment_ranges is better for source review and range-level questions.
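An added in-memory model, in Python rather than NFQL and not obserae's own code, of what the enrichment_ips joins above compute: the threat-side filter, the bytes-per-provider aggregation, and the "first seen" cloud provider check mentioned in the GUI section. The rows are constructed; the column names (ip, source, nature, server_ip, ip_a, ab_bytes) and the prev_ prefix on joined columns follow the NFQL examples on this page, and it is assumed that ip_a is the client side of a session. The `key` argument exists to show the direction caveat from the next section: a Tor exit that connects inbound is the client, so a join on server_ip alone does not find it.

```python
"""Added example, not obserae's code: a model of the enrichment_ips joins."""
from collections import defaultdict

# Constructed enrichment_ips rows: exact public IPs that matched a source.
ENRICHMENT_IPS = [
    {"ip": "198.51.100.200", "source": "aws", "nature": "cloud"},
    {"ip": "198.51.100.10", "source": "aws", "nature": "cloud"},
    {"ip": "192.0.2.5", "source": "google_cloud", "nature": "cloud"},
    {"ip": "203.0.113.44", "source": "tor_exit", "nature": "threat"},
    {"ip": "203.0.113.7", "source": "firehol_level1", "nature": "threat"},
]

# Constructed sessions, oldest first. ip_a is assumed to be the client.
# The ts 500 row is an inbound connection from a Tor exit to 10.0.0.20.
SESSIONS = [
    {"ts": 100, "ip_a": "10.0.0.10", "server_ip": "198.51.100.200", "ab_bytes": 5000},
    {"ts": 200, "ip_a": "10.0.0.10", "server_ip": "198.51.100.10", "ab_bytes": 1500},
    {"ts": 300, "ip_a": "10.0.0.11", "server_ip": "203.0.113.7", "ab_bytes": 800},
    {"ts": 400, "ip_a": "10.0.0.11", "server_ip": "192.0.2.5", "ab_bytes": 2500},
    {"ts": 500, "ip_a": "203.0.113.44", "server_ip": "10.0.0.20", "ab_bytes": 300},
    {"ts": 600, "ip_a": "10.0.0.10", "server_ip": "192.0.2.5", "ab_bytes": 900},
    {"ts": 700, "ip_a": "10.0.0.12", "server_ip": "192.0.2.99", "ab_bytes": 100},  # no match
]


def join_enrichment(sessions, enrichment, nature=None, key="server_ip"):
    """Inner join of sessions[key] against enrichment_ips.ip.

    One output row per (session, matching source); the enrichment columns
    are carried over under the prev_ prefix used by the NFQL examples.
    `nature` filters the enrichment side first, like the WHERE in the
    first stage of the query.
    """
    by_ip = defaultdict(list)
    for row in enrichment:
        if nature is None or row["nature"] == nature:
            by_ip[row["ip"]].append(row)
    joined = []
    for s in sessions:
        for row in by_ip.get(s[key], ()):
            joined.append(dict(s, prev_source=row["source"], prev_nature=row["nature"]))
    return joined


def threat_peers(sessions, enrichment, key="server_ip"):
    """(client, server, source) for sessions whose `key` side is on a feed."""
    return [(s["ip_a"], s["server_ip"], s["prev_source"])
            for s in join_enrichment(sessions, enrichment, "threat", key)]


def bytes_by_provider(sessions, enrichment):
    """Bytes sent to each cloud provider, largest first."""
    totals = defaultdict(int)
    for s in join_enrichment(sessions, enrichment, "cloud"):
        totals[s["prev_source"]] += s["ab_bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def first_seen_providers(sessions, enrichment):
    """(ts, host, provider) the first time a host reaches a cloud provider.

    A real alert would persist `seen` between runs instead of starting empty.
    """
    seen, alerts = set(), []
    for s in sorted(join_enrichment(sessions, enrichment, "cloud"), key=lambda s: s["ts"]):
        pair = (s["ip_a"], s["prev_source"])
        if pair not in seen:
            seen.add(pair)
            alerts.append((s["ts"], s["ip_a"], s["prev_source"]))
    return alerts


if __name__ == "__main__":
    print("server on feed:", threat_peers(SESSIONS, ENRICHMENT_IPS))
    print("client on feed:", threat_peers(SESSIONS, ENRICHMENT_IPS, key="ip_a"))
    print("bytes by provider:", bytes_by_provider(SESSIONS, ENRICHMENT_IPS))
    print("first seen:", first_seen_providers(SESSIONS, ENRICHMENT_IPS))
```

Run both `threat_peers` calls and compare: the FireHOL hit appears only when joining on the server side, the inbound Tor exit only when joining on the client side. Whichever side you join on in NFQL, the other direction is invisible to that query.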
Accuracy And Limits
Cloud attribution tells you which published provider range matched. It may not identify the exact application behind a CDN, proxy or shared cloud service.
Threat-intel feeds are high-signal context, not proof. A match says the peer is listed by that source; your response still depends on direction, asset, service, history and business context.
GeoIP is country-level context. It is useful for fast scanning and rough policy questions, but it is not forensic proof of a server’s physical location, especially for cloud and CDN ranges.
ASN tells you who operates the network. It does not identify the cloud product, tenant, application or region.
Privacy
obserae fetches public provider/feed lists. It does not send your traffic, your local IPs, your cartography or your alerts to enrichment providers.
If the machine must make no outbound HTTPS requests, disable global IP enrichment. The product still works; IPs simply appear without external context.
See Also
- Connectors - where enrichment sources are managed.
- NFQL - enrichment tables and query syntax.
- Alerting - turning enrichment queries into alerts.
- Cartography - where enrichment badges appear on hosts.