Data enrichment

Manage Coralogix data enrichment rules directly from your AI agent. The Model Context Protocol (MCP) server provides a unified tool to create, retrieve, update, and delete supported enrichment rules, and to generate infrastructure-as-code definitions from enrichment configurations.

Tool

Use manage_data_enrichments for all data enrichment rule operations.
Action value Description
create Create 1 or more data enrichment rules.
get Retrieve a specific data enrichment by ID.
list List supported data enrichment rules with an optional case-insensitive field-name filter.
update Replace 1 existing enrichment. The enrichment definition must include the existing ID.
delete Delete a data enrichment by ID.
generate_openapi Generate the OpenAPI JSON payload for use with the Coralogix REST API.
generate_kubernetes Generate a Kubernetes Operator YAML manifest for the Coralogix Operator.
generate_terraform Generate Terraform configuration for the Coralogix Terraform Provider.

Supported enrichment types

The tool supports the shared Terraform and Kubernetes Operator subset:
Type Key Fields
Geo enrichment geoIp fieldName, enrichedFieldName, selectedColumns, withAsn
Unified Threat Intelligence suspiciousIp fieldName, enrichedFieldName, selectedColumns
AWS resource enrichment aws fieldName, enrichedFieldName, selectedColumns, resourceType

Example prompts

List enrichment rules

List all supported Coralogix data enrichment rules.

Create enrichment rules

Create a geoIp data enrichment for fieldName client.ip with enrichedFieldName
client_geo and selectedColumns city and country. Also create a suspiciousIp
data enrichment for fieldName source.ip with enrichedFieldName source_threat.

Create an AWS enrichment

Create an AWS data enrichment with fieldName aws.resource_id,
enrichedFieldName aws_metadata, selectedColumns accountId and region,
and resourceType AWS::EC2::Instance.

Generate infrastructure as code

Generate OpenAPI JSON, Kubernetes YAML, and Terraform configuration for geoIp,
suspiciousIp, and aws data enrichment rules. Use fieldName preview.geo,
preview.suspicious, and preview.aws. Do not create or apply anything.

Important behaviors

Custom CSV enrichment is not supported. The tool rejects custom enrichment data and raw enrichment type payloads.
Update replaces 1 enrichment. Provide exactly 1 enrichment with its existing ID.
List filtering uses field names. Data enrichment rules do not have a single stable user-facing resource name.
AWS enrichment rules require a resource type. For example, use AWS::EC2::Instance.

Need help? Contact Support.

What's new? Find out here.

LLM? Read llms.txt.

Previous Parsing Rules

Next Recording rules

Action value	Description
`create`	Create 1 or more data enrichment rules.
`get`	Retrieve a specific data enrichment by ID.
`list`	List supported data enrichment rules with an optional case-insensitive field-name filter.
`update`	Replace 1 existing enrichment. The enrichment definition must include the existing ID.
`delete`	Delete a data enrichment by ID.
`generate_openapi`	Generate the OpenAPI JSON payload for use with the Coralogix REST API.
`generate_kubernetes`	Generate a Kubernetes Operator YAML manifest for the Coralogix Operator.
`generate_terraform`	Generate Terraform configuration for the Coralogix Terraform Provider.

Type	Key	Fields
Geo enrichment	`geoIp`	`fieldName`, `enrichedFieldName`, `selectedColumns`, `withAsn`
Unified Threat Intelligence	`suspiciousIp`	`fieldName`, `enrichedFieldName`, `selectedColumns`
AWS resource enrichment	`aws`	`fieldName`, `enrichedFieldName`, `selectedColumns`, `resourceType`