
Data Enrichment

Raw logs rarely contain all the context needed for effective analysis. Data Enrichment lets you append contextual fields to your logs—automatically during ingestion, or dynamically at query time—without changing how you send data. Use it to add business metadata, geographic context, AWS infrastructure tags, or security threat indicators to every matching log.

Navigate to Data Flow, then Data Enrichment to manage all enrichments from a single screen.

Enrichment types

Coralogix provides four built-in enrichment types. Each type targets a specific domain and can be configured through the unified editor.

Unified Threat Intelligence

Automatically checks IP addresses, URLs, and domains in your logs against curated threat intelligence feeds maintained by Coralogix security experts. When a value matches a known threat, a <key_name>_suspected field is appended to the log containing the matched value, the feeds that reported it, and a confidence score.

Use this enrichment to detect phishing attempts, command-and-control traffic, brute-force scanning, and data exfiltration in real time—without API integrations or custom configuration.

Set up Unified Threat Intelligence →

Geo Enrichment

Resolves IP addresses in your logs to geographic location data, including country, city, continent, postal code, and coordinates. Optionally adds ASN (Autonomous System Number) information to identify the network or organization behind the IP.

Use this enrichment to visualize traffic on a map, investigate geographic anomalies, and filter logs by region.

Set up Geo Enrichment →

AWS Resource Enrichment

Appends EC2 instance tags from your AWS environment to logs that contain an instance ID field. Tags are collected every 10 minutes via a Lambda function deployed in your account.

Use this enrichment to correlate logs with business and operational metadata from AWS—such as team, environment, or cost center tags—without re-instrumenting your applications.

Set up AWS Resource Enrichment →

Custom Enrichment

Enriches logs by matching a log field against a column in a CSV file you upload. Each matching row appends additional columns from that CSV to the log as new fields. Supports both simple key-value mappings and multi-column JSON-style enrichments.

Use this enrichment to add customer names, product details, user roles, or any other lookup data that lives outside your logs.

Set up Custom Enrichment →

Add an enrichment

There are two ways to add an enrichment from the Data Enrichment screen:

  • Select a type shortcut card—Enrich threat intelligence, Enrich geo location, Enrich AWS metadata, or Enrich custom data—to open the editor with the type pre-selected.
  • Select + Add enrichment, choose a type in the editor, then configure the enrichment.

The four enrichment type shortcut cards on the Data Enrichment screen

Manage enrichments

The enrichments table lists all configured enrichments with their type, name, source, key, and status. Select any row to open the editor and update the configuration. Select Delete in the row actions to remove an enrichment.

For custom enrichments, the more actions menu also provides:

  • Download CSV — retrieve the uploaded CSV file.
  • View in Explore screen — preview the enrichment data as a queryable dataset in Explore.

Enrichment methods

Each enrichment type supports two modes:

  • Automatic enrichment during ingestion — Coralogix appends fields to logs as they are ingested and stored. Enriched fields are available everywhere in Coralogix, including Alerts and Custom Dashboards, and in any external tools that read from your archive.
  • DataPrime query enrichment — Use the enrich operator to enrich logs dynamically at query time. The enrichment is not stored; it applies only to the current query results. This works retroactively on previously ingested logs.

Enrichment keys

Each log field configured for automatic enrichment counts as one enrichment key. The keys indicator at the top of the Data Enrichment screen shows your current usage against your plan limit.

Custom enrichment CSV files exceeding 10,000 rows can only be used for DataPrime query enrichment, not for automatic ingestion enrichment. CSV files are limited to 150,000 rows total.
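
A pre-upload check for a custom enrichment CSV against the two row limits above, written as an added example and not Coralogix code. The function name, the sample data, and the assumption that the limits count data rows (not the header line) belong to this example; it also reports blank and duplicate values in the key column, which make lookups ambiguous.

```python
import csv
import io
from collections import Counter

AUTO_INGEST_MAX_ROWS = 10_000   # from the page: larger files are query-time only
CSV_MAX_ROWS = 150_000          # from the page: total CSV row limit


def check_enrichment_csv(text, key_column):
    """Return a report dict for a custom-enrichment CSV before upload.

    Assumption: the limits count data rows, not the header line.
    """
    reader = csv.DictReader(io.StringIO(text))
    if key_column not in (reader.fieldnames or []):
        raise ValueError(f"key column {key_column!r} not in header {reader.fieldnames}")
    keys = Counter()
    blank = 0
    rows = 0
    for row in reader:
        rows += 1
        value = (row[key_column] or "").strip()
        if value:
            keys[value] += 1
        else:
            blank += 1  # a row with no key can never match a log field
    if rows > CSV_MAX_ROWS:
        modes = []                      # too large to use at all
    elif rows > AUTO_INGEST_MAX_ROWS:
        modes = ["query"]               # DataPrime query enrichment only
    else:
        modes = ["ingestion", "query"]  # both modes available
    return {
        "rows": rows,
        "modes": modes,
        "blank_keys": blank,
        "duplicate_keys": sorted(k for k, n in keys.items() if n > 1),
    }


# Constructed sample: user-to-role lookup with one duplicate and one blank key.
SAMPLE = "user_id,role,team\nu1,admin,sec\nu2,analyst,soc\nu1,viewer,it\n,guest,none\n"

if __name__ == "__main__":
    print(check_enrichment_csv(SAMPLE, "user_id"))
```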

Additional resources

5.1 Coralogix Academy - Introduction to Data Enrichment in Coralogix
5.6 Coralogix Academy - Understanding Limitations in Enrichments