Enrichment: Context Before Detection, Not After
In a traditional SIEM, enrichment happens at alert time — after the detection already fired. Lookup tables join GeoIP, threat intel, and asset data onto the alert as decoration. The detection ran on raw fields. The context arrived later. That's backwards.
Pipeline tools give you the ability to do your own enrichment — lookup functions, CSV joins, field mapping. But you're building and maintaining it yourself. You pick which fields to enrich, you upload the lookup files, you keep them current. And the tools don't understand what's in the data — you have to tell them which field is an IP, which is a user, which is a hostname.
Even when pipeline enrichment works, the enriched data still flows to a SIEM that detects on a schedule. Enriched data + batch detection = enriched data detected late.
How spotr.io Does It
spotr.io discovers the semantic types in your data — "this field is an IP, this is a hostname, this is a user principal" — and auto-enriches based on what it finds. No field mapping. No configuration. The data tells spotr.io what it is.
If the enrichment is generally useful — GeoIP, ASN, threat intel feeds, entity resolution, reputation scoring — spotr.io brings it and maintains it. Built in, updated, running. Not a DIY project.
If you have your own enrichment — asset inventories, business unit mappings, custom context tables — you can bring those too and layer them in alongside the built-in enrichment.
Enrichment happens on the stream, inline, before detection. That means "login from sanctioned country" IS the detection — not a footnote on an alert. "Connection to known-C2 infrastructure" fires because the threat intel is already part of the event when the evaluator sees it. Context becomes criteria.
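To make that ordering concrete, here is an added Python sketch (not spotr.io code; the lookup tables, rule names and events are constructed for illustration). It infers each field's semantic type from its value, enriches inline from built-in and customer-supplied context, and only then evaluates rules whose criteria are the enriched fields; a second function runs the same rules in the traditional order for contrast.

```python
import ipaddress
import re

# Constructed lookup tables standing in for built-in enrichment feeds (not real data).
GEOIP = {"198.51.100.7": "KP", "203.0.113.9": "DE"}   # IP -> country
THREAT_INTEL = {"203.0.113.9": "known-c2"}             # IP -> reputation tag
SANCTIONED = {"KP", "IR"}                              # constructed policy list

# Customer-supplied context layered alongside the built-in feeds (constructed).
ASSET_INVENTORY = {"fin-db-01": {"owner": "finance", "tier": "crown-jewel"}}

HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9-]+)*$", re.I)

def semantic_type(value):
    """Infer what a field holds from the value itself, so no field mapping is needed."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if "@" in value or "\\" in value:      # user@domain or DOMAIN\user
        return "user"
    if HOSTNAME_RE.match(value):           # heuristic; misses simply enrich to nothing
        return "hostname"
    return "other"

def enrich(event):
    """Attach context to every field whose semantic type is recognised, before any rule runs."""
    out = dict(event)
    for field, value in event.items():
        kind = semantic_type(str(value))
        if kind == "ip":
            out[f"{field}.country"] = GEOIP.get(value)
            out[f"{field}.reputation"] = THREAT_INTEL.get(value)
        elif kind == "hostname":
            out.update({f"{field}.{k}": v for k, v in ASSET_INVENTORY.get(value, {}).items()})
    return out

# Rules evaluate enriched fields directly: the context is the criteria.
RULES = {
    "login-from-sanctioned-country": lambda e: e.get("action") == "login" and e.get("src_ip.country") in SANCTIONED,
    "connection-to-known-c2": lambda e: e.get("dst_ip.reputation") == "known-c2",
    "crown-jewel-touched": lambda e: e.get("host.tier") == "crown-jewel",
}

def detect(event):
    """Stream order: enrich inline, then return the names of the rules that fire."""
    enriched = enrich(event)
    return sorted(name for name, rule in RULES.items() if rule(enriched))

def detect_traditional(event):
    """Batch-SIEM order for contrast: rules see raw fields; context is bolted on afterwards."""
    fired = sorted(name for name, rule in RULES.items() if rule(event))
    return fired, enrich(event)   # enrichment arrives as decoration, too late to be criteria
```

With the constructed feeds, the login event from 198.51.100.7 fires in stream order and fires nothing in traditional order, because the rule's criterion (`src_ip.country`) does not exist on the raw event.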
The AI SOC Analyst receives signals that are already fully enriched. Triage starts with context, not a raw IP that needs manual lookup.
And the enriched data doesn't stop at detection. Pre-enriched events flow to every downstream sink — your SIEM, your data lake, your SOAR, Kafka, syslog, webhooks. Enrich once on the stream, use everywhere downstream. Every system in your stack gets better data.
The Conversation
"Who's building and maintaining your enrichment — you or the platform?" — If it's you, that's overhead you don't need.
"When does enrichment happen in your pipeline — before or after detection?" — If it's after, your detections are running without context.
"What if the platform discovered what's in your data, enriched it automatically, let you layer in your own context, and forwarded the enriched data everywhere?" — That's spotr.io.