The Contemplator Approach: Data Enrichment Through Elastic Stack

BSidesLV 2019

Presented by: Rodrigo Brenes, Pedro Rodriguez
Date: Tuesday August 06, 2019
Time: 15:00 - 15:55
Location: Common Ground

IT and Security Teams collect data from as many sources as possible with the mindset of detecting malicious activities, anomalies, performance monitoring or troubleshooting.

Data can tell more than just what the log shows.

The contemplator approach is about understanding your data and what else it can tell through enrichment, even if it is not related to the primary purpose of the log. For this approach, data enrichment is classified in 3 categories: format, intelligence and labeling. Each category helps in understanding what type of enrichment can be applied to given fields in a log.

Data enrichment increases the context, opening human and machine learning eyes to a wider picture of happenings.

Happenings can be used for security monitoring, security reporting, compliance or business intelligence.

Data enrichment can be used to detect licensed software downloaded from an embargoed country, acquisitions involving competitors, network scans and DDoS orchestrated using a given network carrier, scam calls, pricing espionage in ecommerce websites, companies looking at your website content, and more.

You only see what your logs want you to see. What else can you see?

Rodrigo Brenes

Professional on Information Technology with over seven years of work experience in the Information Security field. He has worked for large companies, including HP and IBM on Enterprise Vulnerability Management and Secure Operation Center, and he is currently employed as the Information Security Operations Lead at National Instruments. In his current role, Rodrigo supports the security event and incident management plus other security initiatives and projects.

Pedro Rodriguez

Graduated from the Costa Rican Institute of Technology with a BS in Computer Science in 2017. Started working as an intern in National Instruments, getting a full-time position later as a Information Security Analyst. Currently in charge of managing the logs throughout the Elastic Stack platform, incident response and also testing new tools related to security, he is currently pursuing a certification as a Cloud Security specialist and architect.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats