# ElastiFlow NetIntel

{% hint style="warning" %}
In order to enable NetIntel enrichment, you need to be on version 7.x of NetObserv Flow (flowcoll) and on Elasticsearch 8.x or OpenSearch 2.x. You will also need to download and install the [latest Kibana Dashboards](https://github.com/elastiflow/elastiflow_for_elasticsearch/tree/master/kibana/flow) or [OpenSearch Dashboards](https://github.com/elastiflow/elastiflow_for_opensearch/tree/main/dashboards/flow) respectively.
{% endhint %}

## Overview

ElastiFlow NetObserv Flow provides the ability to enrich flow records with threat intelligence and app/service information provided by ElastiFlow's NetIntel feed. NetIntel can help you quickly identify threats and high-risk traffic in your environment.

## Configurations

### EF\_PROCESSOR\_ENRICH\_IPADDR\_NETINTEL\_ENABLE

Enrichment with NetIntel is enabled by default starting in NetObserv v7. If you don't want NetIntel enrichment, set this option to `false`.

* Valid Values
  * `true`, `false`
* Default
  * `true`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_NETINTEL\_AS\_PREFIX\_PRECISION

An autonomous system can contain other autonomous systems, so an address may match several nested AS prefixes. With `exact`, the flow record is enriched with only the most specific matching AS prefix; with `all`, it is enriched with the prefixes of every autonomous system the address belongs to.

* Valid Values
  * `all`, `exact`
* Default Value
  * `exact`

## Air-Gapped Environment Configurations

By default, the NetIntel dataset is retrieved via API requests and stored to the [Data Path](/flowcoll/configuration/config_gen/data_path.md) directory for enrichment purposes. If you want to use NetIntel enrichment in an air-gapped environment, download the dataset and specify the path to it.

{% hint style="info" %}
This feature is only available to standard or premium licensed customers.
{% endhint %}

### EF\_PROCESSOR\_ENRICH\_IPADDR\_NETINTEL\_THREAT\_COLLECTION\_PATH

Path to the downloaded Threat Collection dataset. Setting this configuration option to a non-empty string disables the recurring retrieval of the Threat Collection dataset.

* Default
  * `''`
* Recommended
  * `/etc/elastiflow/netintel/threat_collection.pb`

### EF\_PROCESSOR\_ENRICH\_IPADDR\_NETINTEL\_IP\_DB\_PATH

Path to the downloaded IPDB dataset. Setting this configuration option to a non-empty string disables the recurring retrieval of the IPDB dataset.

* Default
  * `''`
* Recommended
  * `/etc/elastiflow/netintel/ipdb.pb`

## Downloading the dataset

### Installing `netobserv` CLI Tool <a href="#install-cli-tool" id="install-cli-tool"></a>

You can download and install the `netobserv` CLI tool on Linux machines via our `deb` or `rpm` packages.

In the commands below, replace `{current version}` with the NetObserv Flow version you are installing.

`deb`:

```shell
wget https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv_{current version}_linux_amd64.deb
sudo apt install ./netobserv_{current version}_linux_amd64.deb
```

`rpm`:

```shell
wget https://elastiflow-releases.s3.us-east-2.amazonaws.com/netobserv/netobserv-{current version}-1.x86_64.rpm
sudo yum install -y netobserv-{current version}-1.x86_64.rpm
```

If upgrading from a previously installed `rpm`, run the following:

```shell
sudo rpm -Uhv netobserv-{current version}-1.x86_64.rpm
```

### Download the Dataset

To download the NetIntel dataset, use the following command:

```shell
# Export the license settings so the netobserv child process can read them;
# plain shell assignments without `export` are not visible to the command.
export EF_ACCOUNT_ID="{your account id}"
export EF_LICENSE_KEY="{your license key}"
export EF_LICENSE_ACCEPTED="true"
# The two dataset paths are set inline on the command; nothing may follow the
# trailing backslash on a continued line, or the continuation breaks.
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH=/etc/elastiflow/netintel/ipdb.pb \
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH=/etc/elastiflow/netintel/threat_collection.pb \
/usr/share/elastiflow/bin/netobserv pull dataset --source=netintel --config={path to flowcoll.yml}
```

Alternatively, without a configuration file, pass every setting on the command line:

```shell
EF_ACCOUNT_ID="{your account id}" \
EF_LICENSE_KEY="{your license key}" \
EF_LICENSE_ACCEPTED="true" \
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH=/etc/elastiflow/netintel/ipdb.pb \
EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH=/etc/elastiflow/netintel/threat_collection.pb \
/usr/share/elastiflow/bin/netobserv pull dataset --source=netintel
```

{% hint style="info" %}
You must have permission to write to the download paths (`/etc/elastiflow/netintel` in the commands above).
{% endhint %}

Then, provide the paths to the dataset files in the NetObserv Flow configuration by setting [EF\_PROCESSOR\_ENRICH\_IPADDR\_NETINTEL\_THREAT\_COLLECTION\_PATH](#ef_processor_enrich_ipaddr_netintel_threat_collection_path) to the Threat Collection file and [EF\_PROCESSOR\_ENRICH\_IPADDR\_NETINTEL\_IP\_DB\_PATH](#ef_processor_enrich_ipaddr_netintel_ip_db_path) to the IPDB file.
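A pre-flight check for the air-gapped setup described above, added here as an example and not part of ElastiFlow's tooling. It reads the same two path variables flowcoll reads and reports, per dataset, whether enrichment will use a local file (recurring retrieval disabled) or fall back to API retrieval, catching a missing, unreadable or empty `.pb` file before flowcoll is started. The function names are the example's own.

```shell
#!/bin/sh
# check_dataset NAME PATH
#   returns 0 when PATH is a readable, non-empty file (local dataset, recurring
#   retrieval disabled), 2 when PATH is empty (dataset fetched via the API,
#   which an air-gapped host cannot reach), 1 when the file is unusable.
check_dataset() {
  name=$1
  path=$2
  if [ -z "$path" ]; then
    echo "$name: path unset, dataset would be retrieved via API"
    return 2
  fi
  if [ ! -f "$path" ]; then
    echo "$name: $path does not exist (did 'netobserv pull dataset' run?)"
    return 1
  fi
  if [ ! -r "$path" ]; then
    echo "$name: $path is not readable by $(id -un)"
    return 1
  fi
  if [ ! -s "$path" ]; then
    echo "$name: $path is empty, re-run the download"
    return 1
  fi
  echo "$name: local file $path, recurring retrieval disabled"
  return 0
}

# netintel_preflight: checks both datasets from the flowcoll environment
# variables; returns 0 only when both are usable local files.
netintel_preflight() {
  pf_rc=0
  check_dataset "Threat Collection" \
    "${EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_THREAT_COLLECTION_PATH:-}" || pf_rc=1
  check_dataset "IPDB" \
    "${EF_PROCESSOR_ENRICH_IPADDR_NETINTEL_IP_DB_PATH:-}" || pf_rc=1
  return $pf_rc
}

# Run with the same environment flowcoll will get, e.g. from its systemd unit.
if netintel_preflight; then
  echo "NetIntel air-gapped enrichment: ready"
else
  echo "NetIntel air-gapped enrichment: NOT ready, fix the items above"
fi
```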
