Enterprise threat detection (ETD) typically collects and stores a large amount of log data from various systems associated with an enterprise computing system. The collected log data is usually analyzed using forensic-type data analysis tools to identify suspicious behavior and to allow an appropriate response. While the log data contains information such as transient Internet Protocol (IP) addresses or system information, an IP address or system information in a log entry does not specifically provide information of a geographic location where the logged event occurred. This missing geographic data is extremely useful in enterprise threat detection analysis.
Additionally, transient data, such as IP addresses, can have a lifetime shorter than a time period under ETD investigation. Using such transient data in ETD can result in incomplete or erroneous analysis results.