Location enrichment in enterprise threat detection

US10542016B2 · US · B2

Patent metadata
Field                Value
Publication number   US-10542016-B2
Application number   US-201615253438-A
Country              US
Kind code            B2
Filing date          Aug 31, 2016
Priority date        Aug 31, 2016
Publication date     Jan 21, 2020
Grant date           Jan 21, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Subnet information and location information is received from a database by a smart data streaming engine (SDS). A particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value. Log event data received in the SDS is normalized as normalized log event data. The normalized log event data is enriched with subnet and location information as enriched log event data and written into a log event persistence in the database. A subnet ID value retrieved from an enriched log event of the enriched log event data is used by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using a location ID value associated with the subnet ID.

Claims

Full claim text (claims 1–20). Claims 1, 8 and 15 are the independent claims (method, computer-readable medium, and system); the remaining claims depend on them.

What is claimed is:

1. A computer-implemented method, comprising: receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment; receiving log event data in the SDS; normalizing the log event data in the SDS as normalized log event data; enriching the normalized log event data with the subnet information and the location information as enriched log event data; writing the enriched log event data into a log event persistence in the database; and using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value.

2. The computer-implemented method of claim 1, wherein the subnet information and the location information is maintained in the database.

3. The computer-implemented method of claim 2, wherein system information is maintained in the database, and wherein a particular system of the system information is associated with a particular location of the location information by a particular globally unique location ID value.

4. The computer-implemented method of claim 1, comprising: reading the subnet information and the location information from the database; and writing the subnet information and the location information into the subnet-location cache of the SDS.

5. The computer-implemented method of claim 4, wherein the subnet information and the location information is read from the subnet-location persistence and written to the subnet-location cache using an SDS database in adapter coupling the database and the SDS.

6. The computer-implemented method of claim 1, wherein the enriched log event data is written to the log event persistence using an SDS database out adapter coupling the SDS and the database.

7. The computer-implemented method of claim 1, comprising enriching the normalized log event data with a determined subnet ID value.

8. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising: receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment; receiving log event data in the SDS; normalizing the log event data in the SDS as normalized log event data; enriching the normalized log event data with the subnet information and the location information as enriched log event data; writing the enriched log event data into a log event persistence in the database; and using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value.

9. The non-transitory, computer-readable medium of claim 8, wherein the subnet information and the location information is maintained in the database.

10. The non-transitory, computer-readable medium of claim 9, wherein system information is maintained in the database, and wherein a particular system of the system information is associated with a particular location of the location information by a particular globally unique location ID value.

11. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to: read the subnet information and the location information from the database; and write the subnet information and the location information into the subnet-location cache of the SDS.

12. The non-transitory, computer-readable medium of claim 11, wherein the subnet information and the location information is read from the subnet-location persistence and written to the subnet-location cache using an SDS database in adapter coupling the database and the SDS.

13. The non-transitory, computer-readable medium of claim 8, wherein the enriched log event data is written to the log event persistence using an SDS database out adapter coupling the SDS and the database.

14. The non-transitory, computer-readable medium of claim 8, comprising one or more instructions to enrich the normalized log event data is enriched with a determined subnet ID value.

15. A computer-implemented system, comprising: a computer memory; and a hardware processor interoperably coupled with the computer memory and configured to perform operations comprising: receiving subnet information and location information from a database into a smart data streaming engine (SDS) subnet-location cache, wherein a particular subnet of the subnet information is associated with a particular location of the location information by a globally unique location ID value, and wherein the information is stored in the subnet-location cache in the form of a dictionary table and a vector for fast data enrichment; receiving log event data in the SDS; normalizing the log event data in the SDS as normalized log event data; enriching the normalized log event data with the subnet information and the location information as enriched log event data; writing the enriched log event data into a log event persistence in the database; and using a subnet ID value retrieved from an enriched log event of the enriched log event data by an enterprise threat detection (ETD) system to determine a location associated with the enriched log event using the location ID value associated with the subnet ID value.

16. The computer-implemented system of claim 15, wherein the subnet information and the location information is maintained in the database.

17. The computer-implemented system of claim 16, wherein system information is maintained in the database, and wherein a particular system of the system information is associated with a particular location of the location information by a particular globally unique location ID value.

18. The computer-implemented system of claim 15, configured to: read the subnet information and the location information from the database; and write the subnet information and the location information into the subnet-location cache of the SDS.

19. The computer-implemented system of claim 18, wherein the subnet information and the location information is read from the subnet-location persistence and written to the subnet-location cache using an SDS database in adapter coupling the database and the SDS, and wherein the enriched log event data is written to the log event persistence using an SDS database out adapter coupling the SDS and the database.

20. The computer-implemented system of claim 15, configured to enrich the normalized log event data is enriched with a determined subnet ID value.
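The abstract and claim 1 describe a three-stage flow: a subnet-to-location cache loaded from the database, a streaming normalize-then-enrich step that stamps each log event with a subnet ID and a location ID, and an ETD consumer that resolves the location from the persisted subnet ID. The following is an added worked example written for this page, not SAP's code or anything taken from the patent. Everything beyond the claim language is assumed: subnets in CIDR notation, a longest-prefix-match rule when subnets nest, the two constructed raw log formats, the fields of the location table, and my reading of the claimed "dictionary table and a vector" as one dictionary per prefix length plus a vector of prefix lengths sorted longest-first. It also covers the two failure modes a practitioner cares about: a source address that belongs to no known subnet (left unenriched rather than guessed) and a raw event no parser understands (dropped).

```python
"""Added worked example of the subnet/location enrichment flow described in
US10542016B2. Illustrative code written for this page, not SAP's
implementation. Assumed (not from the patent): CIDR subnets, longest-prefix
match for nested subnets, integer IDs, the constructed log formats below,
and the fields of the location table."""
from __future__ import annotations

import ipaddress
import json
import re
from typing import Optional

# Constructed stand-in for the subnet-location persistence in the database.
SUBNET_TABLE = [
    # (subnet_id, cidr, location_id) -- location_id is the globally unique location ID
    (1, "10.1.0.0/16", 100),
    (2, "10.1.20.0/24", 101),  # nested inside subnet 1; must win for 10.1.20.x
    (3, "192.168.5.0/24", 102),
]
LOCATION_TABLE = {
    100: {"name": "Walldorf campus", "country": "DE"},
    101: {"name": "Walldorf data center", "country": "DE"},
    102: {"name": "Palo Alto office", "country": "US"},
}
SUBNET_TO_LOCATION = {sid: lid for sid, _cidr, lid in SUBNET_TABLE}


class SubnetLocationCache:
    """My reading of the claimed 'dictionary table and vector': one dict per
    prefix length keyed by network address, plus a vector of prefix lengths
    sorted longest-first, so a lookup is a handful of dict probes."""

    def __init__(self, subnet_rows):
        self.by_prefix: dict[int, dict[int, tuple[int, int]]] = {}
        for subnet_id, cidr, location_id in subnet_rows:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set
            table = self.by_prefix.setdefault(net.prefixlen, {})
            table[int(net.network_address)] = (subnet_id, location_id)
        self.prefix_vector = sorted(self.by_prefix, reverse=True)

    def lookup(self, ip: str) -> Optional[tuple[int, int]]:
        """Return (subnet_id, location_id) of the most specific matching subnet."""
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            return None  # IPv4 only in this example
        a = int(addr)
        for plen in self.prefix_vector:
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            hit = self.by_prefix[plen].get(a & mask)
            if hit is not None:
                return hit
        return None  # source is outside every known subnet


# Constructed raw events in two formats: an sshd syslog line and a JSON audit record.
RAW_EVENTS = [
    "Jan 21 10:00:01 bastion01 sshd[4242]: Failed password for root from 10.1.20.7 port 51022 ssh2",
    '{"time": "2020-01-21T10:00:05Z", "user": "alice", "client_ip": "10.1.3.9", "result": "success"}',
    "Jan 21 10:00:09 bastion01 sshd[4243]: Accepted password for alice from 203.0.113.4 port 51030 ssh2",
    "Jan 21 10:00:12 bastion01 kernel: eth0 link up",  # no parser for this; dropped
]
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<verb>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def normalize(raw: str) -> Optional[dict]:
    """Map heterogeneous raw events onto one schema (ts, user, src_ip, outcome)."""
    raw = raw.strip()
    if raw.startswith("{"):
        obj = json.loads(raw)
        return {"ts": obj["time"], "user": obj["user"],
                "src_ip": obj["client_ip"], "outcome": obj["result"]}
    m = SSHD_RE.match(raw)
    if m:
        return {"ts": m["ts"], "user": m["user"], "src_ip": m["ip"],
                "outcome": "success" if m["verb"] == "Accepted" else "failure"}
    return None  # unparseable event: dropped here, dead-lettered in a real pipeline


def enrich(event: dict, cache: SubnetLocationCache) -> dict:
    """Attach subnet_id and location_id; unknown sources get None, not a guess."""
    hit = cache.lookup(event["src_ip"])
    enriched = dict(event)
    enriched["subnet_id"], enriched["location_id"] = hit if hit else (None, None)
    return enriched


def run_pipeline(raw_events, cache: SubnetLocationCache) -> list[dict]:
    """SDS side: normalize, enrich, and return the rows to persist."""
    return [enrich(ev, cache) for ev in map(normalize, raw_events) if ev is not None]


def etd_location(enriched: dict) -> Optional[dict]:
    """ETD side: resolve the location from the persisted subnet ID via its location ID."""
    subnet_id = enriched.get("subnet_id")
    if subnet_id is None:
        return None
    return LOCATION_TABLE.get(SUBNET_TO_LOCATION[subnet_id])


if __name__ == "__main__":
    cache = SubnetLocationCache(SUBNET_TABLE)
    for row in run_pipeline(RAW_EVENTS, cache):
        loc = etd_location(row)
        print(row["user"], row["src_ip"], row["outcome"], "->", loc["name"] if loc else "unknown location")
```

Two design points follow from the claims rather than from my assumptions: the enrichment happens in the stream before persistence, so the stored event carries a subnet ID and the ETD side never has to re-resolve an address against the live subnet table; and because the link from subnet to location goes through the globally unique location ID, a subnet moving to a new site is a single row update, not a rewrite of historical events. The part a deployment has to get right on its own is the failed lookup: a source outside every known subnet is a detection signal in itself and should stay visibly unenriched rather than default to a catch-all location.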

Assignees

SAP SE

Inventors

Classifications

  • Event detection, e.g. attack signature detection (H04L63/1416, primary) · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

  • Service impersonation, e.g. phishing, pharming or web spoofing (detection of rogue wireless access points H04W12/12) · CPC title

  • When the policy decisions are valid for a limited amount of time · CPC title

  • Using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10542016B2 cover?
Enriching normalized security log events, inside a smart data streaming engine, with a subnet ID and a globally unique location ID taken from a subnet-location table held in the database, and persisting the enriched events so that an enterprise threat detection (ETD) system can resolve the physical location of an event from its stored subnet ID. See the abstract and claim 1 above.
Who is the assignee on this patent?
SAP SE
What technology area does this patent fall under?
Primary CPC classification H04L63/1416 (Event detection, e.g. attack signature detection). Mapped technology area: Electricity (IPC/CPC Section H).
When was this patent published?
Publication date Jan 21, 2020 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
The database records 12 related publications for this patent (citations in our corpus or others sharing the same primary CPC, H04L63/1416); the list itself is not rendered on this page.