
Enrichment Workflows

Design automated enrichment pipelines that add context to alerts and accelerate investigations.

Last updated: February 2026

Purpose and Scope

Enrichment workflows automatically add context to security alerts by querying threat intelligence, asset databases, and external services. Well-designed enrichment reduces analyst workload, improves triage decisions, and surfaces high-priority incidents faster.

Prerequisites

  • SIEM or SOAR platform: Splunk, Sentinel, Elastic, XSOAR, Phantom, or similar
  • API access: Keys for threat intel services (VirusTotal, OTX, Shodan, etc.)
  • Asset inventory: CMDB or asset database with owner and criticality data
  • User directory: Integration with Active Directory or identity provider

Enrichment Goals

Effective enrichment answers:

  • Is this indicator known malicious?
  • What asset is affected and how critical is it?
  • Who owns or uses this system?
  • Have we seen this indicator elsewhere in our environment?
  • What threat actor or campaign is associated with this activity?

Enrichment Data Sources

Threat Intelligence

  • VirusTotal: File, URL, domain, and IP reputation
  • AlienVault OTX: Pulse context and indicator relationships
  • Shodan: Host exposure and service details
  • AbuseIPDB: IP address abuse reports
  • GreyNoise: Internet scanner identification
  • Commercial feeds: Recorded Future, Mandiant, CrowdStrike, etc.

Internal Context

  • Asset inventory: Hostname, OS, owner, business unit, criticality
  • User directory: Job title, department, manager, privileged status
  • Vulnerability data: Known vulnerabilities on affected assets
  • Recent changes: Configuration or deployment activity
  • Historical alerts: Previous security events involving this entity

External Context

  • WHOIS: Domain registration details
  • GeoIP: Location data for IP addresses
  • ASN lookup: Network ownership information
  • urlscan.io: Website screenshots and resources
  • Certificate transparency: Related certificates and domains

Enrichment Architecture

At Ingest Time

Enrich events as they enter the SIEM:

  • Add GeoIP data to all external IP addresses
  • Resolve hostnames to asset inventory records
  • Tag events with user attributes from directory
  • Mark known IOCs from cached threat feeds

Pros: Data available immediately for all queries. Cons: Processing overhead, storage costs.

At Alert Time

Enrich when an alert fires:

  • Query live APIs for current reputation
  • Pull detailed asset and user context
  • Check for related alerts in recent timeframes
  • Run expensive lookups only for alerts that matter

Pros: Fresh data, lower storage costs. Cons: API rate limits, latency.

On Demand

Enrich during analyst investigation:

  • Deep enrichment triggered by analyst request
  • Interactive pivoting through related data
  • Useful for complex or novel indicators

Building Enrichment Playbooks

1. Define Trigger Conditions

  • Which alerts or event types trigger enrichment?
  • What indicator types need enrichment?
  • Are there severity thresholds?

2. Select Enrichment Sources

Match sources to indicator types:

  • IP addresses: VirusTotal, AbuseIPDB, GreyNoise, GeoIP, ASN
  • Domains: VirusTotal, WHOIS, urlscan.io, passive DNS
  • URLs: VirusTotal, urlscan.io, Google Safe Browsing
  • Hashes: VirusTotal, MalwareBazaar, Hybrid Analysis
  • Users: Active Directory, HR system, previous alerts
  • Hosts: CMDB, vulnerability scanner, EDR

3. Design Query Logic

  • Extract indicator from alert fields
  • Validate indicator format before querying
  • Handle API errors gracefully
  • Implement rate limiting and caching
  • Set timeouts for slow responses

4. Normalize and Store Results

  • Map API responses to common schema
  • Extract key fields: reputation score, categories, first seen
  • Attach results to the original alert
  • Store for analyst review and historical reference

5. Define Actions Based on Results

  • Increase alert severity if indicator is known malicious
  • Auto-close if indicator is known benign (with caution)
  • Route critical asset alerts to senior analysts
  • Create tickets for confirmed incidents
  • Add to blocklist if confidence is high

Example Workflow: IP Reputation Enrichment

Trigger: Alert with external IP address

  1. Extract destination IP from alert
  2. Query VirusTotal for reputation and detected URLs
  3. Query AbuseIPDB for abuse reports
  4. Query GreyNoise to identify benign scanners
  5. Query GeoIP for location and ASN
  6. Query asset inventory for affected host details
  7. Aggregate scores and flag high risk indicators
  8. Update alert with enrichment summary
  9. Route based on combined risk score
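The nine steps above as an added, runnable Python sketch (not code from this page or from any SOAR product): the live VirusTotal, AbuseIPDB, GreyNoise and CMDB calls are replaced by constructed in-memory tables keyed by RFC 5737 test addresses, the source weights and the 50-point "malicious" threshold are assumed tuning values, and an indicator that no source knows is kept as "unknown" rather than treated as clean.

```python
import ipaddress

# Constructed, offline stand-ins for VirusTotal, AbuseIPDB, GreyNoise and the
# CMDB; a real playbook swaps in API clients. Addresses are RFC 5737 test IPs.
VT = {"203.0.113.10": {"malicious": 12}}                    # engines flagging it
ABUSEIPDB = {"203.0.113.10": {"abuseConfidenceScore": 85}}
GREYNOISE = {"198.51.100.7": {"classification": "benign"}}  # known scanner
CMDB = {"srv-db-01": {"owner": "dba-team", "criticality": "high"}}
WEIGHTS = {"virustotal": 50, "abuseipdb": 30, "greynoise": 20}  # assumed, percent
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def validate_ip(value):
    """Step 1: query only syntactically valid, non-internal addresses (ranges are
    listed explicitly; ipaddress.is_global would also reject the RFC 5737 IPs)."""
    ip = ipaddress.ip_address(value.strip())  # ValueError on malformed input
    if any(ip in net for net in INTERNAL):
        raise ValueError(f"{ip} is internal, not an external indicator")
    return str(ip)

def query(source, ip):
    """Steps 2-4: look up one source and map its answer to a common schema."""
    if source == "virustotal":
        hit = VT.get(ip)
        score = min(100, hit["malicious"] * 8) if hit else 0
    elif source == "abuseipdb":
        hit = ABUSEIPDB.get(ip)
        score = hit["abuseConfidenceScore"] if hit else 0
    else:  # greynoise: a benign scanner classification lowers the score
        hit = GREYNOISE.get(ip)
        score = -50 if hit and hit["classification"] == "benign" else 0
    return {"source": source, "score": score, "found": hit is not None}

def enrich_ip_alert(alert):
    """Steps 1-9: validate, query, pull asset context, aggregate, attach, route."""
    ip = validate_ip(alert["dest_ip"])
    results = [query(s, ip) for s in WEIGHTS]
    asset = CMDB.get(alert["host"], {"owner": "unknown", "criticality": "unknown"})
    risk = sum(WEIGHTS[r["source"]] * r["score"] for r in results) // 100
    risk = max(0, min(100, risk))
    if not any(r["found"] for r in results):
        verdict = "unknown"  # nobody knows it: that is not evidence of benign
    else:
        verdict = "malicious" if risk >= 50 else "suspicious" if risk else "benign"
    critical = asset["criticality"] == "high"
    route = ("immediate_escalation" if verdict == "malicious" and critical
             else "low_priority" if verdict == "benign" else "investigation_queue")
    return {**alert, "enrichment": {"ip": ip, "asset": asset, "sources": results,
                                    "risk_score": risk, "verdict": verdict, "route": route}}
```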

Caching and Rate Limiting

  • Cache results for a defined TTL (e.g., 1 hour for reputation)
  • Track API usage against rate limits
  • Queue requests when approaching limits
  • Prioritize enrichment for high severity alerts
  • Fall back gracefully when services are unavailable
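An added example (not from this page) of the five points above wrapped around one source: a TTL cache, a fixed-window rate limit that keeps the last slot for high-severity alerts, a queue for deferred indicators, and a fallback result when the service fails. The limit, window, TTL, and the stand-in AbuseIPDB client are constructed; an "unavailable" result is what the escalation guidance later treats as "failed enrichment, manual review".

```python
import time
from collections import deque

class EnrichmentSource:
    """One reputation API behind a TTL cache, a fixed-window rate limit and a
    fallback result, so a throttled or dead service never breaks the playbook.
    `lookup` is the client call; `clock` is injectable for deterministic tests."""

    def __init__(self, name, lookup, ttl=3600, limit=4, window=60, clock=time.monotonic):
        self.name, self.lookup, self.ttl = name, lookup, ttl
        self.limit, self.window, self.clock = limit, window, clock
        self.cache = {}       # indicator -> (expires_at, normalized result)
        self.calls = deque()  # timestamps of API calls inside the window
        self.deferred = []    # low-priority indicators queued for a later run
        self.stats = {"hit": 0, "deferred": 0, "failed": 0}

    def _allowed(self, now, high_priority):
        while self.calls and self.calls[0] <= now - self.window:
            self.calls.popleft()
        reserve = 0 if high_priority else 1  # last slot kept for high severity
        return len(self.calls) < self.limit - reserve

    def enrich(self, indicator, high_priority=False):
        now = self.clock()
        cached = self.cache.get(indicator)
        if cached and cached[0] > now:
            self.stats["hit"] += 1
            return {**cached[1], "cached": True}
        if not self._allowed(now, high_priority):
            self.stats["deferred"] += 1
            self.deferred.append(indicator)
            return {"source": self.name, "verdict": "deferred", "error": "rate limit"}
        try:
            self.calls.append(now)  # a failed call still spends quota
            result = self.lookup(indicator)
        except Exception as exc:  # timeout, 5xx, bad JSON: record, do not crash
            self.stats["failed"] += 1
            return {"source": self.name, "verdict": "unavailable", "error": str(exc)}
        result = {"source": self.name, "cached": False, **result}
        self.cache[indicator] = (now + self.ttl, result)
        return result

def fake_abuseipdb(ip):
    """Constructed stand-in for the AbuseIPDB client; one IP simulates an outage."""
    if ip == "203.0.113.99":
        raise TimeoutError("AbuseIPDB did not answer within 5s")
    return {"verdict": "malicious" if ip == "203.0.113.10" else "clean"}
```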

Validation and Tuning

  • Review enrichment results for accuracy
  • Track false positive rates for auto-close logic
  • Adjust scoring thresholds based on experience
  • Monitor API costs and optimize query frequency
  • Remove enrichment sources that add noise without value

Common Pitfalls

  • Over-enriching: Adding data nobody uses
  • Ignoring rate limits: Getting blocked by APIs
  • No caching: Redundant queries for repeated indicators
  • Trusting single sources: One reputation score is not definitive
  • No fallback: Workflow breaks when API is down

Escalation Guidance

Enrichment should inform escalation:

  • Known malicious indicator + critical asset = immediate escalation
  • Unknown indicator + anomalous behavior = investigation queue
  • Known benign + expected pattern = lower priority
  • Failed enrichment = manual review required



Built by RedPhish LLC. All Rights Reserved. Copyright 2025.