Key Takeaways
- Manual IOC enrichment is one of the biggest time drains in L1 SOC work. The average analyst spends hours per day on lookups that automation can handle in seconds.
- A raw alert is noise. Enriched context, including threat actor attribution, MITRE technique mapping, and risk scoring, is what makes a decision possible.
- Automated enrichment runs the moment an alert fires, so analysts open cases that are already ready for a decision rather than starting from scratch every time.
- False positive rates drop when enrichment scores and filters indicators before a human reviews them. The queue gets smaller and more accurate at the same time.
- The goal of enrichment automation is not to replace L1 analysts. It is to stop them from spending their shifts on browser tabs so they can do the security work they were actually hired for.
L1 Analysts Are Burning Out on Lookups. Automation Stops That.
It is 2 AM. An alert fires. A suspicious IP shows up in the logs and a Level 1 analyst opens VirusTotal in one tab, AbuseIPDB in another, Shodan in a third, and maybe one more for MISP. That process takes 15 to 30 minutes per alert. Multiply that by the 4,400-plus alerts the average SOC receives every day, and you have a team that is not doing security; it is doing research. Automated threat intel enrichment does the lookup work before any human has to.
What L1 Analysts Are Actually Doing All Day (And Why It Is Not Working)
Most L1 work is not threat hunting. It is data gathering. And doing it manually at this scale was never a sustainable plan.
The Manual Enrichment Cycle That Drains Every Shift
An average SOC receives 1,000+ alerts per day, and up to 67% of them go uninvestigated. That is not because analysts are slow. It is because the starting point for every alert is zero.
- There is no context.
- There is no story.
- There is just a flagged IP or a suspicious hash sitting in a queue waiting for a human to figure out what it means.
Here is what that process looks like in practice:
- An alert fires in the SIEM. The analyst opens the case.
- There is no context attached, just a raw indicator.
- The analyst opens VirusTotal to check if the IP or hash is known to be malicious.
- They open AbuseIPDB for abuse history.
- They check Shodan for hosting and open port data.
- They cross-reference against internal logs to see if the asset has any history.
- They build a severity judgment based on whatever they pieced together from six separate tabs.
- They either escalate or close the case and move to the next one.
The average SOC handles 1,000+ alerts daily, with only 19% worth investigating. Tier 1 analysts drown in the noise, escalating everything because they lack context.
The root problem is not volume. It is that every investigation starts from scratch.
What Threat Intel Enrichment Actually Means
Enrichment sounds like a technical term. The idea behind it is simple: turn a raw indicator into something a person can actually act on.
IOCs, Context, and Why Raw Data Is Just Noise
An Indicator of Compromise, or IOC, is any artifact that signals something malicious may have happened or is happening. The most common ones are IP addresses, file hashes, domain names, URLs, and email addresses.
A raw IOC on its own tells you almost nothing useful. A flagged IP address without context is just a number. Enrichment adds the story around it.
- Where is the IP hosted?
- Who owns it?
- What campaigns has it been linked to?
- What malware families use it?
- How long has it been active?
- What MITRE ATT&CK technique does it map to?
The difference between “this IP triggered an alert” and “this IP is associated with C2 infrastructure from a North Korean campaign targeting financial services” is entirely a context problem. Enrichment solves that problem.
The goal is for every alert that lands in the analyst queue to already have an answer to the most basic question: does this matter, and why?
What Automated Enrichment Changes for L1 Teams
When enrichment runs automatically the moment an alert fires, L1 analysts stop being lookup machines. They become actual analysts.
Speed, Accuracy, and What Your Team Gets Back
The key difference between manual and automated enrichment is timing. Manual enrichment happens after the analyst opens the case. Automated enrichment happens the second the alert is generated.
By the time the analyst sees the alert, context is already there. The IOC has been queried across multiple sources simultaneously. A risk score has been assigned. The relevant MITRE ATT&CK technique has been mapped. Related threat actor campaigns have been pulled in. The analyst is not starting from zero. They are starting from a decision point.
AI-assisted investigations were 45% faster for cloud security alerts, cutting time from 105 minutes to 58 minutes, and 61% faster for identity and access alerts, cutting time from 78 minutes to 30 minutes, according to a 2025 Cloud Security Alliance benchmark study involving 148 SOC analysts.
68% of SOC teams have already successfully automated alert enrichment, and at least 60% of AI adopters have reduced investigation time by at least 25%, with 21% achieving reductions greater than 50%.
False positive rates also drop significantly. When enrichment scores and filters indicators before a human reviews them, low-risk alerts can be automatically closed or deprioritized without analyst involvement. That means the alerts that do reach the queue deserve to be there.
What analysts get back is real investigation time. Senior analysts stop spending shifts on lookups and start doing threat hunting. Junior analysts work at speeds that used to require years of experience, because the context they previously had to build by hand is already in front of them.
How to Build an Enrichment Pipeline That Actually Works
Not all enrichment setups deliver the same result. The difference between useful automation and more noise comes down to how the pipeline is structured.
The Building Blocks of a Reliable Enrichment Workflow
- Pin enrichment to specific IOC types. IP addresses, file hashes, domains, URLs, and CVE identifiers each need different sources and logic. Treat them separately.
- Use STIX and TAXII standards. These are the formats that make it possible for threat intelligence to move cleanly between platforms, feeds, and tools without losing structure.
- Integrate enrichment directly into your SIEM and SOAR. Enrichment that happens inside your existing workflow is enrichment that actually gets used. If analysts have to open a separate tool to see context, most of them will not.
- Apply risk scoring automatically. Analysts should not be deciding severity by intuition. A scored, ranked queue means the most urgent cases rise to the top without anyone having to manually sort through everything.
- Build in feedback loops. Enrichment quality degrades over time if no one is reviewing it. Analysts need a way to flag inaccurate or stale data so the system improves.
- Set data retention policies. Most organizations should retain routine alert data for about 90 days and incident-level data for one to two years. Stale IOCs in your pipeline create false positives.
- Secure the pipeline. Enrichment systems handle sensitive security data and need role-based access controls, encryption, and alignment with compliance frameworks like SOC 2 or ISO 27001.
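The pipeline described in the list above, and the “queried across multiple sources simultaneously, scored, mapped to ATT&CK” behaviour described under “What Automated Enrichment Changes for L1 Teams”, as an added Python example. This is not Secure.com’s code or any vendor’s API: the three feeds are constructed in-memory dictionaries standing in for VirusTotal-, AbuseIPDB- and MISP-style sources, every indicator value, actor name, technique id and last-seen date in them is made up (203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges), and the scoring weights and triage thresholds are assumptions to tune in your own environment. It shows type-specific handling of each IOC, concurrent lookups, the 90-day retention rule discounting a stale hit so it does not drive a score, a risk-based triage action, and a simplified STIX 2.1 indicator pattern for the result.

```python
"""Toy IOC enrichment pipeline (added example; not Secure.com code).

The feeds below are constructed in-memory stand-ins for VirusTotal-,
AbuseIPDB- and MISP-style sources. Every value in them is made up.
"""
import re
from concurrent.futures import ThreadPoolExecutor
from datetime import date

RETENTION_DAYS = 90            # hits older than this are treated as stale
TODAY = date(2025, 6, 1)       # fixed "now" so the example is deterministic

# Checked in order: the more specific patterns come first.
IOC_PATTERNS = {
    "ipv4-addr": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "file-hash": re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I),
    "url": re.compile(r"^https?://\S+$", re.I),
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$", re.I),
    "domain-name": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I),
}

# Constructed feeds keyed by IOC value (documentation IP ranges; the actor
# name and technique id are placeholders, not real attribution).
FEEDS = {
    "reputation": {        # VirusTotal-style vendor detections
        "203.0.113.10": {"detections": 31, "vendors": 70, "last_seen": "2025-05-28"},
        "198.51.100.7": {"detections": 1, "vendors": 70, "last_seen": "2024-11-02"},
    },
    "abuse": {             # AbuseIPDB-style abuse confidence
        "203.0.113.10": {"confidence": 92, "last_seen": "2025-05-30"},
    },
    "threat_platform": {   # MISP-style attribution and ATT&CK mapping
        "203.0.113.10": {"actor": "EXAMPLE-ACTOR (constructed)",
                          "technique": "T1071.001", "last_seen": "2025-05-29"},
    },
}


def classify_ioc(value):
    """Return the IOC type so each type can get its own sources and logic."""
    value = value.strip()
    for ioc_type, pattern in IOC_PATTERNS.items():
        if pattern.match(value):
            return ioc_type
    return "unknown"


def query_feed(feed_name, value):
    """Look up one IOC in one feed, marking hits outside the retention window."""
    hit = FEEDS[feed_name].get(value)
    if hit is None:
        return feed_name, None
    age = (TODAY - date.fromisoformat(hit["last_seen"])).days
    return feed_name, {**hit, "age_days": age, "stale": age > RETENTION_DAYS}


def risk_score(results):
    """Weighted 0-100 score (weights are assumptions); stale hits count zero."""
    score = 0.0
    rep = results.get("reputation")
    if rep and not rep["stale"]:
        score += 50 * rep["detections"] / rep["vendors"]
    abuse = results.get("abuse")
    if abuse and not abuse["stale"]:
        score += 30 * abuse["confidence"] / 100
    attribution = results.get("threat_platform")
    if attribution and not attribution["stale"]:
        score += 20
    return round(min(score, 100))


def stix_pattern(ioc_type, value):
    """Simplified STIX 2.1 indicator pattern for the observable IOC types."""
    if ioc_type == "file-hash":
        algo = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}[len(value)]
        return f"[file:hashes.'{algo}' = '{value}']"
    if ioc_type in ("ipv4-addr", "domain-name", "url"):
        return f"[{ioc_type}:value = '{value}']"
    return None   # CVEs are STIX Vulnerability objects, not observable patterns


def enrich(value):
    """Run the pipeline: classify, query all feeds at once, score, decide."""
    value = value.strip()
    ioc_type = classify_ioc(value)
    if ioc_type == "unknown":
        return {"value": value, "type": ioc_type, "score": 0, "action": "manual-review"}
    with ThreadPoolExecutor() as pool:    # every feed at once, not one tab at a time
        results = dict(pool.map(lambda feed: query_feed(feed, value), FEEDS))
    score = risk_score(results)
    fresh = [r for r in results.values() if r and not r["stale"]]
    # Thresholds are assumptions: tune them against your own feedback loop.
    if not fresh:
        action = "queue"            # no current intel either way: a human decides
    elif score >= 60:
        action = "escalate"
    elif score < 20:
        action = "auto-close"
    else:
        action = "queue"
    attribution = results.get("threat_platform") or {}
    if attribution.get("stale"):
        attribution = {}            # never attribute on stale data
    return {
        "value": value, "type": ioc_type, "score": score, "action": action,
        "actor": attribution.get("actor"),
        "mitre_technique": attribution.get("technique"),
        "stix_pattern": stix_pattern(ioc_type, value),
        "sources": results,
    }


if __name__ == "__main__":
    for ioc in ("203.0.113.10", "198.51.100.7", "lookup.example.net"):
        print(enrich(ioc))
```

Two design points worth noting. The stale indicator 198.51.100.7 has a months-old detection in the reputation feed; because the retention rule zeroes it out, the alert is queued for a human at score 0 rather than escalated on old data, which is exactly the false positive the retention bullet warns about. And an indicator with no current intelligence in any feed is queued rather than auto-closed, since “nothing known” is not the same as “known benign”; the feedback loop from the list above would be where analysts correct the weights and thresholds over time, which this example does not implement.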
When AI ingests raw alerts, enriches them with threat intelligence and contextual data, and assigns risk-based prioritization, Tier 1 analysts can operate at near Tier 2 levels with the support of machine-speed triage and guided decision-making.
How Secure.com Helps
Secure.com’s Digital Security Teammate handles the L1 enrichment workload automatically, so your analysts arrive in a context-ready queue instead of a pile of raw indicators.
- Automated IOC enrichment that pulls from external CTI feeds and maps every indicator to MITRE ATT&CK tactics and techniques before the analyst sees the case.
- STIX and TAXII integration for structured, normalized intelligence sharing across your existing tools and workflows.
- Risk scoring that prioritizes the alert queue automatically, so analysts spend time on what actually matters.
- Manual L1 workload reduced by up to 70%, giving your team hours back every shift. Works alongside your existing SIEM, EDR, and ticketing stack without requiring a full platform replacement.
Conclusion
The 2 AM IP lookup does not go away on its own. It goes away when enrichment is built into the pipeline so the context is already there when the alert fires. L1 analysts were not hired to run lookups across five tabs every shift. They were hired to catch real threats. Automated threat intel enrichment is what finally makes that job possible at the speed and scale that modern security actually requires.
FAQs
What is threat intelligence enrichment in simple terms?
Enrichment is what happens when you take a raw indicator like an IP address or a file hash and add context to it. Instead of just seeing a flagged IP, your team sees who owns it, what attacks it has been connected to, how urgent it is, and what to do next.
What is the difference between a threat intelligence feed and enrichment?
A threat feed gives you raw indicators: IPs, hashes, domains. Enrichment takes those indicators and adds layers of context around them, including threat actor attribution, MITRE ATT&CK technique mapping, and risk scoring, so your team can make actual decisions with the data.
How does automated enrichment reduce alert fatigue?
When enrichment runs automatically, low-risk and false positive alerts are filtered before they ever reach the analyst queue. The alerts that do land with a human already have a severity score and full context, so triage takes seconds instead of half an hour.
What sources does automated enrichment typically pull from?
The most common sources are VirusTotal, Shodan, AbuseIPDB, AlienVault OTX, and threat intelligence platforms like MISP or ThreatConnect. Strong enrichment pipelines query multiple sources at the same time and normalize the results into a single, readable format.
Can a small security team actually run automated threat intel enrichment?
Yes, and it matters more for small teams than large ones. When you have two or three analysts covering a full day, every minute spent on manual lookups is a minute not spent on real investigation. Automation brings the alert-handling capacity of a much larger team without adding headcount.