Netenrich Blog | Expert Cybersecurity Insights on SecOps, threats & more

Turning Cyber Threat Intelligence Into Action

Written by Raju Chekuri | Thu, Jun 25, 2026 @ 07:15 AM

There is a specific moment in any security investigation when context changes everything. The analyst is looking at an alert. The raw data tells them that a process executed a network connection to an external IP. Unremarkable. Thousands of processes make network connections every minute.

Now add context. The process is running from a non-standard parent process that has no historical precedent on this system. The external IP appeared in a threat intelligence feed 48 hours ago associated with command-and-control infrastructure. The system it is running on is a production server classified as business-critical. The user account associated with the session has not previously accessed this system type. The behavioral baseline for this system shows no similar events in the prior 90 days.

Same event. An automated cyber threat intelligence enrichment layer is the difference between a routine process network connection and a high-confidence early indicator of post-exploitation activity.


The Core Pillars of Enterprise Telemetry Enrichment

Building the enrichment pipeline is not a feature decision. It is an infrastructure decision. And at production scale — petabyte-scale ingestion from hundreds of enterprise environments, dozens of context sources that need to stay current, enrichment that must run fast enough to not bottleneck ingestion — it is demanding engineering. True data-plane modernization requires mapping four specific contexts continuously:


Asset Context Enrichment:

Every event referencing an asset needs current attributes: criticality classification, owner, environment, control coverage status, vulnerability posture. "Current" matters: an asset's criticality changes the moment it is promoted to production. The enrichment must query an asset inventory that reflects the actual current state, updated continuously from the same telemetry sources the enrichment itself depends on.


Identity Context Enrichment:

Every event referencing a user identity needs current role, privilege classification, department, and historical anomaly indicators. These attributes must be continuously reconciled against authoritative sources — HR systems, identity providers — rather than maintained as a static reference table.


Cyber Threat Intelligence Enrichment:

Events containing observables — IPs, domains, hashes, URLs — need current intelligence verdicts. Current means within the staleness threshold of the intelligence source, which varies by feed type and may be hours rather than days.


Behavioral Baseline Context:

Events can be enriched with statistical context from the entity's own behavioral history — how anomalous is this relative to what this entity normally does? This requires maintaining behavioral baseline models and querying them at ingestion speed.
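The four pillars above are easier to reason about as one pass over an event. The following is an added example written for this post, not Netenrich code and not the Resolution Intelligence Cloud pipeline: it enriches a raw process-to-IP connection event with asset, identity, threat-intelligence and behavioral-baseline context and derives a risk score from the combined picture. Every inventory, indicator and baseline value is constructed sample data, the scoring weights are illustrative assumptions, and the per-feed staleness thresholds show the point that an intelligence verdict is only "current" inside its feed's window. It replays the scenario from the opening paragraphs (C2-listed IP seen 48 hours ago, business-critical production host, unprecedented parent process, user new to this system type) next to an otherwise identical-looking event on a development box.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference "now" so the staleness arithmetic is deterministic.
NOW = datetime(2026, 6, 25, 7, 0, tzinfo=timezone.utc)

# --- Constructed context sources (a real pipeline queries live stores) -------
ASSETS = {  # asset context: criticality, environment, owner
    "db-prod-07": {"criticality": "business-critical", "environment": "production", "owner": "payments"},
    "dev-box-12": {"criticality": "low", "environment": "development", "owner": "platform-eng"},
}
IDENTITIES = {  # identity context: role, privilege, system types the user has touched before
    "jsmith": {"role": "developer", "privilege": "standard", "system_types_seen": {"workstation", "development"}},
    "dba-ops": {"role": "dba", "privilege": "privileged", "system_types_seen": {"production"}},
}
# Threat intel: when each feed last observed the indicator, plus how long that
# feed's verdict stays trustworthy. Verdicts older than the window are "stale".
THREAT_INTEL = {
    "203.0.113.45": {"verdict": "c2", "feed": "commercial-c2", "last_seen": NOW - timedelta(hours=48)},
    "198.51.100.9": {"verdict": "scanner", "feed": "community-scanners", "last_seen": NOW - timedelta(days=20)},
}
FEED_STALENESS = {"commercial-c2": timedelta(days=7), "community-scanners": timedelta(hours=72)}
# Behavioral baseline per host: parent processes seen in the prior 90 days and
# mean/std of outbound connections per hour.
BASELINES = {
    "db-prod-07": {"known_parents": {"systemd", "postgres"}, "conn_mean": 12.0, "conn_std": 3.0},
    "dev-box-12": {"known_parents": {"bash", "code", "python3"}, "conn_mean": 40.0, "conn_std": 15.0},
}

# Illustrative scoring weights (assumption, not a vendor model).
WEIGHTS = {"c2": 40, "scanner": 10, "critical_asset": 20, "novel_parent": 15,
           "new_system_type": 10, "conn_outlier": 15}
ZSCORE_OUTLIER = 3.0


def intel_lookup(observable, now=NOW):
    """Return the current verdict for an observable, flagging it stale when the
    feed's last sighting is older than that feed's staleness threshold."""
    rec = THREAT_INTEL.get(observable)
    if rec is None:
        return {"verdict": "unknown", "feed": None, "age_hours": None, "stale": False}
    age = now - rec["last_seen"]
    return {"verdict": rec["verdict"], "feed": rec["feed"],
            "age_hours": age.total_seconds() / 3600,
            "stale": age > FEED_STALENESS[rec["feed"]]}


def behavioral_context(event, asset, identity):
    """Compare the event against the host's own history and the user's history."""
    base = BASELINES.get(event["host"], {})
    std = base.get("conn_std") or 1.0  # guard against a zero/absent std
    zscore = (event["conns_last_hour"] - base.get("conn_mean", 0.0)) / std
    return {
        "novel_parent": event["parent"] not in base.get("known_parents", set()),
        "conn_zscore": round(zscore, 2),
        "new_system_type_for_user": asset.get("environment") not in identity.get("system_types_seen", set()),
    }


def score(enriched):
    """Combine the four contexts into a single 0-100 risk score."""
    intel, beh, asset = enriched["intel"], enriched["behavior"], enriched["asset"]
    s = 0
    if not intel["stale"]:  # stale verdicts carry no weight
        s += WEIGHTS.get(intel["verdict"], 0)
    if asset.get("criticality") == "business-critical":
        s += WEIGHTS["critical_asset"]
    if beh["novel_parent"]:
        s += WEIGHTS["novel_parent"]
    if beh["new_system_type_for_user"]:
        s += WEIGHTS["new_system_type"]
    if beh["conn_zscore"] > ZSCORE_OUTLIER:
        s += WEIGHTS["conn_outlier"]
    return min(s, 100)


def enrich_event(event, now=NOW):
    """Attach asset, identity, intel and behavioral context, then score."""
    asset = ASSETS.get(event["host"], {})
    identity = IDENTITIES.get(event["user"], {})
    enriched = dict(event)
    enriched["asset"] = asset
    enriched["identity"] = identity
    enriched["intel"] = intel_lookup(event["dst_ip"], now)
    enriched["behavior"] = behavioral_context(event, asset, identity)
    enriched["risk"] = score(enriched)
    return enriched


def verdict_label(risk):
    return "high" if risk >= 70 else "medium" if risk >= 30 else "low"


# Constructed raw events: identical shape, very different context.
SUSPICIOUS = {"host": "db-prod-07", "user": "jsmith", "process": "curl", "parent": "sh",
              "dst_ip": "203.0.113.45", "conns_last_hour": 30}
BENIGN = {"host": "dev-box-12", "user": "jsmith", "process": "pip", "parent": "bash",
          "dst_ip": "198.51.100.9", "conns_last_hour": 45}

if __name__ == "__main__":
    for ev in (SUSPICIOUS, BENIGN):
        e = enrich_event(ev)
        print(ev["host"], e["intel"]["verdict"], "stale" if e["intel"]["stale"] else "fresh",
              e["behavior"], "risk", e["risk"], verdict_label(e["risk"]))
```

The design point is that nothing in the raw event changes between the two cases; the score comes entirely from context joined at ingestion time, and the community feed's three-day window is what keeps a 20-day-old "scanner" verdict from inflating the benign event.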


Scaling Enrichment Capabilities Natively in the Cloud

We built all of this into the Resolution Intelligence Cloud on Google SecOps and BigQuery — the only infrastructure we evaluated that provided the performance characteristics to support enrichment at this scale without introducing unacceptable ingestion latency.

The return on the investment is visible across every downstream analytical layer. Analysts see decision-relevant information automatically. ML models train and infer on consistently enriched inputs and perform proportionally better. Detection rules operating on enriched data are simpler, more maintainable, and more reliable.

Build the enrichment once. Every analysis benefits continuously. That is the right investment calculus.

Shift Your SOC into High Gear

Tired of looking at uncontextualized alerts while critical cyber threat intelligence sits isolated in siloed feeds? Deploy a Netenrich Agentic SOC in 30 Days to natively operationalize your threat data, enrich telemetry at ingestion speed, and stop machine-speed attacks.

*Part of my ongoing series on data science and the future of security operations.*