Perform threat enrichment on observables

You can perform threat intelligence enrichment on one or more observables to determine whether they are associated with known security threats. Which enrichment implementations run depends on which ones you have activated, so a result with no matches only means that the selected, active implementations found nothing for that observable.

Before you begin

Before you can perform enrichment, you must activate the Threat Intelligence plugin. You must also install the plugin for one or more of the enrichment implementations:

Role required: sn_ti.admin


  1. Navigate to Threat Intelligence > IoC Repository > Observables.
  2. Do one of the following:
    • To enrich more than one observable, select the observables you want to enrich, click Actions on selected rows, and select Run observable enrichment.
    • To enrich a single observable, open the observable record, and click the Run observable enrichment related link.
    Figure: Run observable enrichment slushbucket
  3. Select the enrichment implementations you want to use, or select All to perform enrichment using all of the active implementations, then click Submit.
    A message indicates that the observable enrichment lookups have begun. The Security Operations Integration - Enrich Observable workflow runs and, in turn, executes the implementation workflow for each observable enrichment implementation you selected; the lookups are performed and the results are recorded on the observable.
  4. When enrichment completes, click the Observable Enrichment tab to view the results.
    Figure: Observable enrichment
  5. To see additional details, including raw results for a specific enrichment, click the value in the Summary column.
    Figure: Observable enrichment result