The Enrich Observable capability allows you to enrich observables with additional information from a variety of sources using implementation flows. This capability is used during incident response investigations to contain an identified threat.

The Enrich Observable capability has a flow: Security Operations Integration - Enrich Observable flow. When the capability flow runs, it executes additional flows for the activated implementations. You can specify an implementation to enrich the selected observables, or you can run the enrichment using all implementations that match the supported observable types.

Note: If no implementations are available, capability actions are not displayed in product menus.