Configure Threat Intelligence Enrichment
Threat intelligence enrichment is handled by the AI SOC Enrich Observables component, which is used in various playbooks throughout the solution.

How Enrichment Works

The AI SOC Enrich Observables component:

- Automatically enriches observables when signals are created
- Uses the TI providers configured in the AI SOC Threat Intelligence Configuration asset
- Respects the ignore lists and observable type filters you configured
- Aggregates results from multiple providers based on configured weights

Configure Enrichment Components

The enrichment component uses individual provider components for each TI source:

- Enrich VirusTotal Enrich Observable (VIC)
- Enrich Recorded Future Enrich Observable (VIC)
- Enrich AbuseIPDB Enrich Observable (VIC)
- Enrich URLhaus Enrich Observables (VIC)
- Enrich IPQualityScore Enrich Observable (VIC)

These components are already configured in the AI SOC Enrich Observables component. You typically do not need to modify them unless you're adding custom providers.

Provider Configuration

- Ensure each TI provider asset is configured with valid API keys/credentials
- Verify provider names in the AI SOC Threat Intelligence Configuration asset match the component names exactly
- Adjust provider weights if you want to prioritize certain sources

Test Enrichment

1. Create a test signal with observables (IP, domain, URL, or hash)
2. Verify enrichment runs automatically (check the signal's Threat Intelligence Reference field)
3. Open the Threat Intelligence application to view detailed enrichment results
4. Verify aggregated verdicts and risk scores are calculated correctly based on your thresholds
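To make the weight, ignore-list and exact-name points above concrete, here is an added Python sketch; it is not the product's implementation, and the page does not give the actual aggregation formula. It assumes each provider returns a 0-100 score, that the aggregate is a weighted mean over the providers that answered, and that the weights, thresholds and ignore list shown are constructed sample values.

```python
# Added illustration: weighted aggregation of TI provider results.
# All names, scores, weights and thresholds are constructed for this sketch.

WEIGHTS = {  # provider name -> weight, as it might appear in a TI configuration
    "VirusTotal": 3.0,
    "Recorded Future": 3.0,
    "AbuseIPDB": 2.0,
    "URLhaus": 1.0,
    "IPQualityScore": 1.0,
}
IGNORE = {"10.0.0.5", "example.com"}          # constructed ignore list
ENABLED_TYPES = {"ip", "domain", "url", "hash"}
THRESHOLDS = [(70, "malicious"), (40, "suspicious"), (0, "benign")]


def aggregate(value, obs_type, results, weights=WEIGHTS):
    """results: {provider_name: score 0-100, or None if the lookup failed}."""
    if obs_type not in ENABLED_TYPES or value in IGNORE:
        return {"verdict": "skipped", "score": None, "unmatched": []}
    # A name that differs from the configured one (case, spacing) gets no weight.
    unmatched = sorted(p for p in results if p not in weights)
    scored = {p: s for p, s in results.items() if p in weights and s is not None}
    total = sum(weights[p] for p in scored)
    if total == 0:
        return {"verdict": "unknown", "score": None, "unmatched": unmatched}
    # Renormalise over providers that answered, so a failed lookup is not a 0.
    score = round(sum(weights[p] * s for p, s in scored.items()) / total, 1)
    verdict = next(label for floor, label in THRESHOLDS if score >= floor)
    return {"verdict": verdict, "score": score, "unmatched": unmatched}


if __name__ == "__main__":
    sample = {"VirusTotal": 90, "AbuseIPDB": 60, "Recorded Future": None,
              "virustotal ": 10}  # last key is a deliberately mismatched name
    print(aggregate("203.0.113.7", "ip", sample))
    print(aggregate("10.0.0.5", "ip", sample))
```

A non-empty `unmatched` list in this sketch corresponds to the situation the provider-name check is meant to catch: a result that arrives under a name the configuration does not recognise contributes nothing to the score.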