Engagement note

Alert enrichment automation

Replaced manual triage steps with an idempotent pipeline. Typed contracts between SIEM, enrichment, and analyst UI.

  • Managed security platform
  • Automation
  • 9 weeks
Duration: 9 weeks
Team: 1 senior engineer + the client's security engineering lead
Handover: Detection engineering, on-call rotation included
Disciplines
  • Automation
  • Typed IO
  • SIEM integration
  • Analyst UI
Decide

Best fit when.

  1. You have a SIEM (or equivalent) that must stay authoritative, with enrichments attached rather than mirrored.
  2. Enrichment sources have inconsistent latency and reliability; the surface must show provenance and freshness.
  3. Analysts need to see what came from where; an opaque enriched view will not be adopted.
Context

What was happening.

Analysts were doing the same enrichment work — domain reputation, asset ownership, recent change history — by hand on every alert. The cost was not the per-alert minutes; it was the cognitive load that reduced the number of alerts a single analyst could meaningfully review per shift.

Constraints

What we were holding to.

  • The SIEM was the source of truth; the pipeline could not become a parallel store of alert state.
  • Enrichment sources had wildly different latency and reliability profiles.
  • Analysts did not want a black box; the enriched view had to show what came from where.
Approach

How we built it.

Idempotent enrichment, attached not duplicated

Enrichments were computed and attached back to the SIEM record, never stored as a parallel alert. Every enrichment job was idempotent; replays produced the same attached payload.

Typed IO between SIEM, enrichment, and UI

Each enrichment source spoke a typed contract to the pipeline. The analyst UI consumed the same typed payload. A failing enrichment showed up as a typed null, not a missing field — the analyst always knew which source was unavailable.

Source provenance in the analyst surface

The analyst view showed every enrichment with its source and freshness. Where data conflicted, the conflict was shown rather than resolved silently. Trust came from visibility, not from confident UI.
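The three design points above, as an added Python illustration (not the client's code or the pipeline delivered in this engagement): a typed enrichment contract where a failed source is an explicit "unavailable" record with its reason, an attach step keyed by (source, key) so a replay overwrites rather than duplicates, conflict detection that surfaces disagreement instead of picking a winner, and analyst rows that carry provenance and freshness. The source names, enrichment keys, the sample alert and the one-hour freshness threshold are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Literal, Optional

@dataclass(frozen=True)
class Enrichment:
    """Typed contract every source returns; a failed source is status "unavailable", value None."""
    source: str                            # provenance: which source produced it
    key: str                               # e.g. "domain_reputation"
    status: Literal["ok", "unavailable"]
    value: Optional[str]
    fetched_at: datetime                   # freshness is derived from this
    error: Optional[str] = None            # why the source was unavailable

@dataclass
class SiemAlert:                           # the SIEM record stays authoritative
    alert_id: str
    enrichments: dict = field(default_factory=dict)  # keyed by (source, key)

def attach(alert: SiemAlert, e: Enrichment) -> SiemAlert:
    """Attach onto the SIEM record, keyed by (source, key): a replay overwrites with an equal payload."""
    alert.enrichments[(e.source, e.key)] = e
    return alert

def conflicts(alert: SiemAlert) -> dict:
    """key -> {source: value} wherever sources disagree; surfaced, not resolved."""
    by_key: dict = {}
    for (src, k), e in alert.enrichments.items():
        if e.status == "ok":
            by_key.setdefault(k, {})[src] = e.value
    return {k: v for k, v in by_key.items() if len(set(v.values())) > 1}

def analyst_rows(alert: SiemAlert, now: datetime, max_age: timedelta = timedelta(hours=1)) -> list:
    """One row per (key, source): value or typed-null reason, plus freshness."""
    rows = []
    for (src, k), e in sorted(alert.enrichments.items()):
        if e.status == "unavailable":
            rows.append((k, src, None, f"unavailable: {e.error}"))
        else:
            rows.append((k, src, e.value, "fresh" if now - e.fetched_at <= max_age else "stale"))
    return rows

def build_sample() -> tuple:
    """Constructed alert: two reputation vendors disagree and the CMDB timed out."""
    now, a = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), SiemAlert("ALERT-1")
    job = Enrichment("vendor_a", "domain_reputation", "ok", "malicious", now - timedelta(minutes=5))
    attach(a, job); attach(a, job)         # replay: still exactly one entry
    attach(a, Enrichment("vendor_b", "domain_reputation", "ok", "benign", now - timedelta(hours=2)))
    attach(a, Enrichment("cmdb", "asset_owner", "unavailable", None, now, error="timeout"))
    return a, now
```

Running `build_sample()` and then `conflicts(a)` and `analyst_rows(a, now)` shows the reputation disagreement as a conflict, the CMDB row as a typed null with its reason, and the two-hour-old vendor result flagged stale.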

Handover

What we left with the client.

  • Idempotent enrichment pipeline, deployed to the client's tenant.
  • Typed contracts at the SIEM, enrichment, and UI boundaries.
  • Provenance-aware analyst surface with explicit freshness signals.
  • On-call dashboards and alert routes wired into detection engineering's existing rotation.