Objective – Lab goal

This lab introduces automation for threat‑hunting and alert enrichment. You’ll build scripts that query threat‑intel APIs, enrich SIEM alerts with context, and automate repetitive investigation steps.

  • Outcome 1: Build enrichment scripts using PowerShell or Python.
  • Outcome 2: Query OTX, AbuseIPDB, and DNS APIs automatically.
  • Outcome 3: Integrate enrichment into SIEM workflows.
  • Outcome 4: Document automated investigation steps.

Lab 14: Automated Enrichment & Scripting
Automating enrichment using scripts, APIs, and SIEM automation features.

Deliverables – End‑of‑lab checklist

  • DL14.1: Enrichment script created (PowerShell or Python).
  • DL14.2: API queries to OTX, AbuseIPDB, DNS resolvers.
  • DL14.3: SIEM automation rule configured.
  • DL14.4: Enriched alerts validated.
  • DL14.5: Documentation updated with workflow and code.

Lab Steps – Step‑by‑step instructions

Step 1 – Build an Enrichment Script

~45 minutes
  1. Create a PowerShell or Python script.
  2. Add functions to query:
    • OTX API
    • AbuseIPDB API
    • DNS resolver (e.g., Cloudflare 1.1.1.1)
  3. Parse results and return:
    • Reputation score
    • Threat categories
    • Pulse or report links

Step 2 – Automate Enrichment for Alerts

~45 minutes
  1. Configure your SIEM to run the script when:
    • A new alert is created
    • An IP or domain is extracted
  2. Store enrichment results in:
    • Custom fields
    • Tags
    • Notes

Step 3 – Build Automated Investigation Steps

~45 minutes
  1. Create an automation rule that:
    • Extracts indicators
    • Runs enrichment
    • Updates alert severity based on reputation
  2. Test with known malicious IPs.

Step 4 – Document Workflow & Validate Results

~30 minutes
  1. Document:
    • Script logic
    • API endpoints
    • Automation triggers
    • Enrichment fields
  2. Validate enriched alerts in SIEM dashboards.
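An added example for Steps 1 and 3 (not the course's own script): a Python enrichment module that queries the OTX, AbuseIPDB and Cloudflare DNS‑over‑HTTPS endpoints, normalizes the results into reputation score, threat categories and pulse links, and maps them to an alert severity. The endpoint paths and header names are the real ones; the API keys are placeholders, the severity thresholds are assumptions, and the sample responses are constructed so the script runs offline.

```python
import json
import urllib.request

OTX_URL = "https://otx.alienvault.com/api/v1/indicators/IPv4/{ip}/general"
ABUSE_URL = "https://api.abuseipdb.com/api/v2/check?ipAddress={ip}&maxAgeInDays=90"
DOH_URL = "https://cloudflare-dns.com/dns-query?name={name}&type=A"
OTX_KEY, ABUSE_KEY = "<OTX_API_KEY>", "<ABUSEIPDB_API_KEY>"  # placeholders; load from a vault/env in practice

def http_get_json(url, headers):  # live GET; every function below accepts any fetch(url, headers)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def severity_from(score, pulse_count):
    """Step 3 rule: severity from AbuseIPDB confidence and OTX pulse count (thresholds are assumed)."""
    if score >= 75 or pulse_count >= 3:
        return "high"
    return "medium" if score >= 25 or pulse_count else "low"

def resolve_a(name, fetch=http_get_json):
    doh = fetch(DOH_URL.format(name=name), {"Accept": "application/dns-json"})
    return [a["data"] for a in doh.get("Answer", []) if a.get("type") == 1]  # type 1 = A record

def enrich_ip(ip, fetch=http_get_json):
    """Return the Step 1 fields: reputation score, threat categories, pulse links, plus severity."""
    otx = fetch(OTX_URL.format(ip=ip), {"X-OTX-API-KEY": OTX_KEY})
    abuse = fetch(ABUSE_URL.format(ip=ip), {"Key": ABUSE_KEY, "Accept": "application/json"})
    pulses = otx.get("pulse_info", {}).get("pulses", [])
    score = int(abuse.get("data", {}).get("abuseConfidenceScore", 0))
    return {
        "indicator": ip,
        "reputation_score": score,  # AbuseIPDB abuseConfidenceScore, 0-100
        "threat_categories": sorted({t for p in pulses for t in p.get("tags", [])}),
        "pulse_links": [f"https://otx.alienvault.com/pulse/{p['id']}" for p in pulses],
        "severity": severity_from(score, len(pulses)),
    }

SAMPLE = {  # constructed responses in each API's JSON shape, so the script runs offline
    "otx": {"pulse_info": {"pulses": [{"id": "demo-pulse-1", "tags": ["botnet", "c2"]},
                                      {"id": "demo-pulse-2", "tags": ["scanner", "c2"]}]}},
    "abuse": {"data": {"abuseConfidenceScore": 92, "totalReports": 40}},
    "doh": {"Status": 0, "Answer": [{"name": "bad.example.", "type": 1, "TTL": 60, "data": "203.0.113.10"}]},
}

def offline_fetch(url, headers):  # stand-in for http_get_json that serves SAMPLE
    return SAMPLE["otx" if "otx." in url else "abuse" if "abuseipdb" in url else "doh"]

if __name__ == "__main__":
    for ip in resolve_a("bad.example", offline_fetch):
        print(json.dumps(enrich_ip(ip, offline_fetch), indent=2))
```

Drop the `offline_fetch` argument to run against the live APIs; the severity thresholds are the knobs to tune before wiring the output into the SIEM automation rule of Step 3.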

Reflection – What you should understand now

  • Automation: How scripts reduce manual investigation time.
  • Enrichment: How external context improves alert fidelity.
  • Workflow: How automated steps accelerate triage.

With automated enrichment in place, you’re ready to build structured response playbooks in Week 15.