SIEM Alert Enrichment
Playbook
A repeatable five-step workflow for enriching SIEM alerts with threat intelligence context and making consistent, defensible triage decisions. Structured around the NIST SP 800-61r3 Incident Response lifecycle and aligned to MITRE ATT&CK v18 tactic tagging conventions.
Why This Playbook Exists
The 2026 Unit 42 Global Incident Response Report documents that in the fastest observed incidents attackers moved from initial access to data exfiltration in about an hour, roughly 4x faster than the prior year; the fastest individual case the report cites took 72 minutes. Identity-based techniques drove initial access in 65% of investigated incidents, and 87% of attacks unfolded across multiple attack surfaces simultaneously.
Security teams operating at human speed — manually looking up indicators, making inconsistent triage decisions, and relying on outdated playbooks — are structurally mismatched against this threat environment. This playbook defines a machine-assisted, five-step enrichment pipeline that compresses analyst decision time from minutes to seconds and ensures every alert receives consistent, evidence-based triage regardless of analyst experience level.
This playbook is original technical writing produced as a portfolio sample demonstrating SOC documentation structure, depth, and communication style. All content is sourced from publicly available NIST SP 800-61r3, MITRE ATT&CK v18, and Unit 42 published research. No proprietary data is reproduced.
Before You Begin
| Requirement | Description | Notes |
|---|---|---|
| Threat Intel API Access | Valid API key with at minimum Standard tier access (60 requests/min, 100 IOCs/bulk) | Store in environment variable TI_API_KEY — never hardcode |
| SIEM Integration | Alert webhook or polling configured to deliver normalized alert fields to enrichment pipeline | Compatible with Cortex XSIAM, Cortex XSOAR, Splunk, Microsoft Sentinel |
| SOAR Playbook Runner | Automation platform capable of executing API calls, applying decision logic, and writing results back to SIEM cases | Cortex XSOAR recommended; adaptable to any SOAR supporting REST API integrations |
| ATT&CK Navigator | Access to MITRE ATT&CK Navigator for technique overlay and coverage visualization | Available free at mitre-attack.github.io/attack-navigator |
| Escalation Path Defined | Analyst notification contacts and escalation thresholds configured before deployment | See Escalation Matrix section below |
Five-Step IOC Triage Pipeline
Execute these steps in sequence for every SIEM alert containing extractable indicators. Steps 01 through 03 are fully automatable. Steps 04 and 05 involve analyst judgment informed by enriched data.
Step 01: Extract IOCs from Alert
Extract from: source IP, destination IP, domain, URL, file hash (MD5, SHA1, SHA256), email sender, and any embedded URLs in email body fields. Normalize every value before submission (see the IOC Normalization Guide below). Log all extracted IOCs to the case record before submitting; this creates the audit trail required for post-incident review.
Step 02: Bulk IOC Lookup
Submit every indicator from the alert in a single request to POST /indicators/bulk. Batching minimizes API latency and preserves rate-limit quota: one call per alert, not one call per indicator. The per-request cap depends on the API tier (100 indicators on the Standard tier listed under Before You Begin, 500 on the Professional tier). If a single alert yields more indicators than the cap, split them into sequential batches that carry the same alert association metadata so the results can be re-joined to the case. Unknown indicators are returned with classification: "unknown" and confidence: 0, never omitted, so the pipeline receives exactly one result per submitted indicator; verify that the result count matches the submission count so a dropped record cannot become a silent failure in downstream automation.
Step 03: Apply Confidence Threshold
Apply thresholds per-indicator, not per-alert: a single alert may contain indicators at different confidence levels. Promote the alert's overall severity to match the highest-confidence malicious indicator found. Log all results regardless of threshold for audit trail and retrospective threat hunting purposes; the thresholds gate escalation, not logging. Band boundaries are in the Confidence Threshold Reference below.
Step 04: Map to MITRE ATT&CK
Use the attack_techniques array from the enrichment results to tag the SIEM alert with ATT&CK tactic and technique IDs. Tag format: ATT&CK:T1071.001 · ATT&CK:TA0011. Tactic tagging enables cross-alert behavioral correlation: two alerts with different IOC values but the same ATT&CK mapping may represent the same adversary campaign. Knowing a hash belongs to a tool used during Persistence changes how it is triaged and blocked; tactics turn data into decisions. Use ATT&CK Navigator to overlay technique coverage and identify blind spots in detection rules relative to the adversary behaviors observed in this alert.
Step 05: Update Case & Notify
Write the enriched context (per-indicator classification, confidence, ATT&CK tags, promoted severity) back to the SIEM case. Trigger immediate analyst notification if severity is critical or high AND confidence is 85 or above. Use the escalation matrix below to determine notification channel and response time objective. Close the loop: update the case with the analyst's disposition after review so enrichment quality data can be used to improve threshold calibration over time.
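The pipeline above as one runnable piece, in Python (the language of XSOAR automations). This is an added example, not code from the playbook or any vendor integration pack: it starts from the normalized IOC list that step 01 produces, replaces the threat-intel API with a constructed in-memory table so it runs offline, and keeps the playbook's response field names (classification, confidence, attack_techniques), tag format and escalation rows. The 500-indicator cap, the severity floors derived from the confidence bands, the fallback row for critical/high alerts below 75 confidence, and the sample alerts are assumptions.

```python
# Added example, not code from the playbook or any vendor SDK: steps 02 to 05
# over an IOC list that step 01 has already normalized. The threat-intel API is
# replaced by a constructed in-memory table so this runs offline; response field
# names follow the playbook (classification, confidence, attack_techniques). The
# tier cap, the severity floors and the one escalation fallback are assumptions.
from typing import Dict, List

BULK_LIMIT = 500  # Professional-tier cap cited by the playbook (Standard: 100)
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed stand-in for the TI backend, keyed by normalized indicator value.
_CONSTRUCTED_TI = {
    "198.51.100.42": {"classification": "malicious", "confidence": 93,
                      "attack_techniques": ["T1071.001", "TA0011"]},
    "malicious-c2.example.com": {"classification": "malicious", "confidence": 80,
                                 "attack_techniques": ["T1071.001", "TA0011"]},
    "0123456789abcdef0123456789abcdef": {"classification": "suspicious",
                                         "confidence": 60, "attack_techniques": []},
}

def build_bulk_requests(alert_id: str, iocs: List[str], limit: int = BULK_LIMIT) -> List[dict]:
    """Split one alert's IOCs into batches of at most `limit`, each carrying the
    alert id so results re-join the case (one call per alert, not per IOC)."""
    return [{"alert_id": alert_id, "batch": n, "indicators": iocs[i:i + limit]}
            for n, i in enumerate(range(0, len(iocs), limit))]

def post_indicators_bulk(request: dict) -> List[dict]:
    """Stand-in for POST /indicators/bulk: every submitted indicator gets a
    record, and unknowns come back as classification "unknown", confidence 0."""
    unknown = {"classification": "unknown", "confidence": 0, "attack_techniques": []}
    return [{"indicator": ioc, **_CONSTRUCTED_TI.get(ioc, unknown)}
            for ioc in request["indicators"]]

def confidence_band(score: int) -> str:
    """Per-indicator band from the Confidence Threshold Reference."""
    if score >= 90:
        return "auto_escalate"
    if score >= 75:
        return "priority_review"
    if score >= 50:
        return "monitor"
    return "log_only"

# Assumed: the severity floor an alert inherits from its strongest non-benign hit.
_SEVERITY_FLOOR = {"auto_escalate": "critical", "priority_review": "high", "monitor": "medium"}

def escalation_route(severity: str, confidence: int) -> dict:
    """Escalation Matrix rows, top to bottom; the first matching row wins."""
    if severity == "critical" and confidence >= 90:
        return {"tier": "Tier 2 Analyst + SOC Lead", "channel": "PagerDuty / Phone", "rto_min": 15}
    if severity == "high" and confidence >= 85:
        return {"tier": "Tier 2 Analyst", "channel": "Slack / Email", "rto_min": 30}
    if severity == "high" and confidence >= 75:
        return {"tier": "Tier 1 Analyst", "channel": "SIEM Queue", "rto_min": 60}
    if severity in ("critical", "high", "medium"):
        # No matrix row for critical/high below 75; assumed to queue like medium.
        return {"tier": "Tier 1 Analyst", "channel": "SIEM Queue", "rto_min": 240}
    return {"tier": "Automated", "channel": "SIEM Log", "rto_min": None}

def enrich_alert(alert: dict) -> dict:
    """Steps 02 to 05 for one alert: bulk lookup, per-indicator thresholds,
    severity promotion, ATT&CK tagging and the escalation decision."""
    records = [rec for req in build_bulk_requests(alert["id"], alert["iocs"])
               for rec in post_indicators_bulk(req)]
    if len(records) != len(alert["iocs"]):  # a dropped record is a silent failure
        raise RuntimeError("bulk lookup returned fewer results than submitted")
    severity, top_confidence, tags = alert["severity"], 0, set()
    for rec in records:
        rec["band"] = confidence_band(rec["confidence"])
        if rec["classification"] in ("malicious", "suspicious") and rec["band"] in _SEVERITY_FLOOR:
            floor = _SEVERITY_FLOOR[rec["band"]]
            if SEVERITY_RANK[floor] > SEVERITY_RANK[severity]:
                severity = floor  # promote, never demote
            top_confidence = max(top_confidence, rec["confidence"])
        tags.update(f"ATT&CK:{t}" for t in rec["attack_techniques"])
    return {"alert_id": alert["id"], "severity": severity, "confidence": top_confidence,
            "tags": sorted(tags), "indicators": records,
            "route": escalation_route(severity, top_confidence),
            "notify_now": severity in ("critical", "high") and top_confidence >= 85}

def correlate_by_technique(cases: List[dict]) -> Dict[str, List[str]]:
    """Step 04 payoff: alerts sharing an ATT&CK tag may be one campaign even
    when none of their IOC values overlap."""
    groups: Dict[str, List[str]] = {}
    for case in cases:
        for tag in case["tags"]:
            groups.setdefault(tag, []).append(case["alert_id"])
    return groups

# Constructed alerts: different IOCs, same C2 technique.
SAMPLE_ALERTS = [
    {"id": "ALERT-0001", "severity": "medium",
     "iocs": ["198.51.100.42", "0123456789abcdef0123456789abcdef", "203.0.113.7"]},
    {"id": "ALERT-0002", "severity": "low", "iocs": ["malicious-c2.example.com"]},
]

if __name__ == "__main__":
    cases = [enrich_alert(a) for a in SAMPLE_ALERTS]
    for case in cases:
        print(case["alert_id"], case["severity"], case["route"]["channel"], case["tags"])
    print(correlate_by_technique(cases))
```

Run it directly to see both sample alerts routed. ALERT-0002 arrives as low severity and leaves as high because a likely-malicious domain promoted it, yet its confidence of 80 keeps it in the SIEM queue rather than paging anyone; both alerts land in the same T1071.001 group even though they share no indicator value.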
Enrichment Workflow Summary Table
| Step | Action | Tool / Method | ATT&CK Alignment | Output |
|---|---|---|---|---|
| 01 | Extract IOCs from Alert: parse SIEM alert fields for IPs, domains, hashes, and URLs; normalize formats before querying. | SIEM parsing rules; Cortex XSOAR automation | All tactics (pre-enrichment) | Normalized IOC list |
| 02 | Bulk IOC Lookup: batch all IOCs from a single alert into one API call (max 500 per request on Professional tier). | POST /indicators/bulk (Threat Intel API) | T1071 · T1041 · T1566 | Enriched IOC records |
| 03 | Apply Confidence Threshold: filter by per-indicator confidence score. Auto-escalate at 90+; flag 75–89 for priority review; monitor 50–74; log only below 50. | Threshold table (below); SOAR decision logic | All tactics (reduces false positives) | Prioritized alert queue |
| 04 | Map to MITRE ATT&CK: tag alert with tactic and technique IDs from the attack_techniques array; enables behavioral correlation. | attack_techniques array; ATT&CK Navigator overlay | Tactic-based detection (MITRE ATT&CK v18, Oct 2025) | Tagged, correlated alert |
| 05 | Update Case & Notify: write enriched context to the SIEM case; if severity is critical/high and confidence ≥ 85, notify analyst immediately. | SIEM case management (Cortex XSIAM · Splunk) | Responds to all phases | Enriched case record |
Confidence Threshold Reference
Apply thresholds per-indicator. Automated escalation to a human should start at 75: indicators scoring 75–89 are flagged for priority review and 90+ are auto-escalated with a priority case, while anything below 75 is logged or monitored without paging an analyst, which limits false positive alert fatigue in high-volume SOC environments. All results should be logged regardless of threshold for audit and retrospective threat hunting purposes.
| Confidence Range | Classification | Recommended Action | SLA |
|---|---|---|---|
| 90 – 100 | High confidence — malicious | Auto-escalate to analyst. Block at perimeter if policy permits. Open priority case. | Immediate — 15 min |
| 75 – 89 | Likely malicious | Flag for priority analyst review. Do not auto-block. Correlate with additional signals. | 30 minutes |
| 50 – 74 | Suspicious — low confidence | Log and monitor. Add to threat hunting queue. Revisit if correlated with other indicators. | 4 hours |
| 0 – 49 | Unknown or benign | Log only. Do not auto-escalate. Retain for retrospective analysis. | Next business day |
IOC Normalization Guide
Normalize all indicators before submission. Malformed indicators are rejected with 400 Bad Request; inconsistently formatted ones (defanged domains, upper-case hashes, URLs still carrying tracking parameters) can return unknown or incorrect results without any error, so validate each value against the expected shape before it enters the bulk request.
| Type | API Value | Correct Format | Common Errors to Strip |
|---|---|---|---|
| IP Address | ip | 198.51.100.42 | Port numbers (:8080), brackets ([198.51.100.42]), CIDR notation (/32) |
| Domain | domain | malicious-c2.example.com | Defang brackets ([.] → .), protocol prefix (https://), trailing slashes, subpaths |
| URL | url | https://malicious.example.com/payload | URL-encoding artifacts, fragment identifiers (#section), tracking parameters |
| File Hash | hash | MD5: 32 hex chars · SHA1: 40 hex chars · SHA256: 64 hex chars | Mixed case (lowercase preferred), spaces, colons, 0x prefix |
| Email Address | email | sender@malicious.example.com | Display-name wrapping ("Name" <email>), brackets, angle characters |
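Step 01 of the pipeline together with the normalization rules in the table above, as an added example in Python; this is not the playbook's own code. It refangs each value, strips the errors the table lists, validates the result against the expected shape for its type, de-duplicates, and keeps rejected values so they still reach the case log. The alert field names (src_ip, dst_ip, attacker_ip, domain, url, file_hash, sender, body), the tracking-parameter list, the IPv4-only scope and the sample alert are assumptions.

```python
# Added example, not code from the playbook: step 01 extraction plus the
# normalization guide. Alert field names, the tracking-parameter list and the
# IPv4-only scope are assumptions; SAMPLE_ALERT is constructed.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
TRACKING_PARAMS = {"utm_source", "utm_medium", "utm_campaign", "fbclid", "gclid"}  # assumed
URL_IN_TEXT = re.compile(r"\b(?:hxxps?|https?)://[^\s<>\"']+", re.I)

def refang(value: str) -> str:
    """Undo common defanging so the value matches what the TI API indexes."""
    v = value.strip()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("[:]", ":"), ("[@]", "@")):
        v = v.replace(defanged, real)
    return re.sub(r"^hxxp", "http", v, flags=re.I)

def normalize_ip(value):
    v = re.sub(r"[\[\]]", "", refang(value)).split("/")[0]  # brackets, CIDR suffix
    if v.count(":") == 1:                                    # IPv4:port
        v = v.rsplit(":", 1)[0]
    octets = v.split(".")
    ok = len(octets) == 4 and all(o.isdigit() and int(o) <= 255 for o in octets)
    return v if ok else None

def normalize_domain(value):
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(value).lower())  # protocol prefix
    v = v.split("/")[0].split("?")[0].split(":")[0].rstrip(".")      # path, query, port
    return v if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", v) else None

def normalize_url(value):
    v = refang(value)
    if not re.match(r"^https?://", v, re.I):
        return None
    p = urlsplit(v)
    query = urlencode([(k, x) for k, x in parse_qsl(p.query, keep_blank_values=True)
                       if k.lower() not in TRACKING_PARAMS])
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", query, ""))  # no fragment

def normalize_hash(value):
    v = re.sub(r"^(?:0x|(?:md5|sha1|sha256)\s*:\s*)", "", value.strip(), flags=re.I)
    v = v.replace(" ", "").replace(":", "").lower()
    return v if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", v) else None

def normalize_email(value):
    v = refang(value)
    m = re.search(r"<([^<>]+)>", v)  # "Display Name" <addr>
    v = (m.group(1) if m else v).strip("[]()\"' ").lower()
    return v if re.fullmatch(r"[^@\s<>]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", v) else None

# Alert field -> (API type value, normalizer). Field names are assumed.
FIELD_MAP = [("src_ip", "ip", normalize_ip), ("dst_ip", "ip", normalize_ip),
             ("attacker_ip", "ip", normalize_ip), ("domain", "domain", normalize_domain),
             ("url", "url", normalize_url), ("file_hash", "hash", normalize_hash),
             ("sender", "email", normalize_email)]

def extract_iocs(alert: dict) -> dict:
    """Step 01: pull, normalize and de-duplicate indicators; keep rejects for the
    case log so a malformed value never silently vanishes from the audit trail."""
    candidates = [(t, alert[f], fn) for f, t, fn in FIELD_MAP if alert.get(f)]
    candidates += [("url", u, normalize_url) for u in URL_IN_TEXT.findall(alert.get("body", ""))]
    iocs, rejected, seen = [], [], set()
    for ioc_type, raw, fn in candidates:
        norm = fn(raw)
        if norm is None:
            rejected.append((ioc_type, raw))
        elif (ioc_type, norm) not in seen:
            seen.add((ioc_type, norm))
            iocs.append({"type": ioc_type, "value": norm})
    return {"iocs": iocs, "rejected": rejected}

SAMPLE_ALERT = {  # constructed, carrying the defects the guide says to strip
    "src_ip": "[198.51.100.42]:8080", "dst_ip": "203.0.113.7/32", "attacker_ip": "999.1.1.1",
    "domain": "https://malicious-c2[.]example[.]com/",
    "url": "hxxps://malicious[.]example[.]com/payload?id=7&utm_source=mail#top",
    "file_hash": "SHA256: A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90",
    "sender": '"Bad Actor" <sender@malicious[.]example[.]com>',
    "body": "see hxxp://malicious[.]example[.]com/payload?utm_campaign=x or https://malicious.example.com/payload?id=7",
}

if __name__ == "__main__":
    result = extract_iocs(SAMPLE_ALERT)
    for ioc in result["iocs"]:
        print(ioc["type"], ioc["value"])
    print("rejected:", result["rejected"])
```

The second URL in the body collapses onto the url field once the fragment and utm_source parameter are gone, which is the point of normalizing before querying: the bulk request carries one record per real indicator, and the bad IP ends up in the rejected list instead of a 400 from the API.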
Escalation Matrix
Define escalation paths before deploying this playbook. Populate the table below with your organization's specific contacts and channels.
| Severity + Confidence | Escalation Tier | Notification Channel | Response Time Objective | Disposition Required |
|---|---|---|---|---|
| Critical · Confidence 90+ | Tier 2 Analyst + SOC Lead | PagerDuty / Phone | 15 minutes | Yes — within 1 hour |
| High · Confidence 85+ | Tier 2 Analyst | Slack / Email | 30 minutes | Yes — within 4 hours |
| High · Confidence 75–84 | Tier 1 Analyst | SIEM Queue | 1 hour | Yes — within 8 hours |
| Medium · Any Confidence | Tier 1 Analyst | SIEM Queue | 4 hours | Same business day |
| Low / Unknown · Any | Automated — Log Only | SIEM Log | Next business day review | Batch review weekly |
Citations & References
All technical content is sourced from publicly available standards documentation and research. No proprietary data is reproduced.
- [1] NIST SP 800-61r3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile. National Institute of Standards and Technology, April 2025. csrc.nist.gov
- [2] MITRE ATT&CK Enterprise Matrix v18, October 2025. attack.mitre.org
- [3] Unit 42 2026 Global Incident Response Report. Palo Alto Networks, February 2026. unit42.paloaltonetworks.com
- [4] Cortex XSOAR Unit 42 Threat Intelligence Integration Pack v1.0.15, March 2026. cortex.marketplace.pan.dev
- [5] IETF RFC 7807, Problem Details for HTTP APIs (obsoleted by RFC 9457). tools.ietf.org/html/rfc7807
- [6] TNGlobal, From Data to Decisions: Threat Intelligence in SOC Operations, March 2026.