Performing IOC Enrichment Automation

When to Use

Use this skill when:

- SOC analysts need to quickly enrich IOCs from multiple sources during alert triage
- High alert volumes require automated enrichment to reduce manual lookup time
- Incident investigations need comprehensive IOC context for scope assessment
- SOAR playbooks require enrichment actions as part of automated triage workflows

Do not use for bulk blocking decisions without analyst review — enrichment provides context, not definitive malicious/benign determination.

Prerequisites

- API keys: VirusTotal (free or premium), AbuseIPDB…