# Supercharging My SOC Pipeline With VirusTotal Enrichment — Know Your Attacker Before You Block Them

DEV Community·Nmosi Chinecherem·about 1 month ago

In my last article I built a SOC pipeline that caught real hackers in 3 minutes. This time I'm adding automated threat intelligence enrichment — so every alert now tells me exactly who the attacker is before a human even looks at it.

## The Problem With Raw Alerts

After my first article, my pipeline was working well. Real attackers were hitting the honeypot, Wazuh was firing level 15 alerts, Shuffle was processing them, and TheHive was creating cases. But there was a gap. Every case in TheHive looked like this:

```
Alert: SSH Brute Force on Honeypot
Attacker IP: 110.35.80.116
Agent: honeypot
Level: 15
```

That's useful. But it's not enough. An IP address alone doesn't tell you:

- Is this a known malicious actor?
- Is this a botnet, a VPN, or a targeted attacker?
- Has this IP been reported attacking other people?
- What country is it from?
- How dangerous is it — 1 engine flagged it or 80?

Without that context, every alert looks the same. You can't prioritise.…
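One way to do the enrichment step the article is about, as an added example that is not the author's pipeline code: it reads the VirusTotal v3 IP report (GET /api/v3/ip_addresses/{ip}, header x-apikey; the last_analysis_stats, country and as_owner attributes are from that API) and turns the engine counts and origin into triage fields on a TheHive-style alert like the one above. The sample response and the priority thresholds are constructed for this example.

```python
import json
import urllib.request

VT_IP_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"

# Constructed sample of a v3 IP report, trimmed to the attributes used below.
SAMPLE_VT_RESPONSE = {"data": {"attributes": {
    "last_analysis_stats": {"harmless": 60, "malicious": 12, "suspicious": 2, "undetected": 18},
    "country": "KR", "as_owner": "Example Hosting (constructed)",
}}}

def fetch_ip_report(ip, api_key, timeout=10):
    """Live lookup against the documented v3 endpoint (needs an API key)."""
    req = urllib.request.Request(VT_IP_URL.format(ip=ip),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def priority_for(malicious, suspicious):
    """Map engine verdict counts to a triage tier; thresholds are this example's."""
    if malicious >= 10:
        return "critical"
    if malicious >= 3 or suspicious >= 3:
        return "high"
    if malicious or suspicious:
        return "medium"
    return "low"

def enrich_alert(alert, vt_report):
    """Return a copy of the alert with the context a bare IP does not carry."""
    attrs = vt_report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    total = sum(stats.values())  # engines that returned any verdict
    enriched = dict(alert)
    enriched.update({
        "vt_malicious": malicious,
        "vt_engines": total,
        "vt_detection_ratio": f"{malicious}/{total}",
        "country": attrs.get("country", "unknown"),
        "as_owner": attrs.get("as_owner", "unknown"),
        "priority": priority_for(malicious, suspicious),
    })
    return enriched

if __name__ == "__main__":
    alert = {"title": "SSH Brute Force on Honeypot", "attacker_ip": "110.35.80.116",
             "agent": "honeypot", "level": 15}
    print(json.dumps(enrich_alert(alert, SAMPLE_VT_RESPONSE), indent=2))
```

Swap SAMPLE_VT_RESPONSE for fetch_ip_report(alert["attacker_ip"], api_key) to run it against live data; the enriched dict is what a Shuffle step would push into the TheHive case.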
