Today we’re announcing an integration with Tenzir that moves URL enrichment out of the SIEM and into the security data pipeline — where it can actually change outcomes.
Most SIEM threat enrichment strategies share the same flaw: they start after data has already landed. DNS queries, web proxy logs, network events — they flow into the SIEM first, and then something or someone looks up threat context. That sequence is backwards, slow and expensive.
This integration fixes the sequence. Our real-time threat intelligence moves into the Tenzir pipeline layer, applied to security telemetry before it reaches the SIEM. The result is events that arrive pre-classified, pre-enriched, and ready for detection — not raw logs waiting for someone to figure out if they matter.
The Problem With Post-Ingestion Enrichment
Every SOC has a version of the same bottleneck.
DNS telemetry comes in. It goes to the SIEM. At some point — maybe through a lookup block in a detection rule, maybe through a scheduled batch job, maybe through an analyst who got curious — a domain name gets queried against a threat intel feed. By that point, the moment has passed. A phishing domain that was live for three hours before the attacker rotated infrastructure has already done its work.
There are a few specific ways this plays out.
SIEM-side enrichment is selective. Most teams can’t afford to enrich every event post-ingestion — the latency and cost make it impractical. So enrichment gets reserved for events that already triggered an alert. Which means enrichment is happening after detection, not before it.
Batch updates miss the window. Threat infrastructure is fast. New phishing domains register, go active, and often get abandoned within 24-48 hours. A feed that updates daily is working with yesterday’s data during the hours when attacker infrastructure is most active. We update hourly — but that advantage disappears if the enrichment pipeline is running on a nightly schedule anyway.
Manual lookups don’t scale. When analysts have to query threat intel by hand for every suspicious event, enrichment becomes analyst work. High-volume environments can’t absorb that cost. Analysts end up triaging alerts with no context, making block/allow decisions on incomplete information.
The problem isn’t that teams lack threat intelligence. It’s that the intelligence is arriving at the wrong point in the data flow.
Threat Enrichment in Motion
Tenzir is a security data pipeline platform — programmable, OCSF-aligned, and built to sit between telemetry sources and the tools that act on data. DNS logs, network events, web proxy traffic, endpoint telemetry: Tenzir collects, normalizes, and routes it before it ever reaches the SIEM or data lake.
Our integration brings our domain & IP intelligence into that pipeline layer. Domains, URLs, hostnames, and IP addresses get queried against our threat intelligence as events flow through — not after they land somewhere. By the time a DNS event reaches the SIEM, it already carries a risk rating, content categories, and contextual threat factors. The detection system gets enriched, OCSF-aligned data instead of raw telemetry waiting on a lookup.
This isn’t batch enrichment with a shorter interval. It’s enrichment at event time, in the pipeline, before any detection decision happens.
What Changes When Intelligence Moves Upstream
Routing becomes data-driven. High-risk events — anything above a risk rating threshold the team sets — go to the SIEM and AI SOC workflows. Low-risk noise routes to the data lake for full-fidelity OCSF retention without clogging hot paths. The integration is designed to target 30-70% reduction in SIEM hot-path volume. That’s not compression through sampling or data loss — it’s signal-based routing that wasn’t possible without in-pipeline context.
Analysts start with verdicts, not questions. When a suspicious DNS event reaches the alert queue, it already shows our risk rating, the relevant classification categories (Malicious, Phishing, Newly Registered, etc.), and what infrastructure the domain shares with other known threats. The analyst doesn’t need to open threatYeti or run a manual lookup to start investigating — the context came in with the event. The lookup already happened, automatically, while data was still in motion.
SIEM ingestion costs drop. Most SIEM pricing is volume-based — every event that hits the hot path costs money, whether it’s actionable or not. When low-risk telemetry routes to the data lake instead of the SIEM, you’re not just reducing noise; you’re cutting the ingestion bill. The integration targets 30–70% reduction in SIEM hot-path volume. Full-fidelity OCSF data stays in the lake for compliance and retrospective investigation — nothing is discarded. You’re just paying to store it cheaply instead of ingesting it expensively.
A Technical Note on How This Works
The integration ships as a native Tenzir package with two distinct enrichment patterns.
The first — and most common — is feed-based context enrichment. Tenzir pulls our threat and category feeds on a scheduled basis, maps them to OCSF, and stores them in a shared lookup table that any pipeline can reference. A pipeline that publishes high-risk threats looks like this:
every 1h {
  // pull only high-confidence threats (risk 8.5 to 10.0) from the feed
  alphamountain::threat::feed license="ALPHAMOUNTAIN_LICENSE",
    risk_min=8.5,
    risk_max=10.0
  // translate to OCSF, fill in derived fields, enforce the schema types
  alphamountain::ocsf::map
  ocsf::derive
  ocsf::cast
}
// hand the enriched events to every pipeline subscribed to the "ocsf" topic
publish "ocsf"
That every 1h cadence matches our own update frequency — so the lookup table is never more than an hour stale. The risk_min=8.5 parameter means only high-confidence threats enter the hot path; everything below threshold routes elsewhere. A separate pipeline pattern uses tenzir::osint::update_context to maintain the lookup table for inline enrichment, so individual DNS or web events get classified against current data as they flow through without a per-event API call.
The second pattern is per-hostname live lookup via alphamountain::intelligence::hostname — used when an event needs full aM Intelligence™ context (WHOIS, passive DNS, DGA probability, impersonation flags, shared IP infrastructure) rather than just a threat score.
In both cases, the OCSF mapping (alphamountain::ocsf::map) translates our data into OCSF class 5021 — OSINT Inventory Info. Risk scores map directly to OCSF severity: anything scoring 8.0 or above becomes severity_id=4 (Critical). Confidence scores map to OCSF confidence_id. Categories become osint.labels. The result is enriched events in a standard schema that works across SIEMs, data lakes, and AI SOC workflows without transformation at each destination.
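As an added example (not code from alphaMountain or the Tenzir package), the following Python models the mapping and routing described above on constructed feed records: class_uid 5021, risk 8.0 and above to severity_id 4, confidence to confidence_id, categories to osint.labels, and the risk_min=8.5 hot-path split. The record field names, the lower severity and confidence cut points, and the use of OCSF's unmapped object to carry the raw risk are assumptions.

```python
from dataclasses import dataclass, field

OCSF_OSINT_INVENTORY_INFO = 5021  # OCSF class named in the text


@dataclass
class ThreatRecord:
    """Constructed shape of one feed entry (field names are an assumption)."""
    indicator: str
    risk: float            # risk rating on a 0-10 scale
    confidence: float      # 0.0-1.0
    categories: list = field(default_factory=list)


def severity_id(risk: float) -> int:
    """Risk rating -> OCSF severity_id. The text gives only the top bucket
    (8.0 and above -> 4); the lower cut points are this example's assumption."""
    if risk >= 8.0:
        return 4
    if risk >= 6.0:
        return 3
    if risk >= 4.0:
        return 2
    return 1


def confidence_id(confidence: float) -> int:
    """Confidence -> OCSF confidence_id (1 Low, 2 Medium, 3 High); cut points assumed."""
    if confidence >= 0.8:
        return 3
    if confidence >= 0.5:
        return 2
    return 1


def to_ocsf(rec: ThreatRecord) -> dict:
    """Translate one feed record into an OCSF class 5021 event."""
    return {
        "class_uid": OCSF_OSINT_INVENTORY_INFO,
        "severity_id": severity_id(rec.risk),
        "confidence_id": confidence_id(rec.confidence),
        "osint": {"value": rec.indicator, "labels": list(rec.categories)},
        "unmapped": {"risk": rec.risk},  # raw rating kept for routing decisions
    }


def route(event: dict, risk_min: float = 8.5) -> str:
    """Signal-based routing: at or above risk_min -> SIEM hot path, else data lake."""
    return "siem" if event["unmapped"]["risk"] >= risk_min else "lake"


def partition(records: list) -> dict:
    """Map every record to OCSF and split the stream by destination."""
    routed = {"siem": [], "lake": []}
    for rec in records:
        event = to_ocsf(rec)
        routed[route(event)].append(event)
    return routed


SAMPLE = [  # constructed records, not real feed data
    ThreatRecord("login-verify.example", 9.2, 0.95, ["Malicious", "Phishing", "Newly Registered"]),
    ThreatRecord("cdn.example", 1.4, 0.90, ["Content Delivery"]),
    ThreatRecord("promo-deals.example", 7.1, 0.60, ["Suspicious"]),
]
```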
The Proof of Value Path
The integration is designed to start small and measure impact precisely. Start with one high-value telemetry source — DNS or web proxy — and run a focused proof of value against three numbers: how much data shifts out of SIEM hot paths, how much faster analysts understand risky events, and how many repetitive manual lookups disappear.
Those metrics are directly observable. If 40% of DNS telemetry that was previously flowing into the SIEM routes to the lake instead — because it carried a low risk rating — that’s a measurable reduction in SIEM load. If analysts are starting investigations with risk ratings and categories already attached instead of blank event fields, the enrichment is working.
The same OCSF-aligned pattern that works for DNS extends to web proxy, network flow, and cloud telemetry without redesigning the pipeline architecture.
Get Started
Grab the Tenzir library for alphaMountain, then get in touch with us.
Our API is available for trial at no cost. If your team is building or evaluating a security data pipeline and wants to see what in-motion enrichment looks like against real DNS or web telemetry, request API access at [email protected].
To see the underlying intelligence dataset before integration — risk ratings, categories, related hosts, DGA probability, impersonation detection across any domain or IP — try threatYeti.com for free.