Module 4 Assignment: Threat intelligence and enrichment#

Scenario#

You are advising a security operations center tuning AI-assisted detections before analyst rollout. The stakeholders are: SOC analyst, detection engineer, incident commander, and business system owner.

Task#

Answer the module question: How does external intelligence improve detection?

Use the module lab and course readings to produce a detection engineering packet (threat model, false-positive analysis, and triage workflow) focused on threat intelligence and enrichment. The design task is: design an enrichment workflow.

Required Evidence#

  • Define the decision or system boundary in one paragraph.

  • Identify the dataset, proxy data, or evidence source you used: synthetic security telemetry with login velocity, data transfer volume, process rarity, and threat labels.

  • Compare at least two alternatives, baselines, policies, or designs.

  • Report one quantitative result or structured scoring table.

  • Explain two failure modes and one mitigation for each.

  • State what additional evidence would be required before real deployment.
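The workflow the task asks for, carried through to the scoring table and failure-mode analysis the evidence list requires, as an added example that is not part of the course lab or readings. Everything in it is constructed: the eight telemetry rows (login velocity, bytes transferred, process rarity, a ground-truth label), the four-entry indicator feed with its confidence and last-seen fields, the rule thresholds, the 90-day indicator expiry, and the confidence-to-weight tiering are all assumptions chosen to make the comparison visible, not values from the module dataset. It compares three policies over the same enriched rows: local rules alone, local rules plus "any indicator match alerts", and local rules plus age- and confidence-weighted indicators.

```python
"""Enrichment workflow over constructed telemetry: baseline rules vs. two ways of
adding external threat intelligence, scored against ground-truth labels."""
from datetime import date

TODAY = date(2024, 6, 1)  # fixed reference date so indicator ages are deterministic

# Constructed synthetic telemetry (not course data). One row per session; the
# label is ground truth used only for scoring, never by the detection logic.
TELEMETRY = [
    {"id": 1, "src_ip": "203.0.113.5",  "login_velocity": 14, "bytes_out": 8_000_000_000, "process_rarity": 0.01, "label": 1},
    {"id": 2, "src_ip": "198.51.100.7", "login_velocity": 2,  "bytes_out": 400_000_000,   "process_rarity": 0.30, "label": 1},  # low and slow
    {"id": 3, "src_ip": "192.0.2.40",   "login_velocity": 3,  "bytes_out": 100_000_000,   "process_rarity": 0.60, "label": 0},  # IP on a stale IOC
    {"id": 4, "src_ip": "192.0.2.77",   "login_velocity": 1,  "bytes_out": 50_000_000,    "process_rarity": 0.80, "label": 0},  # IP on a low-confidence IOC
    {"id": 5, "src_ip": "10.0.0.8",     "login_velocity": 11, "bytes_out": 6_000_000_000, "process_rarity": 0.50, "label": 1},
    {"id": 6, "src_ip": "10.0.0.9",     "login_velocity": 11, "bytes_out": 30_000_000,    "process_rarity": 0.01, "label": 0},  # new admin tool rollout
    {"id": 7, "src_ip": "10.0.0.10",    "login_velocity": 2,  "bytes_out": 20_000_000,    "process_rarity": 0.90, "label": 0},
    {"id": 8, "src_ip": "10.0.0.11",    "login_velocity": 4,  "bytes_out": 120_000_000,   "process_rarity": 0.70, "label": 0},
]

# Constructed external indicator feed (assumed schema: value, confidence 0-100,
# last_seen date, source). Real feeds carry more fields; these are the ones the
# workflow below actually consumes.
INTEL = [
    {"indicator": "203.0.113.5",  "confidence": 95, "last_seen": date(2024, 5, 30), "source": "vendor-A"},
    {"indicator": "198.51.100.7", "confidence": 90, "last_seen": date(2024, 5, 28), "source": "isac"},
    {"indicator": "192.0.2.40",   "confidence": 85, "last_seen": date(2023, 3, 1),  "source": "vendor-A"},  # over a year old
    {"indicator": "192.0.2.77",   "confidence": 20, "last_seen": date(2024, 5, 31), "source": "osint-scrape"},
]

# Assumed local thresholds; in practice these come from the false-positive analysis.
VELOCITY_MAX, BYTES_OUT_MAX, RARITY_MIN, ALERT_AT = 10, 5_000_000_000, 0.02, 2
MAX_IOC_AGE_DAYS = 90  # assumed expiry: indicators older than this are context only


def baseline_score(row):
    """Count local rule hits on the telemetry fields alone."""
    return (int(row["login_velocity"] > VELOCITY_MAX)
            + int(row["bytes_out"] > BYTES_OUT_MAX)
            + int(row["process_rarity"] < RARITY_MIN))


def enrich(row, intel=INTEL, today=TODAY, max_age_days=MAX_IOC_AGE_DAYS):
    """Step 1 of the workflow: attach indicator context to a row without deciding anything.
    The analyst sees source, confidence and age even when no alert is raised."""
    ctx = None
    for ioc in intel:
        if ioc["indicator"] == row["src_ip"]:
            age = (today - ioc["last_seen"]).days
            ctx = {"source": ioc["source"], "confidence": ioc["confidence"],
                   "age_days": age, "stale": age > max_age_days}
            break
    return {**row, "intel": ctx}


def ioc_weight(ctx):
    """Step 2: convert indicator context into rule-hit equivalents (assumed tiering).
    Stale or low-confidence indicators enrich the record but add no alert weight."""
    if ctx is None or ctx["stale"]:
        return 0
    if ctx["confidence"] >= 80:
        return 2  # fresh, high-confidence: enough to alert on its own
    if ctx["confidence"] >= 50:
        return 1  # needs one corroborating local signal
    return 0


# Step 3: three decision policies over the same enriched rows.
def policy_baseline(r):
    return baseline_score(r) >= ALERT_AT

def policy_enriched_naive(r):
    # Any indicator match alerts, regardless of age or confidence.
    return baseline_score(r) >= ALERT_AT or r["intel"] is not None

def policy_enriched_tuned(r):
    return baseline_score(r) + ioc_weight(r["intel"]) >= ALERT_AT

POLICIES = {"baseline": policy_baseline, "enriched_naive": policy_enriched_naive,
            "enriched_tuned": policy_enriched_tuned}


def evaluate(policy, rows):
    """Confusion counts plus precision/recall for one policy over enriched rows."""
    tp = fp = fn = tn = 0
    for r in rows:
        alert, bad = policy(r), bool(r["label"])
        if alert and bad:
            tp += 1
        elif alert:
            fp += 1
        elif bad:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": round(precision, 2), "recall": round(recall, 2)}


def scoring_table(rows=TELEMETRY, intel=INTEL, today=TODAY):
    """The structured scoring table the evidence list asks for, one line per policy."""
    enriched = [enrich(r, intel, today) for r in rows]
    return {name: evaluate(p, enriched) for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, m in scoring_table().items():
        print(f"{name:15s} tp={m['tp']} fp={m['fp']} fn={m['fn']} tn={m['tn']} "
              f"precision={m['precision']} recall={m['recall']}")
```

On this constructed data the baseline misses the low-and-slow session (row 2) that only an external indicator can surface, so enrichment raises recall. Treating every indicator match as an alert recovers that session but adds two false positives, one from an indicator last seen over a year ago and one from a low-confidence scraped source; expiring stale indicators and weighting by confidence keeps the recall gain and drops both. Row 6 stays a false positive under all three policies, which is the point to make in the memo: external intelligence adds signal the local telemetry lacks, it does not repair noisy local rules. Before real deployment you would need the feed's actual age and confidence semantics, the indicator churn rate, and the analyst time cost per enriched alert, none of which synthetic data can supply.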

Submission#

Submit the completed notebook plus a 900-1200 word memo. The memo must include clear headings for context, method, evidence, risks, recommendation, and open questions.

# Assignment workspace for Module 4: Threat intelligence and enrichment
module = 4
decision = "How does external intelligence improve detection?"
artifact = "detection engineering packet with threat model, false-positive analysis, and triage workflow focused on threat intelligence and enrichment: Design an enrichment workflow."

# One entry per alternative you compared (the evidence list requires at least two).
# "evidence" should name the notebook cell, table, or reading that supports the claim.
alternatives = [
    {"option": "baseline_or_manual_process", "strength": "", "risk": "", "evidence": ""},
    {"option": "ai_assisted_or_advanced_option", "strength": "", "risk": "", "evidence": ""},
]

# Fill in after the comparison: the option you recommend, the evidence required
# before a pilot, the metric you would watch, and the condition that reverts the change.
recommendation = {
    "decision": decision,
    "recommended_option": "",
    "minimum_evidence_before_pilot": [],
    "monitoring_metric": "",
    "rollback_trigger": "",
}

# Echo the packet so a reviewer can see its current state.
{"module": module, "artifact": artifact, "alternatives": alternatives, "recommendation": recommendation}
{'module': 4,
 'artifact': 'detection engineering packet with threat model, false-positive analysis, and triage workflow focused on threat intelligence and enrichment: Design an enrichment workflow.',
 'alternatives': [{'option': 'baseline_or_manual_process',
   'strength': '',
   'risk': '',
   'evidence': ''},
  {'option': 'ai_assisted_or_advanced_option',
   'strength': '',
   'risk': '',
   'evidence': ''}],
 'recommendation': {'decision': 'How does external intelligence improve detection?',
  'recommended_option': '',
  'minimum_evidence_before_pilot': [],
  'monitoring_metric': '',
  'rollback_trigger': ''}}

Acceptance Criteria#

Your submission is complete only if another reviewer can reproduce your reasoning from the evidence you provide. You do not need production-grade data, but you must be explicit about proxy-data limits and what would change with real institutional data.