07/14/2026 | Press release | Distributed by Public on 07/14/2026 14:07
Dynatrace Security Enrichment gives security teams one place to connect commercial, open source, and proprietary threat intelligence (TI) sources and use them to enrich IP addresses across Dynatrace Investigations, Threats & Exploits, and Workflows. Instead of building and maintaining a separate connector for each TI provider, you configure an HTTP-based connection, normalize the response, and reuse that context across the platform. This can support faster triage and more consistent decisions, and reduce integration overhead, for teams that rely on both third-party feeds and internal intelligence.
Architectural scheme of Security EnrichmentHow can you distinguish between yet another false positive and a real threat when the context your team needs resides in a different tool for each investigation?
Threat intelligence sources rarely live in one place. Your team might rely on commercial feeds for reputation data, open sources for additional signal, and internal services for the context that matters most to your business. An internal IP reputation database or customer-IP registry can be just as important as any external feed.
That fragmentation slows down every investigation. Analysts move between browser tabs, scripts, and disconnected tools just to answer basic questions about an IP address. Each source returns a different response pattern, which makes it harder to apply consistent triage logic across teams and workflows. The more enrichment sources you depend on, the more operational overhead you create.
At the same time, security teams are under pressure to automate triage without losing control. That means you need flexible enrichment that can keep up with new providers, internal intelligence, and changing workflows without forcing you to build a new connector every time.
Dynatrace Security Enrichment gives you a flexible, native way to connect to any HTTP-based threat intelligence API and use its results directly in the Dynatrace Platform. This includes commercial services, open source feeds, and proprietary internal APIs.
Pre-configured templates for popular providers like AbuseIPDB and VirusTotal handle the setup for you. Add your API key, and the enrichment configuration is set.
Select your enrichment source. Security Enrichment connection settingsWhether it's a niche commercial provider, an OSINT platform like MISP, or your team's own internal reputation service - if it has an HTTP API that returns JSON, you can connect it. No coding, no custom integration development. Just point, configure, and go.
Custom mapping viewEach security intelligence source vendor returns different field names, different scoring models, and different response structures. Dynatrace Security Enrichment normalizes all of this - using the same query language your team already knows from Dynatrace - into a unified view with consistent reputation levels, geolocation data, recency indicators, and source references. Triage logic and automation that works for one source works for every source you add afterward.
Example of a workflow with enrichment includedThis is where Security Enrichment changes the operational model - not just the tooling.
Consider a team that maintains its own internal IP reputation database, built from years of telemetry and asset context that no external vendor can provide. Today, when an analyst encounters a suspicious IP during an investigation, they open a separate tool, query that database manually, and paste the result back into their case notes. Multiply that by every investigation, every analyst, and every day.
With Security Enrichment, that internal system becomes a native enrichment source. The analyst selects an IP in their investigation and sees the internal reputation score right alongside commercial intelligence and geolocation - in one consistent view that persists as case evidence. No context switching, no manual lookups, no data siloed in a browser tab.
The same connection also powers automated workflows. Teams use the enrichment action in Dynatrace Workflows to build automated triage patterns like:
Because enrichment, detections, investigations, and automation all live on one platform, your team can run these patterns without sending alerts to a separate orchestrator, without maintaining duplicate configurations, and without the drift that comes from stitching together tools that weren't designed to work together.
We're evolving Security Enrichment to cover a broader set of observables relevant to investigations. We're also exploring ways to make integrations more adaptable based on user needs. Over time, we aim to further incorporate threat intelligence to inform investigations and support more proactive detection.
You can get started with Security Enrichment directly from the Dynatrace Hub and create your first connections in just a few clicks.
If you're already using the standalone AbuseIPDB or VirusTotal apps, matching blueprints are available to help streamline the transition. With those standalone apps removed in June 2026, now is a good time to see what other threat intelligence you can incorporate.