A is incorrect: Log aggregation is the process of collecting, centralizing, and indexing data from multiple sources for storage and later analysis. While a TIP does aggregate indicators from multiple feeds, the scenario emphasizes AI-driven addition of contextual metadata such as geolocation and threat actor attribution to each indicator. Log aggregation focuses on data collection and storage, not on enhancing the contextual quality of threat intelligence through enrichment.
B is incorrect: Automated signature generation involves creating detection patterns or rules that security tools use to identify known threats in network traffic. While AI can assist with rule creation, the scenario specifically describes adding contextual information like geolocation and attribution to raw indicators. Enrichment enhances the quality and context of threat intelligence, whereas signature generation focuses on creating detection logic for network security devices.
C is correct: Automated indicator enrichment is the correct answer. AI-powered indicator enrichment uses machine learning and automated data analytics to add contextual metadata to raw indicators of compromise (IOCs). By appending geolocation, threat actor attribution, and confidence ratings, AI transforms low-value raw data into enriched, actionable intelligence that analysts can quickly assess. This is a core AI use case in threat intelligence platforms, enabling faster triage and more informed decision-making without requiring manual lookups for each indicator.
D is incorrect: Response orchestration refers to the automated coordination and execution of incident response actions across multiple security tools, such as isolating compromised hosts or blocking malicious IPs. While response orchestration is an important AI-driven security capability, it focuses on taking action against identified threats rather than adding contextual metadata to raw indicators. The scenario describes enriching intelligence data with context, not automating response workflows.