The "Enrich Case with Threat Intelligence Data - ANY.RUN TI Lookup" workflow template adds threat intelligence to case management during incident response. It automates extracting observables (IPs, URLs, hostnames and file hashes) from a case, validating that each is a supported type, and enriching the supported ones with threat intelligence from ANY.RUN. For each observable the workflow updates the reputation and threat verdict on the case, then adds a case note containing a summary and a deep-link to ANY.RUN for further investigation. Analysts get a verdict on every indicator in the case without leaving the case view, which speeds up triage and threat hunting.
Use Cases
Case Management, Threat Hunting, Threat Intelligence Enrichment
Workflow Breakdown
Gets case observables and prompts the analyst to select which to enrich.
Validates that the selected observables are supported types (IPs, URLs, hostnames, file hashes); exits if none qualify.
Loops over each selected observable and invokes a nested ANY.RUN TI Lookup workflow to perform the enrichment per observable.
The nested workflow updates each observable's reputation, sets a threat verdict, and adds a case note with a TI summary and a deep-link to ANY.RUN.
Collects all per-observable results into an aggregated array and exits.
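The following Python is an added example that reproduces the five steps above end to end; it is not the template's own code and does not call the ANY.RUN integration. The lookup is a stand-in function returning constructed sample data, the TI_LOOKUP_BASE deep-link format and the verdict-to-reputation mapping are assumptions to be checked against the vendor, and the refanging of defanged indicators (hxxp://, 1.2.3[.]4) is an added hardening step the template does not mention.

```python
"""Observable validation and TI enrichment loop, mirroring the workflow steps.
Added example; the ANY.RUN lookup is replaced by a stand-in with constructed data."""
import ipaddress
import re
from typing import Callable, Optional
from urllib.parse import quote, urlparse

# Assumption: base URL for the analyst-facing deep-link. Verify the real
# TI Lookup URL scheme before shipping this in a case note.
TI_LOOKUP_BASE = "https://intelligence.any.run/analysis/lookup"

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I
)
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
# Assumed mapping from vendor verdict to the case observable's reputation field.
VERDICT_TO_REPUTATION = {"malicious": "bad", "suspicious": "suspicious",
                         "clean": "good", "unknown": "unknown"}


def refang(value: str) -> str:
    """Case observables are often stored defanged; normalise them so that
    validation and the lookup operate on the real indicator."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str) -> Optional[str]:
    """Step 2: return 'ip', 'url', 'hostname', 'md5'/'sha1'/'sha256', or None."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-f]+", v, re.I) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    return "hostname" if HOSTNAME_RE.match(v) else None


def select_supported(observables: list) -> tuple:
    """Keep supported types; report the rest instead of silently dropping them."""
    selected, skipped = [], []
    for raw in observables:
        kind = classify(raw)
        if kind is None:
            skipped.append(raw)
        else:
            selected.append({"raw": raw, "value": refang(raw), "type": kind})
    return selected, skipped


# Constructed sample TI data standing in for the ANY.RUN TI Lookup response.
SAMPLE_TI = {
    "203.0.113.10": {"verdict": "malicious", "hits": 12},
    "http://evil.example/payload.exe": {"verdict": "malicious", "hits": 3},
    "cdn.example.net": {"verdict": "suspicious", "hits": 1},
}


def sample_lookup(value: str, kind: str) -> dict:
    return SAMPLE_TI.get(value, {"verdict": "unknown", "hits": 0})


def enrich_one(obs: dict, lookup: Callable[[str, str], dict]) -> dict:
    """Steps 3-4 for one observable: look it up, derive reputation and verdict."""
    result = lookup(obs["value"], obs["type"])
    verdict = result.get("verdict", "unknown")
    if verdict not in VERDICT_TO_REPUTATION:
        verdict = "unknown"  # an unrecognised vendor verdict must not read as clean
    link = f"{TI_LOOKUP_BASE}?query={quote(obs['value'], safe='')}"
    return {**obs, "verdict": verdict, "reputation": VERDICT_TO_REPUTATION[verdict],
            "hits": int(result.get("hits", 0)), "deep_link": link}


def enrich_case(observables: list, lookup: Callable[[str, str], dict] = sample_lookup) -> dict:
    """Steps 1-5: validate, loop over observables, aggregate, render the case note."""
    selected, skipped = select_supported(observables)
    if not selected:
        return {"results": [], "skipped": skipped, "note": "No supported observables to enrich."}
    results = [enrich_one(o, lookup) for o in selected]
    lines = ["ANY.RUN TI enrichment summary:"]
    for r in results:
        lines.append(f"- {r['type']} {r['value']}: {r['verdict']} ({r['hits']} hits) {r['deep_link']}")
    if skipped:
        lines.append(f"- skipped (unsupported type): {', '.join(skipped)}")
    return {"results": results, "skipped": skipped, "note": "\n".join(lines)}


if __name__ == "__main__":
    case = ["203.0.113[.]10", "hxxp://evil.example/payload.exe", "cdn.example.net",
            "user@example.com", "d41d8cd98f00b204e9800998ecf8427e"]
    print(enrich_case(case)["note"])
```

Two details matter in practice: unsupported observables are listed in the note rather than dropped, so the analyst sees what was not checked, and any vendor verdict the mapping does not recognise becomes "unknown" rather than being treated as clean.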
Vendors
Utils, ANY.RUN, Torq Cases
Workflow Output
Each selected observable's reputation and threat verdict are updated on the case, and a case note is added with the TI summary and a deep-link back to ANY.RUN for further investigation.
