
Workflow Template: Enrich Case with Threat Intelligence Data - ANY.RUN TI Lookup

Look up case observables (IPs, URLs, hostnames, hashes) in ANY.RUN TI and enrich the Torq Case with verdicts and reputation.

The "Enrich Case with Threat Intelligence Data - ANY.RUN TI Lookup" workflow template is designed to enhance case management and threat intelligence enrichment processes. It automates the extraction and analysis of observables such as IPs, URLs, hostnames, and file hashes from a case, using ANY.RUN's Threat Intelligence database. By validating and enriching these observables, the workflow provides updated threat verdicts and reputations, adding valuable insights and context to cases. This facilitates more informed decision-making in threat hunting and incident response activities.

Use Cases

Case Management, Threat Hunting, Threat Intelligence Enrichment

Workflow Breakdown

  1. Gets case observables and prompts the analyst to select which to enrich.

  2. Validates that the selected observables are supported types (IPs, URLs, hostnames, file hashes); exits if none qualify.

  3. Loops over each selected observable and invokes a nested ANY.RUN TI Lookup workflow to perform the enrichment per observable.

  4. The nested workflow updates each observable's reputation, sets a threat verdict, and adds a case note with TI summary and a deep-link to ANY.RUN.

  5. Collects all per-observable results into an aggregated array and exits.
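The steps above (filter the selected observables to supported types, exit early when none qualify, enrich each one through a per-observable lookup, and collect the results into one array) are easy to get subtly wrong, especially the type validation. The following Python is an added example, not the Torq template's own logic and not ANY.RUN's API: `classify_observable` is a hypothetical validator built from standard-library parsing, `lookup` is an injected callable standing in for the nested ANY.RUN TI Lookup workflow, the `constructed_lookup` table and its `verdict` field are an assumed response shape for the demo, and the deep-link base URL is a labelled placeholder.

```python
"""Added example: validate case observables, enrich the supported ones, aggregate results.

Assumptions (not from the page): the TI lookup is an injected callable returning a
dict with a 'verdict' key; the deep-link base is a placeholder, not ANY.RUN's real URL.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Hostname: dotted labels, 1-63 chars each, alphabetic TLD, total <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

# Placeholder (assumption): the page does not give ANY.RUN's deep-link format.
DEEP_LINK_BASE = "https://ti.example.invalid/lookup?q="

# Assumed mapping from a TI verdict to the case observable's reputation field.
VERDICT_TO_REPUTATION = {
    "malicious": "malicious",
    "suspicious": "suspicious",
    "no threats": "clean",
}


def classify_observable(value: str) -> Optional[str]:
    """Return 'ip', 'hash', 'url' or 'hostname' for a supported observable, else None."""
    v = value.strip()
    if not v:
        return None
    # IPv4 and IPv6 both parse here; anything with a colon that is not an IP falls through.
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "hash"
    if "://" in v:
        parsed = urlparse(v)
        return "url" if parsed.scheme and parsed.netloc else None
    if HOSTNAME_RE.match(v):
        return "hostname"
    return None


def partition_observables(observables: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split the analyst's selection into (value, type) pairs and unsupported leftovers."""
    supported, skipped = [], []
    for raw in observables:
        kind = classify_observable(raw)
        if kind is None:
            skipped.append(raw)
        else:
            supported.append((raw.strip(), kind))
    return supported, skipped


def enrich_observable(value: str, kind: str, lookup: Callable[[str, str], Dict]) -> Dict:
    """Mirror of the nested per-observable workflow: lookup, verdict, reputation, note text."""
    ti = lookup(value, kind)
    verdict = ti.get("verdict", "unknown")
    reputation = VERDICT_TO_REPUTATION.get(verdict, "unknown")
    link = DEEP_LINK_BASE + value
    note = f"ANY.RUN TI: {value} ({kind}) verdict={verdict}; details: {link}"
    return {"observable": value, "type": kind, "verdict": verdict,
            "reputation": reputation, "note": note, "link": link}


def enrich_case(observables: List[str], lookup: Callable[[str, str], Dict]) -> Dict:
    """Top-level flow: validate, exit early if nothing qualifies, loop, aggregate."""
    supported, skipped = partition_observables(observables)
    if not supported:
        return {"status": "no_supported_observables", "skipped": skipped, "results": []}
    results = [enrich_observable(value, kind, lookup) for value, kind in supported]
    return {"status": "enriched", "skipped": skipped, "results": results}


# Constructed demo data: documentation-range IP and a reserved example domain.
CONSTRUCTED_TI = {
    "198.51.100.23": {"verdict": "malicious"},
    "example.com": {"verdict": "no threats"},
}


def constructed_lookup(value: str, kind: str) -> Dict:
    """Stand-in for the ANY.RUN TI Lookup call; returns the assumed response shape."""
    return CONSTRUCTED_TI.get(value, {"verdict": "unknown"})


if __name__ == "__main__":
    selection = ["198.51.100.23", "example.com", "not an observable",
                 "0123456789abcdef0123456789abcdef"]
    for row in enrich_case(selection, constructed_lookup)["results"]:
        print(row["note"])
```

Observables the analyst selected that are not an IP, URL, hostname or hash land in `skipped`, and when `skipped` is all there is the function returns before any lookup runs, matching the early exit in step 2. Each entry in `results` carries the pieces step 4 writes back to the case (reputation, verdict, note with deep-link), so the aggregated list is what step 5 would return.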

Vendors

Utils, ANY.RUN, Torq Cases

Workflow Output

A case note is added with the TI summary and a deep-link back to ANY.RUN for further investigation.
