The "Enrich Case with Threat Intelligence Data - ANY.RUN TI Lookup" workflow template is designed to enhance case management and threat hunting by integrating threat intelligence data into Torq Cases. This workflow automates the process of extracting observables such as IPs, URLs, hostnames, and file hashes from a case, validating their types, and enriching them with threat intelligence data from ANY.RUN. It updates each observable's reputation and threat verdict, and adds a detailed case note with a summary and a deep-link to ANY.RUN for further investigation. This streamlined approach aids analysts in making informed decisions by providing comprehensive threat intelligence insights directly within their case management system.
Use Cases
Case Management , Threat Hunting , Threat Intelligence Enrichment
Workflow Breakdown
Gets case observables and prompts the analyst to select which to enrich.
Validates that the selected observables are supported types (IPs, URLs, hostnames, file hashes); exits if none qualify.
Loops over each selected observable and invokes a nested ANY.RUN TI Lookup workflow to perform the enrichment per observable.
The nested workflow updates each observable's reputation, sets a threat verdict, and adds a case note with TI summary and a deep-link to ANY.RUN.
Collects all per-observable results into an aggregated array and exits.
Vendors
Utils, ANY.RUN, Torq Cases
Workflow Output
A case note is added with the TI summary and a deep-link back to ANY.RUN for further investigation.
