Workflow Template: Enrich File Hash with VirusTotal via Observable Enrichment Data

Enrich Hash with VirusTotal using observables enrichment data as a cache

The "Enrich File Hash with VirusTotal via Observable Enrichment Data" workflow template is designed for efficient threat intelligence management in case management and threat hunting scenarios. It reduces redundant VirusTotal API calls by treating the enrichment data already stored on a case observable as a cache: if a file hash has an enrichment that is still within its TTL, the cached result is returned. If the cached data is outdated or absent, the workflow queries VirusTotal for the hash report, converts the report into an OCSF-compliant enrichment, and updates the existing observable (or creates a new one) with the latest enrichment data, so the case always carries current threat intelligence.

Optional Triggers

This workflow is intended to be used as a nested workflow.

Use Cases

Case Management, Threat Hunting

Workflow Breakdown

  1. Enrich Hash with VirusTotal using observables enrichment data as a cache

  2. If enrichment exists and is within TTL, return cached result

  3. Otherwise query VirusTotal for the hash report

  4. Build an OCSF compliant enrichment

  5. Update or create the observable with the enrichment data
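The five steps above, as an added example that is not Torq's own workflow code. It is a stand-alone Python model of the cache-first logic: the observable store is an in-memory dict, the VirusTotal step is a stub that serves a constructed API v3-style file report (the hash is the public EICAR test file digest; the detection numbers are made up), and the enrichment follows the OCSF enrichment object shape (name, type, provider, value, data). The TTL value, the OCSF observable type_id for a hash, and keeping enrichment data on the observable itself are assumptions, not facts stated on this page.

```python
import time
from typing import Callable, Optional, Tuple

# Assumptions (not stated on the page): the cache TTL and the OCSF type_id for "Hash".
TTL_SECONDS = 24 * 60 * 60
HASH_TYPE_ID = 8

# Constructed VirusTotal API v3 file report. The hash is the EICAR test file; stats are made up.
SAMPLE_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
SAMPLE_VT_REPORT = {
    "data": {
        "type": "file",
        "id": SAMPLE_SHA256,
        "attributes": {
            "sha256": SAMPLE_SHA256,
            "last_analysis_date": 1700000000,
            "last_analysis_stats": {"malicious": 58, "suspicious": 0, "undetected": 14, "harmless": 0},
            "popular_threat_classification": {"suggested_threat_label": "trojan.eicar/test"},
        },
    }
}


def normalize_hash(value: str) -> str:
    """Canonical cache key: lower-case hex, whitespace stripped (MD5, SHA-1 or SHA-256)."""
    h = value.strip().lower()
    if len(h) not in (32, 40, 64) or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a hex file hash: {value!r}")
    return h


def is_fresh(observable: Optional[dict], now: float, ttl: float = TTL_SECONDS) -> bool:
    """Step 2: enrichment counts as cached only if it exists and its age is below the TTL."""
    if not observable or not observable.get("enrichments"):
        return False
    return now - observable["enrichments"][0]["data"]["enriched_at"] < ttl


def build_enrichment(report: dict, now: float) -> dict:
    """Step 4: reduce a VirusTotal v3 file report to an OCSF-style enrichment object."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    total = sum(stats.values()) or 1
    verdict = "malicious" if malicious else ("suspicious" if suspicious else "clean")
    return {
        "name": "virustotal_file_report",
        "type": "file_hash",
        "provider": "VirusTotal",
        "value": attrs["sha256"],
        "data": {
            "enriched_at": now,                       # drives the TTL check on the next run
            "last_analysis_date": attrs.get("last_analysis_date"),
            "malicious": malicious,
            "suspicious": suspicious,
            "detection_ratio": round((malicious + suspicious) / total, 3),
            "verdict": verdict,
            "threat_label": attrs.get("popular_threat_classification", {}).get("suggested_threat_label"),
        },
    }


def enrich_hash(hash_value: str, store: dict, vt_lookup: Callable[[str], Optional[dict]],
                now: Optional[float] = None, ttl: float = TTL_SECONDS) -> Tuple[Optional[dict], str]:
    """Steps 1-5. `store` stands in for the case observable store (hash -> observable) and
    `vt_lookup` for the VirusTotal step. Returns (observable, source) with source one of
    'cache', 'virustotal' or 'not_found'."""
    now = time.time() if now is None else now
    key = normalize_hash(hash_value)
    cached = store.get(key)
    if is_fresh(cached, now, ttl):
        return cached, "cache"                       # step 2: serve from observable data
    report = vt_lookup(key)                          # step 3: query VirusTotal
    if report is None:
        # Hash unknown to VirusTotal: keep whatever (stale) data exists rather than caching a blank.
        return cached, "not_found"
    enrichment = build_enrichment(report, now)       # step 4
    observable = cached or {"name": "file.hashes", "type": "Hash",
                            "type_id": HASH_TYPE_ID, "value": key, "enrichments": []}
    observable["enrichments"] = [enrichment]         # step 5: replace stale data, don't append
    store[key] = observable
    return observable, "virustotal"


class StubVirusTotal:
    """Stand-in for the VirusTotal step: serves constructed reports and counts API calls."""
    def __init__(self, reports: dict):
        self.reports, self.calls = reports, 0

    def __call__(self, h: str) -> Optional[dict]:
        self.calls += 1
        return self.reports.get(h)


if __name__ == "__main__":
    store, vt, t0 = {}, StubVirusTotal({SAMPLE_SHA256: SAMPLE_VT_REPORT}), 1_700_000_000.0
    for offset in (0, 3600, TTL_SECONDS + 1):       # first run, within TTL, after TTL
        obs, src = enrich_hash(SAMPLE_SHA256, store, vt, now=t0 + offset)
        print(f"t+{offset:>6}s  source={src:<10} calls={vt.calls}  verdict={obs['enrichments'][0]['data']['verdict']}")
```

The stub's call counter is the point of the exercise: across the three runs it should advance only on the first call and on the one past the TTL. Replacing the enrichment list instead of appending to it keeps the observable from accumulating stale entries, and a hash VirusTotal does not know is deliberately not written back, so one negative lookup cannot mask a later positive one for the whole TTL.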

Vendors

Utils, VirusTotal, Torq Cases

Workflow Output

Hash Enrichment Converted into an OCSF-Compliant Form