Skip to main content
All CollectionsTemplatesBasic
Extract Multiple Observables - Workflow Template
Extract Multiple Observables - Workflow Template

Extracts different types of observables such as File Hashes, IP Addresses, Email Addresses, Filenames, Hostnames, URLs, and CVEs.

Updated over 6 months ago

This workflow template, "Extract Multiple Observables," is designed for threat hunting and threat intelligence enrichment by extracting and grouping various types of observables from raw text input. It applies multiple regex patterns to identify observables such as file hashes, IP addresses, emails, hostnames, URLs, and CVEs, verifying Top-Level Domains (TLDs) against the IANA's official list. The results can be output in a consolidated group by type and subtype or in a detailed, expanded list suitable for integration into Torq Cases.

Take Me to the Template

Optional Triggers

"This workflow is intended to be used as a nested function."

Use Cases

Function, Threat Hunting , Threat Intelligence Enrichment

Workflow Breakdown

  1. Receives Raw Text as input

  2. Applies multiple Regex to a single text, extracts and groups the results.

  3. Verifies TLDs against IANA TLD official list.

  4. Identify Observable types and subtypes as used in Torq Cases.

Vendors

Scripting

Workflow Output

List of observables sorted or grouped, by type and subtype.

Tips

Set Group Output to True to consolidate all observables or set it to False for a detailed, expanded output

Related Articles
Recorded Future - IoC Enrichment - Workflow Template
AlienVault Combined Observable Enrichment - Workflow Template
Search Observables by Grouped UDM Fields in Chronicle - Workflow Template
VirusTotal Combined Observable Enrichment - Workflow Template
Recorded Future Sandbox - URL Analysis with Cache - Workflow Template
Did this answer your question?