Retrieve and Normalize data on a File Hash - Workflow Template

Workflow to look up threat intelligence data from a number of sources, aggregate the threat data, and normalize a score for the provided file hash

Updated over a week ago

This Torq workflow template, "Retrieve and Normalize data on a File Hash," is designed to process file hashes received from parent workflows or other triggers. It facilitates the collection of threat intelligence from enabled sources such as VirusTotal, Recorded Future, AlienVault OTX, and others. By looping through each threat source, the workflow aggregates findings, deduplicates MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures), and calculates a normalized score to assess the threat level associated with the file hash. The workflow outputs comprehensive threat data, which can be critical for organizations to quickly identify potential threats and take appropriate action.

Optional Triggers

Webhook, Slack, Microsoft Teams

Use Cases

Threat Intelligence Enrichment

Workflow Breakdown

  1. Receive a file hash as an event from a parent workflow or other trigger

  2. Loop through the threat intelligence sources that are set to true/enabled

  3. Aggregate information that is provided from each source

  4. Collect and deduplicate MITRE ATT&CK TTPs

  5. Provide detailed findings and normalized score on the exit of the workflow

Vendors

Utils, VirusTotal, AlienVault OTX, Recorded Future, Intezer Analyze, Pangea

Workflow Output

Detailed findings of the threat data for the hash

Tips

  1. Enable the threat sources by setting the source to true in the step "Threat Intel Sources to Use"

  2. Use the workflow as a nested workflow to simplify threat lookups for hashes

  3. Use the TTPs list to create a MITRE ATT&CK Layer
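
The aggregation steps from the Workflow Breakdown and the ATT&CK layer tip, sketched in Python as an added example (this is not Torq's workflow code or the template's own logic). The per-source result fields, the score ranges, and the mean-of-rescaled-scores normalization are assumptions, since the page does not state how the template normalizes; the layer keys follow the ATT&CK Navigator layer format, with version fields omitted.

```python
import json
import re

# Constructed sample: per-source results for one hash. Field names, score
# ranges and values are assumptions for this example, not vendor API output.
SOURCES = {
    "virustotal":      {"enabled": True,  "score": 52,   "max": 70,  "ttps": ["T1059.001", "t1027"]},
    "alienvault_otx":  {"enabled": True,  "score": 3,    "max": 10,  "ttps": ["T1027", "T1105"]},
    "recorded_future": {"enabled": False, "score": 89,   "max": 100, "ttps": ["T1486"]},
    "intezer":         {"enabled": True,  "score": None, "max": 1,   "ttps": []},  # no verdict returned
}

# ATT&CK technique or sub-technique ID, e.g. T1059 or T1059.001
TTP_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

def aggregate(sources):
    """Loop over enabled sources, rescale each score to 0-100, merge TTPs."""
    scaled, ttps, used = [], set(), []
    for name, result in sources.items():
        if not result.get("enabled"):
            continue  # only sources set to true are queried
        used.append(name)
        for ttp in result.get("ttps", []):
            ttp = ttp.strip().upper()  # normalize case before deduplicating
            if TTP_RE.match(ttp):
                ttps.add(ttp)
        if result.get("score") is not None and result.get("max"):
            scaled.append(100.0 * result["score"] / result["max"])
    # Assumed normalization: mean of rescaled scores from sources that answered,
    # so a source with no verdict does not drag the score toward zero.
    score = round(sum(scaled) / len(scaled), 1) if scaled else None
    return {"sources": used, "score": score, "ttps": sorted(ttps)}

def to_navigator_layer(ttps, name="File hash enrichment"):
    """Build a minimal ATT&CK Navigator layer from the deduplicated TTPs."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": 1} for t in ttps],
    }

if __name__ == "__main__":
    findings = aggregate(SOURCES)
    print(json.dumps(findings, indent=2))
    print(json.dumps(to_navigator_layer(findings["ttps"]), indent=2))
```

A score of `None` means no enabled source returned a verdict, which is worth treating differently from a low score when the parent workflow decides what to do next.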
