This Torq workflow template, "Retrieve and Normalize data on a File Hash," is designed to process file hashes received from parent workflows or other triggers. It facilitates the collection of threat intelligence from enabled sources such as VirusTotal, Recorded Future, AlienVault OTX, and others. By looping through each threat source, the workflow aggregates findings, deduplicates MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures), and calculates a normalized score to assess the threat level associated with the file hash. The workflow outputs comprehensive threat data, which can be critical for organizations to quickly identify potential threats and take appropriate action.
Optional Triggers
Webhook, Slack, Microsoft Teams
Use Cases
Threat Intelligence Enrichment
Workflow Breakdown
Receive a file hash as an event from a parent workflow or other trigger
Loop through the threat intelligence sources that are set to true/enabled
Aggregate information that is provided from each source
Collect and deduplicate MITRE ATT&CK TTPs
Provide detailed findings and a normalized score on the exit of the workflow
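The steps above (loop over enabled sources, aggregate, deduplicate TTPs, normalize) can be illustrated with a small stand-alone script. This is an added example, not the template's own logic or any vendor's real API output: the per-source score scales, the max/mean aggregation rule and the sample source records are all assumptions constructed for illustration, and the file hash is a placeholder, not an indicator of anything.

```python
"""Illustrative aggregation of file-hash threat intel from several sources.

Constructed example: the source records, score scales and normalization
rule are assumptions for illustration, not Torq's own logic or any
vendor's real API response format.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Optional
import re

# Assumed maximum value on each vendor's own scale (hypothetical, for the
# example only). The normalized score maps each onto 0-100.
SCORE_SCALE = {
    "virustotal": 70,       # e.g. engines in a detection ratio
    "recorded_future": 99,  # 0-99 risk score
    "alienvault_otx": 10,   # pulse count capped at 10 for this example
}

# ATT&CK technique IDs look like T1059 or sub-technique T1059.003.
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")


@dataclass
class SourceResult:
    source: str
    enabled: bool           # mirrors the "set to true/enabled" toggle
    score: float            # raw score on the vendor's own scale
    ttps: list = field(default_factory=list)
    details: dict = field(default_factory=dict)


def normalize_ttp(ttp: str) -> Optional[str]:
    """Canonicalize ' t1059.003 ' -> 'T1059.003'; drop anything that is not an ID."""
    t = ttp.strip().upper()
    return t if TECHNIQUE_RE.match(t) else None


def normalize_score(result: SourceResult) -> float:
    """Clamp the vendor score to its assumed scale and map it onto 0-100."""
    scale = SCORE_SCALE.get(result.source)
    if not scale:
        raise ValueError(f"no score scale configured for {result.source}")
    return round(min(max(result.score, 0.0), scale) / scale * 100, 1)


def aggregate(file_hash: str, results: list) -> dict:
    """Loop over enabled sources, aggregate findings, dedupe TTPs, score."""
    enabled = [r for r in results if r.enabled]
    ttps = set()
    findings = {}
    for r in enabled:
        findings[r.source] = {
            "raw_score": r.score,
            "normalized_score": normalize_score(r),
            "details": r.details,
        }
        # Set membership deduplicates identical IDs across sources.
        ttps.update(t for t in (normalize_ttp(x) for x in r.ttps) if t)
    per_source = [f["normalized_score"] for f in findings.values()]
    return {
        "hash": file_hash.lower(),
        "sources_queried": sorted(findings),
        "findings": findings,
        "ttps": sorted(ttps),
        # Max is the conservative verdict; mean shows how much sources agree.
        "normalized_score": max(per_source) if per_source else 0.0,
        "mean_score": round(mean(per_source), 1) if per_source else 0.0,
    }


# Constructed sample input. The hash is a placeholder, not a real indicator.
SAMPLE_HASH = "FEEDFACE" * 8
SAMPLE_RESULTS = [
    SourceResult("virustotal", True, 42, ["T1059.003", "t1059.003", "T1027"],
                 {"malicious": 42, "total": 70}),
    SourceResult("recorded_future", True, 77, ["T1027", " T1105 ", "Phishing"],
                 {"risk_string": "Malicious"}),
    SourceResult("alienvault_otx", False, 3, ["T1566"], {"pulses": 3}),
]

if __name__ == "__main__":
    import json
    print(json.dumps(aggregate(SAMPLE_HASH, SAMPLE_RESULTS), indent=2))
```

With the sample data the disabled AlienVault OTX record is skipped, the duplicated and oddly cased technique IDs collapse to three entries, and the free-text "Phishing" tag is dropped because it is not an ATT&CK ID; the normalized score is the highest per-source value (77.8 from the Recorded Future record), which is the safer choice when one source flags a hash that others have not seen.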
Vendors
Utils, VirusTotal, AlienVault OTX, Recorded Future, Intezer Analyze, Pangea
Workflow Output
Detailed findings of the threat data for the hash
Tips
Enable the threat sources by setting the source to true in the step "Threat Intel Sources to Use"
Use the workflow as a nested workflow to simplify threat lookups for hashes
Use the TTPs list to create a MITRE ATT&CK layer