The "Retrieve and Normalize Data on a File Hash" workflow template is designed for threat intelligence enrichment of file hashes. It receives a file hash from a parent workflow or trigger, then queries multiple threat intelligence sources such as VirusTotal and Recorded Future. The workflow aggregates the findings, deduplicates the MITRE ATT&CK TTPs reported by each source, and returns detailed findings together with a normalized threat score. This lets organizations enhance their threat detection and response capabilities by leveraging comprehensive threat data from several vendors through a single lookup.
Optional Triggers
Webhook, Slack, Microsoft Teams
Use Cases
Threat Intelligence Enrichment
Workflow Breakdown
Receive a file hash as an event from a parent workflow or other trigger
Loop through the threat intelligence sources that are enabled (set to true)
Aggregate the information returned by each source
Collect and deduplicate MITRE ATT&CK TTPs
Provide detailed findings and a normalized score on exit of the workflow
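The steps above describe the aggregation logic in prose only. The following Python script is an added example, not the workflow template's own code: it loops over the sources that are toggled on, maps each source's native score onto a common 0..100 scale, collects and deduplicates the technique ids, and emits one normalized verdict. Every response shape, weight and mapping in it is a constructed assumption for illustration (the real vendor APIs return different fields), and the sample results and digest are made up.

```python
"""Added example (not the workflow template's own code): aggregate the
per-source results of a file-hash lookup into one normalized verdict.

Every response shape, scale, weight and mapping below is a constructed
assumption for illustration; the real vendor APIs return different fields.
"""
from __future__ import annotations

import re
from statistics import mean

HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")  # md5 / sha1 / sha256
TTP_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # technique or sub-technique id, e.g. T1059.001

# Constructed: mirrors the boolean toggles of the "Threat Intel Sources to Use" step.
SOURCES_ENABLED = {
    "virustotal": True,
    "alienvault_otx": True,
    "recorded_future": False,
    "intezer": True,
    "pangea": False,
}

# Constructed sample responses, already reduced to the fields this example uses.
# Each source reports on its own scale, so the raw scores cannot simply be averaged.
SAMPLE_RESULTS = {
    "virustotal": {"malicious": 49, "total": 70,
                   "ttps": ["T1059.001", "t1059.001", "T1547.001"], "label": "trojan.agent"},
    "alienvault_otx": {"pulse_count": 6, "ttps": ["T1547.001", "T1071.001"], "label": "Emotet"},
    "recorded_future": {"risk_score": 95, "ttps": ["T1486"], "label": "Emotet"},   # disabled above
    "intezer": {"verdict": "malicious", "ttps": ["T1055", "TA0002"], "label": "Emotet"},
    "pangea": {"verdict": "benign", "ttps": [], "label": None},                    # disabled above
}

# Assumed mapping of categorical verdicts onto the common scale.
VERDICT_SCORES = {"malicious": 100.0, "suspicious": 60.0, "benign": 0.0, "trusted": 0.0}


def normalize_score(source: str, result: dict) -> float | None:
    """Map one source's native scale onto 0..100; None when the source gave no verdict."""
    if source == "virustotal":            # detection ratio -> percentage
        total = result.get("total") or 0
        return 100.0 * result.get("malicious", 0) / total if total else None
    if source == "alienvault_otx":        # pulse count, saturating at five pulses
        return min(100.0, 20.0 * result.get("pulse_count", 0))
    if source == "recorded_future":       # already on a 0..99 risk scale
        return float(result["risk_score"]) if "risk_score" in result else None
    if source in ("intezer", "pangea"):   # categorical verdict
        return VERDICT_SCORES.get(str(result.get("verdict", "")).lower())
    return None


def dedupe_ttps(ttps: list[str]) -> list[str]:
    """Uppercase, drop anything that is not a technique id (e.g. tactic ids), keep one copy, sorted."""
    return sorted({t.strip().upper() for t in ttps if TTP_RE.match(t.strip().upper())})


def aggregate(file_hash: str, enabled: dict, results: dict) -> dict:
    """Loop over enabled sources, collect findings, dedupe TTPs, emit a normalized score."""
    if not HASH_RE.match(file_hash):
        raise ValueError("expected a lowercase md5/sha1/sha256 hex digest")
    findings, scores, ttps, labels = {}, [], [], set()
    for source, on in enabled.items():
        if not on or source not in results:   # disabled sources are skipped entirely
            continue
        result = results[source]
        score = normalize_score(source, result)
        findings[source] = {"raw": result, "score": score}
        if score is not None:
            scores.append(score)
        ttps.extend(result.get("ttps", []))
        if result.get("label"):
            labels.add(result["label"])
    return {
        "hash": file_hash,
        "sources": findings,
        "normalized_score": round(mean(scores), 1) if scores else None,  # mean of enabled sources
        "max_source_score": max(scores) if scores else None,            # keep the loudest voice too
        "ttps": dedupe_ttps(ttps),
        "labels": sorted(labels),
    }


if __name__ == "__main__":
    import json
    # Constructed placeholder digest, not a real sample.
    print(json.dumps(aggregate("0123456789abcdef" * 4, SOURCES_ENABLED, SAMPLE_RESULTS), indent=2))
```

Returning both the mean and the maximum per-source score is deliberate: a mean hides a single high-confidence vendor verdict among several "no data" responses, so downstream steps can branch on either value. Rejecting malformed hashes up front also keeps a bad event from generating five failed vendor calls.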
Vendors
Utils, VirusTotal, AlienVault OTX, Recorded Future, Intezer Analyze, Pangea
Workflow Output
Detailed findings of the threat data for the hash
Tips
Enable the threat sources by setting the source to true in the step "Threat Intel Sources to Use"
Use the workflow as a nested workflow to simplify threat lookups for hashes
Use the TTP list to create a MITRE ATT&CK layer
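As an added example of the last tip (not code from the workflow template), the following Python script turns the per-source TTP lists the workflow collects into an ATT&CK Navigator layer, scoring each technique by how many enabled sources reported it so the layer renders as a consensus heat map. The layer keys used are the public Navigator layer format; the version strings, colours and the sample TTP lists are assumptions constructed for this illustration.

```python
"""Added example (not the workflow template's own code): build a MITRE ATT&CK
Navigator layer from the TTPs returned per source for one hash.

The Navigator layer keys used here are the public layer format; the version
strings and colours are assumptions to adjust for your Navigator build.
"""
from __future__ import annotations

import json
import re
from collections import Counter

TTP_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # technique or sub-technique id

# Constructed: TTPs as returned by each enabled source for one hash.
TTPS_BY_SOURCE = {
    "virustotal": ["T1059.001", "T1547.001"],
    "alienvault_otx": ["T1547.001", "T1071.001"],
    "intezer": ["T1055", "t1547.001", "TA0002"],   # mixed case and a tactic id, on purpose
}


def count_ttps(ttps_by_source: dict[str, list[str]]) -> Counter:
    """Count, per technique id, how many sources reported it (one vote per source)."""
    votes: Counter = Counter()
    for ttps in ttps_by_source.values():
        seen = {t.strip().upper() for t in ttps}          # dedupe within one source first
        votes.update(t for t in seen if TTP_RE.match(t))  # drop tactic ids and junk
    return votes


def build_layer(name: str, ttps_by_source: dict[str, list[str]], description: str = "") -> dict:
    """Return a Navigator layer dict; serialize it with json.dump and open it in Navigator."""
    votes = count_ttps(ttps_by_source)
    techniques = [
        {
            "techniqueID": tid,
            "score": votes[tid],   # the gradient below colours by this value
            "comment": f"reported by {votes[tid]} of {len(ttps_by_source)} sources",
            "enabled": True,
        }
        for tid in sorted(votes)
    ]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed versions
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
        "gradient": {  # assumed colours: pale for a single source, red for consensus
            "colors": ["#ffe7d9", "#ff6666"],
            "minValue": 1,
            "maxValue": max(votes.values()) if votes else 1,
        },
        "sorting": 0,
        "hideDisabled": False,
    }


def layer_json(name: str, ttps_by_source: dict[str, list[str]], description: str = "") -> str:
    """Convenience wrapper returning the layer as a JSON string ready to save as a .json file."""
    return json.dumps(build_layer(name, ttps_by_source, description), indent=2)


if __name__ == "__main__":
    # Constructed placeholder name; in the workflow this would carry the looked-up hash.
    print(layer_json("hash lookup <sha256 placeholder>", TTPS_BY_SOURCE, "constructed sample"))
```

Scoring by source count rather than by a flat 1 per technique makes disagreement visible: a technique only one vendor attributes to the sample shows up pale, while one every enabled source agrees on is red, which is usually the better starting point for detection engineering.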
