This workflow template extracts indicators of compromise (IoCs) from raw text and enriches them for threat intelligence purposes. It identifies observables in the text (file hashes, IP addresses, domains, and URLs) and queries Recorded Future for each one, adding context that helps assess the potential threat. Intended for incident response teams, it returns the enriched IoC data as structured output for further identification and analysis of security threats.
Optional Triggers
This workflow is intended to be used as a nested workflow.
Use Cases
Function, Threat Intelligence Enrichment
Workflow Breakdown
Receives raw text as input and extracts multiple observables from it.
Checks whether the extracted observables contain file hashes, IP addresses, domains, or URLs.
For each extracted observable, queries Recorded Future for enrichment.
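The three steps above, carried out end to end as an added Python example (not the template's own scripting step and not Recorded Future's API): refang defanged text, pull out URLs, hashes, IPv4 addresses and domains with a type label, de-duplicate them, and assemble one output item per observable with an optional raw-data field. The enrichment call is stood in for by a constructed lookup table (`lookup_enrichment`, `SAMPLE_ENRICHMENT`), because the real query needs an API key and network access; its field names, the sample text and the `NOT_TLDS` denylist are all assumptions made for this example.

```python
"""Extract, classify and structure IoCs from raw text (added example).

Not code from the Torq template. The Recorded Future step is replaced by a
constructed lookup table whose field names are illustrative, not the vendor's.
"""
import ipaddress
import re
from typing import Callable, Dict, List
from urllib.parse import urlsplit

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[a-f0-9]{32,64}\b", re.I)
DOMAIN_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# Partial, constructed denylist of file extensions that otherwise look like TLDs.
NOT_TLDS = {"exe", "dll", "txt", "pdf", "doc", "docx", "xls", "xlsx", "zip",
            "ps1", "bat", "html", "htm", "log", "bin", "dat", "jpg", "png"}


def refang(text: str) -> str:
    """Undo common defanging ([.] , hxxp, [:]) so the regexes see real indicators."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", text, flags=re.I)
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    return re.sub(r"\[:\]", ":", text)


def extract_observables(text: str) -> List[Dict[str, str]]:
    """Return de-duplicated {type, value} records for URLs, hashes, IPs and domains."""
    text = refang(text)
    found: List[Dict[str, str]] = []
    seen = set()

    def add(kind: str, value: str) -> None:
        key = (kind, value.lower())
        if key not in seen:
            seen.add(key)
            found.append({"type": kind, "value": value})

    def add_ip(candidate: str) -> bool:
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ValueError:
            return False                    # not an IPv4 literal at all
        if ip.is_global:                    # drop RFC 1918, loopback, link-local
            add("ip", str(ip))
        return True

    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)]}'\"")
        add("url", url)
        host = urlsplit(url).hostname       # the URL's host is an observable too
        if host and not add_ip(host):
            add("domain", host.lower())
    rest = URL_RE.sub(" ", text)            # don't re-match URL hosts as bare domains
    for m in HASH_RE.finditer(rest):
        kind = HASH_TYPES.get(len(m.group(0)))
        if kind:                            # ignore hex runs of other lengths
            add(kind, m.group(0).lower())
    for m in IPV4_RE.finditer(rest):
        add_ip(m.group(0))
    for m in DOMAIN_RE.finditer(rest):
        dom = m.group(0)
        if dom.rsplit(".", 1)[-1].lower() not in NOT_TLDS:
            add("domain", dom.lower())
    return found


# Constructed stand-in for the Recorded Future lookup; not the vendor's schema.
SAMPLE_ENRICHMENT = {
    ("ip", "185.220.101.5"): {"risk_score": 85, "evidence": ["tor exit node", "recent c2"]},
    ("domain", "evil-domain.com"): {"risk_score": 64, "evidence": ["reported c2 domain"]},
}


def lookup_enrichment(kind: str, value: str) -> Dict:
    return SAMPLE_ENRICHMENT.get((kind, value), {"risk_score": None, "evidence": []})


def summarize(obs: Dict[str, str], raw: Dict) -> str:
    score = raw.get("risk_score")
    if score is None:
        return f"{obs['value']} ({obs['type']}): no intelligence returned"
    return f"{obs['value']} ({obs['type']}): risk {score}, {len(raw['evidence'])} evidence rule(s)"


def analyze(text: str, enrich: Callable[[str, str], Dict] = lookup_enrichment,
            provide_raw_data_analysis: bool = False) -> List[Dict]:
    """One item per observable; raw vendor data is attached only when requested."""
    results = []
    for obs in extract_observables(text):
        raw = enrich(obs["type"], obs["value"])
        item = {"observable": obs["value"], "type": obs["type"], "summary": summarize(obs, raw)}
        if provide_raw_data_analysis:
            item["raw_data"] = raw
        results.append(item)
    return results


# Constructed sample input, written the way defanged indicators appear in analyst notes.
SAMPLE_TEXT = """\
Constructed analyst note: dropper.exe (sha256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) beaconed to
hxxps://evil-domain[.]com/gate.php and 185.220.101[.]5 on port 443. Internal host
10.0.0.5 also resolved update.evil-domain[.]com. Loader MD5 d41d8cd98f00b204e9800998ecf8427e.
"""

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_TEXT, provide_raw_data_analysis=True), indent=2))
```

Two choices worth noting: private and loopback addresses are dropped before enrichment, since querying a vendor for 10.0.0.5 wastes quota and returns nothing useful, and the host of every URL is emitted as its own observable so the domain can be enriched independently of the full URL. The file-extension denylist is a pragmatic filter, not a TLD list; swap in a real public-suffix check if false positives such as `report.doc` matter in your data.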
Vendors
Scripting, Utils, Recorded Future, Torq
Workflow Output
A list of analysis results, one per observable. Each item contains a summary and can also include the original vendor analysis data.
Tips
Set "Provide Raw Data Analysis" to true to include the original vendor response in each output item, or to false to return only the summary.