Skip to main content
All CollectionsTemplatesBasic
Retrieve and Normalize data on an IP Address - Workflow Template
Retrieve and Normalize data on an IP Address - Workflow Template

Workflow to lookup threat intelligence data from a number of sources and aggregate geo data, threat data and normalize a score for the IP

Updated over a week ago

This Torq workflow template assists organizations in streamlining threat intelligence processes by ingesting an IP address event and retrieving normalized data from various threat intel sources. The workflow efficiently loops through enabled sources, aggregates findings, and deduplicates MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures), providing a comprehensive and normalized score for the IP upon completion. This valuable tool is optimal for enhancing incident response and ensuring thorough threat intelligence enrichment.

Take Me to the Template

Optional Triggers

Webhook,Slack

Use Cases

Threat Intelligence Enrichment

Workflow Breakdown

  1. Receive an IP as an event from a parent workflow or other trigger

  2. Loop through the threat intel sources that are set to true/enabled

  3. Aggregate information that is found on each source

  4. Collects and deduplicate MITRE Att&ck TTPs

  5. Provide detailed findings and normalized score on the exit of the workflow

Vendors

Utils, VirusTotal, AbuseIPDB, AlienVault OTX, Recorded Future, Pangea

Workflow Output

Detailed findings of the threat data for the IP

Tips

Enable the threat sources by setting the source to true in the step \"Threat Intel Sources to Use\"","Use the workflow as a nested workflow to simplify threat lookups for IPs

Related Articles
Retrieve and Normalize data on a Domain - Workflow Template
Retrieve and Normalize data on a File Hash - Workflow Template
AlienVault Domain Enrichment with Cache - Workflow Template
Pangea - IP Address Enrichment with Cache - Workflow Template
Shodan - IP Address Enrichment with Cache - Workflow Template
Did this answer your question?