This Torq workflow template assists organizations in streamlining threat intelligence processes by ingesting an IP address event and retrieving normalized data from various threat intel sources. The workflow efficiently loops through enabled sources, aggregates findings, and deduplicates MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures), providing a comprehensive and normalized score for the IP upon completion. This valuable tool is optimal for enhancing incident response and ensuring thorough threat intelligence enrichment.
Optional Triggers
Webhook, Slack
Use Cases
Threat Intelligence Enrichment
Workflow Breakdown
Receive an IP as an event from a parent workflow or other trigger
Loop through the threat intel sources that are set to true/enabled
Aggregate information that is found on each source
Collect and deduplicate MITRE ATT&CK TTPs across all sources
Provide the detailed findings and a normalized score when the workflow exits
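As an added illustration of the breakdown above (not code from the Torq template; the per-source result shape, the sources' score scales, the averaging formula and the sample values are all assumptions), a Python function that skips disabled sources, aggregates what each enabled source returned, deduplicates TTPs and returns a single 0-100 normalized score:

```python
# Constructed sample input. Each enabled-source step is assumed to return a
# dict with the vendor's raw score, that vendor's maximum score (vendors use
# different scales), and any ATT&CK technique IDs it reported.
SOURCES_ENABLED = {
    "virustotal": True,
    "abuseipdb": True,
    "alienvault_otx": False,       # disabled: must be skipped entirely
    "recorded_future": True,
}

SAMPLE_RESULTS = {
    "virustotal":      {"score": 7,  "max_score": 10,  "ttps": ["T1071.001", "T1105"]},
    "abuseipdb":       {"score": 85, "max_score": 100, "ttps": []},
    "alienvault_otx":  {"score": 3,  "max_score": 5,   "ttps": ["T1071"]},
    "recorded_future": {"score": 64, "max_score": 99,  "ttps": ["t1105 ", "T1566.002"]},
}


def enrich_ip(ip, enabled, results):
    """Aggregate per-source findings for one IP into a normalized verdict."""
    findings = {}
    ttps = set()
    ratios = []
    for name, is_on in enabled.items():
        if not is_on:
            continue                       # source toggled off in "Threat Intel Sources to Use"
        result = results.get(name)
        if not result or not result.get("max_score"):
            continue                       # source errored or returned nothing usable
        findings[name] = result
        ratios.append(result["score"] / result["max_score"])
        # Deduplicate TTPs case-insensitively and ignore stray whitespace.
        ttps.update(t.strip().upper() for t in result.get("ttps", []))
    # Assumed normalization: mean of each vendor's score-to-max ratio, scaled to 0-100.
    normalized = round(100 * sum(ratios) / len(ratios)) if ratios else None
    return {
        "ip": ip,
        "sources_queried": sorted(findings),
        "ttps": sorted(ttps),
        "normalized_score": normalized,
        "findings": findings,
    }


def run_sample():
    # 198.51.100.7 is a documentation-range address used as a constructed sample.
    return enrich_ip("198.51.100.7", SOURCES_ENABLED, SAMPLE_RESULTS)


if __name__ == "__main__":
    print(run_sample())
```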
Vendors
Utils, VirusTotal, AbuseIPDB, AlienVault OTX, Recorded Future, Pangea
Workflow Output
Detailed findings of the threat data for the IP
Tips
Enable the threat sources by setting the source to true in the step "Threat Intel Sources to Use"
Use the workflow as a nested workflow to simplify threat lookups for IPs