This workflow automates URL threat intelligence analysis by using Recorded Future Sandbox together with a local cache to avoid redundant work. When a URL is submitted, the workflow first checks whether reputation data for it has already been stored in the cache within the past 24 hours; if so, no re-analysis is performed. If the data is not cached, the URL is sent for a fresh analysis, and the resulting summary (Mitre TTPs, malware family, and the observable's type and subtype) is stored in the local cache for future lookups. This streamlines threat intelligence enrichment and keeps sandbox usage efficient through the caching mechanism.
Optional Triggers
"This workflow is intended to be used as a function."
Use Cases
Function, Threat Intelligence Enrichment
Workflow Breakdown
Receives a URL from a parent workflow.
Looks up global variables to see if the URL's reputation has been saved in the past 24 hours.
If analysis data is found in the local cache, the saved data is returned to the parent workflow.
When the URL is not found in the cache and there is no previous analysis, the URL is submitted for analysis.
A summary of the analysis data is created and saved together with the original API data.
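The cache-then-analyze logic of the steps above, as an added example that is not the workflow's own code or Recorded Future's API: the cache dictionary stands in for Torq global variables, `submit_for_analysis` is an assumed callable standing in for the sandbox submission, and the sample result is constructed. The "Provide Raw Data Analysis" toggle from the Tips section is modelled as the `provide_raw` flag.

```python
from datetime import datetime, timedelta, timezone

CACHE_TTL = timedelta(hours=24)  # cache entries older than this are re-analyzed

# Constructed sample of a sandbox result; field names are assumptions, not the vendor's schema.
SAMPLE_RESULT = {
    "mitre_ttps": ["T1566.002", "T1204.001"],
    "malware_family": "ExampleLoader",
    "subtype": "phishing",
}

def summarize(raw: dict) -> dict:
    """Reduce a raw analysis result to the fields the workflow returns."""
    return {
        "mitre_ttps": sorted(raw.get("mitre_ttps", [])),
        "malware_family": raw.get("malware_family"),
        "observable_type": "url",
        "observable_subtype": raw.get("subtype"),
    }

def enrich_url(url, cache, submit_for_analysis, now, provide_raw=False):
    """Return the summary for `url`, reusing a cache entry if it is under 24h old."""
    entry = cache.get(url)
    if entry and now - entry["analyzed_at"] <= CACHE_TTL:
        result = dict(entry["summary"], cached=True)
    else:
        raw = submit_for_analysis(url)  # fresh analysis only on a cache miss or stale entry
        entry = {"analyzed_at": now, "summary": summarize(raw), "raw": raw}
        cache[url] = entry  # save summary together with the original API data
        result = dict(entry["summary"], cached=False)
    if provide_raw:
        result["raw"] = entry["raw"]  # optionally include the vendor's original data
    return result

def demo():
    """Three lookups of one URL: miss, hit within 24h, miss again after expiry."""
    calls = []
    def fake_sandbox(url):  # stand-in that records how often analysis is requested
        calls.append(url)
        return dict(SAMPLE_RESULT)
    cache = {}
    url = "https://example.test/login"  # constructed sample URL
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    first = enrich_url(url, cache, fake_sandbox, t0)
    second = enrich_url(url, cache, fake_sandbox, t0 + timedelta(hours=23))
    third = enrich_url(url, cache, fake_sandbox, t0 + timedelta(hours=25), provide_raw=True)
    return first, second, third, len(calls)
```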
Vendors
Utils, Torq, Recorded Future Sandbox
Workflow Output
The output contains a Mitre TTPs summary, the malware family, and the observable's type and subtype, as used in Torq Cases.
Tips
Set "Provide Raw Data Analysis" to true or false to include or omit the original vendor data in the output.