
Subflow 3 - Enrich Observables

The Subflow 3 - Enrich Observables workflow systematically parses, manages, and stores observables from incoming alerts, such as IP addresses, email addresses, and domains. It transforms raw data into clean, usable information for downstream actions like deduplication, enrichment, or threat analysis. As part of the "On New Table Record - Process Alert" workflow, it feeds enriched observables into Subflow 2.2 - Check for Case Duplicates to determine whether to create or update a case. This ensures accurate, reliable data for effective case management and threat analysis.


How It Works:

Subflow 3 - Enrich Observables is a key part of the "On New Table Record - Process Alert" automated workflow and improves the quality of the observables extracted from incoming alerts. After Subflow 1 - Extract Observables pulls the relevant data points (e.g., IP addresses, email addresses, file hashes) from the raw alert payload, this subflow processes them further. It normalizes each observable (for example, converting text to lowercase for consistency) and applies a predefined template to extract specific patterns such as URLs or email addresses, so that the observables are ready for tasks like deduplication and analysis.

Example of Extracted Observables:

  • Alert Data: The alert contains the observable IP Address: 192.168.1.1 and File Hash: SHA256: abc123....
  • Enrichment Process: The subflow normalizes these observables and stores them in the database. It also checks for duplicates and ensures that only unique and actionable observables are retained. Any redundant data is removed before it is passed on to the next step in the workflow.

After extraction, the observables are filtered to remove duplicates so that only unique values remain. This enriched, filtered list is then stored in the database and made available to later steps such as deduplication, case creation, or threat analysis.
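The steps described above (pattern-based extraction, lowercase normalization, and removal of duplicates before storage) can be illustrated with a small standalone parser. The following is an added example written for this page; it is not the product's own subflow code, and the regex template, the `Observable` type, and the sample alert text (including the made-up SHA256 value) are assumptions constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Observable:
    kind: str   # "email", "url", "sha256", "ipv4" or "domain"
    value: str  # normalized value, used as the deduplication key


# Extraction template (assumed for this example; the product's own template is
# not shown on the page). Order matters: richer patterns run first and their
# matches are masked out of the text, so the domain rule never re-extracts the
# host part of an email address or URL that was already captured.
_PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]{2,}")),
    ("url", re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)),
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")),
]


def normalize(kind, raw):
    """Return the canonical form of one observable, or None if it is invalid."""
    value = raw.strip().rstrip(".,;:)")  # drop punctuation that trails prose
    if kind == "ipv4":
        try:
            return str(ipaddress.IPv4Address(value))  # rejects octets above 255
        except ValueError:
            return None
    if kind == "url":
        # Lowercase only scheme and host; the path may be case-sensitive.
        scheme, _, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower()}{slash}{path}"
    # Emails, domains and hashes are treated case-insensitively, as the page
    # describes (lowercase for consistency).
    return value.lower()


def extract_observables(text):
    """Parse, normalize and deduplicate observables from an alert payload.

    Returns unique Observable records in first-seen order; invalid values
    (such as an IPv4 address with an octet above 255) are dropped.
    """
    seen = set()
    result = []
    working = text
    for kind, pattern in _PATTERNS:
        for match in pattern.finditer(working):
            value = normalize(kind, match.group(0))
            if value is None:
                continue
            obs = Observable(kind, value)
            if obs not in seen:  # deduplicate on (kind, normalized value)
                seen.add(obs)
                result.append(obs)
        # Mask consumed spans so lower-priority rules do not re-match them.
        working = pattern.sub(lambda m: " " * len(m.group(0)), working)
    return result


# Constructed sample alert text (not from the page); the hash is a made-up value
# and the same IP and email appear twice in different casing to show deduplication.
SAMPLE_ALERT = (
    "Suspicious login from IP Address: 192.168.1.1, sender Alice@Example.COM, "
    "payload SHA256: " + "ab" * 32 + ". Callback to http://Evil.Example.com/Login; "
    "resolved c2.Example.NET; seen again from 192.168.1.1 and ALICE@example.com; "
    "bad octet 999.1.1.1"
)


if __name__ == "__main__":
    for obs in extract_observables(SAMPLE_ALERT):
        print(f"{obs.kind:7} {obs.value}")
```

Running the module prints one line per unique observable: the email, the URL, the hash, the single IP address, and the standalone domain; the repeated IP and the differently-cased email collapse into one record each, and the malformed `999.1.1.1` is rejected by the validation step rather than stored.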