Detailed Explanation of Subflow 3 - Enrich Observables
The Subflow 3 - Enrich Observables workflow parses, normalizes, and stores the observables carried by incoming alerts, such as IP addresses, email addresses, file hashes, and domains. It turns raw alert text into clean, consistently formatted values that downstream actions (deduplication, enrichment, threat analysis) can rely on. As part of the “On New Table Record - Process Alert” workflow, it hands the enriched observables to Subflow 2.2 - Check for Case Duplicates, which decides whether to create a new case or update an existing one. Accurate, normalized observables at this stage are what make that case-matching decision and the later analysis reliable.
Subflow 3 - Enrich Observables is a key stage of the “On New Table Record - Process Alert” automated workflow, improving the quality of the observables extracted from incoming alerts. After Subflow 1 - Extract Observables pulls the relevant data points (e.g., IP addresses, email addresses, file hashes) out of the raw alert payload, this subflow processes them further. It normalizes each observable, for example by converting text to lowercase so that differently cased copies of the same value compare equal, and applies a predefined template of patterns to pick out specific observable types such as URLs or email addresses, so the observables are ready for tasks like deduplication and analysis.
For example, an alert body containing the text “IP Address: 192.168.1.1 and File Hash: SHA256: abc123...” yields the IP address and the file hash as two separate, typed observables. After extraction, the observables are filtered so that each unique value appears only once; because the comparison is made on the normalized form, two spellings of the same value that differ only in case collapse into one entry. This enriched and filtered list is then stored in a database and made available to the following steps: case deduplication in Subflow 2.2 - Check for Case Duplicates, case creation, or threat analysis.
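The extract-normalize-deduplicate sequence described above, written out as an added example. This is illustrative code, not the workflow's own implementation: the regular-expression “template”, the observable type names (url, email, ipv4, domain, md5/sha1/sha256), the sample alert text, and the function names are all assumptions made here. Beyond the page's IP-and-hash example it also handles URLs, email addresses, domains, and two edge cases a practitioner will hit immediately: dotted quads that are not valid addresses (an octet above 255) and URLs, where only the scheme and host may be lowercased because the path and query are case-sensitive.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample alert text (illustrative only, not from a real system).
SAMPLE_ALERT = """\
Alert 1042: suspicious sign-in from IP Address: 192.168.1.1 by User: Bob.Smith@Example.COM
Outbound request to https://Malicious.Example.net/Login?id=7, then https://malicious.example.net/Login?id=7.
File Hash: SHA256: E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
Also seen: 192.168.1.1, 999.1.1.1 (not a valid address), bob.smith@example.com,
and MD5 d41d8cd98f00b204e9800998ecf8427e from host cdn.Example.net.
"""

# Hypothetical extraction template: one pattern per observable type.
# URLs and e-mails are matched first and masked out so the looser IP and
# domain patterns cannot re-match fragments inside them (e.g. "Bob.Smith").
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Longest digest first so a SHA-256 is never reported as an MD5-sized substring.
HASH_RE = re.compile(r"\b(?:[A-Fa-f0-9]{64}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{32})\b")
DOMAIN_RE = re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
TRAILING_PUNCT = ".,;:)]}'\""


def normalize_url(raw: str) -> str:
    """Lower-case only the scheme and host; path and query are case-sensitive."""
    parts = urlsplit(raw.rstrip(TRAILING_PUNCT))
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path, parts.query, parts.fragment))


def normalize_ipv4(raw: str) -> Optional[str]:
    """Reject dotted quads with an octet above 255 and drop leading zeros."""
    octets = [int(o) for o in raw.split(".")]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def enrich_observables(alert_text: str) -> Dict[str, List[str]]:
    """Extract, normalize and de-duplicate observables from raw alert text.

    Returns a mapping of observable type -> unique normalized values in the
    order they were first seen. Duplicates are detected on the normalized
    form, so "Example.COM" and "example.com" count as one observable.
    """
    found: Dict[str, List[str]] = {}

    def add(kind: str, value: Optional[str]) -> None:
        # Skip rejected values (None) and values already recorded for this type.
        if value and value not in found.setdefault(kind, []):
            found[kind].append(value)

    work = alert_text
    for m in URL_RE.findall(work):
        url = normalize_url(m)
        add("url", url)
        add("domain", urlsplit(url).hostname)   # host of the URL is its own observable
    work = URL_RE.sub(" ", work)
    for m in EMAIL_RE.findall(work):
        email = m.lower()
        add("email", email)
        add("domain", email.split("@", 1)[1])   # sender/recipient domain
    work = EMAIL_RE.sub(" ", work)

    for m in IPV4_RE.findall(work):
        add("ipv4", normalize_ipv4(m))
    for m in HASH_RE.findall(work):
        add(HASH_NAMES[len(m)], m.lower())      # classify digest by length
    for m in DOMAIN_RE.findall(work):
        add("domain", m.lower().rstrip("."))
    return found


if __name__ == "__main__":
    for kind, values in enrich_observables(SAMPLE_ALERT).items():
        print(f"{kind}: {values}")
```

Running it on SAMPLE_ALERT reports one URL (the two differently cased, differently punctuated copies collapse to https://malicious.example.net/Login?id=7), one email address, one IPv4 address (192.168.1.1 appears twice and 999.1.1.1 is rejected), one SHA-256, one MD5, and three domains. Masking consumed spans before running the looser patterns is what keeps the domain regex from reporting the local part of an email address as a domain; the same ordering trick applies when adding further types to the template.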