IOC Enrichment Workflows
The IOC Enrichment process enriches observables and keeps that enrichment current. This phase is fully customizable for each customer, allowing adjustments based on their specific toolset and preferred enrichment methods. It consists of vendor-specific Subflows, which can be selected or tailored per customer, and two main workflows that perform the same function but run at different intervals and on different sets of observables.
Both the Main - Daily - Enrichment Maintenance and Main - New Enrichment workflows follow the same core logic; they differ only in the filtering applied in the initial steps (the first selects observables that have never been enriched, the second selects observables attached to open or recently closed cases). Both workflows operate through three loops, handling Users, Devices, and IOCs. For IOCs, a Select Case step determines the appropriate enrichment Subflow based on the IOC type. For Users and Devices, the relevant Subflow is triggered for each item individually. Each loop is wrapped in a Try-Catch block, so a failing lookup for one observable does not abort the rest of the loop.
Main - New Enrichment
This workflow is designed to identify observables that have not yet been enriched and perform the necessary enrichment tasks. It systematically processes each observable, ensuring that the correct subflows are triggered based on the type of observable (Users, Devices, or IOCs).
Main - Daily - Enrichment Maintenance
The "Main - Daily - Enrichment Maintenance" workflow performs two key queries: one to retrieve all open cases and another to gather cases that were closed within the past 7 days. A Python script then compiles and aggregates the observables from these cases, producing a consolidated list of unique observables across all cases, so that an observable shared by several cases is enriched once rather than once per case. The 7-day window bounds the daily workload; observables that appear only on cases closed earlier than that drop out of maintenance until they reappear on a new case.
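The aggregation step described above, written out as an added example. This is not the platform's own Python step: the case record layout (`case_id`, `status`, `closed_at`, a list of `observables` with `type` and `value`), the fixed "now" timestamp and the sample cases are all constructed for the example. It emulates the two queries (open cases plus cases closed within 7 days), de-duplicates observables across cases by normalized (type, value), and splits the result into the three buckets the Users, Devices and IOCs loops consume.

```python
"""Aggregate unique observables across open and recently closed cases.

Added example, not the workflow's own Python step. Case field names and the
sample data below are assumptions made for the example.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (assumption, not the platform's clock).
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
CLOSED_WINDOW = timedelta(days=7)

# Constructed sample cases (not real data). C-1 is open, C-2 closed inside the
# window, C-3 closed outside it. The hash on C-1 and C-2 is the same value in
# different letter case.
SAMPLE_CASES = [
    {"case_id": "C-1", "status": "open", "closed_at": None,
     "observables": [
         {"type": "user", "value": "jdoe"},
         {"type": "hash", "value": "44D88612FEA8A8F36DE82E1278ABB02F"},
         {"type": "ip", "value": "203.0.113.10"},
     ]},
    {"case_id": "C-2", "status": "closed", "closed_at": "2024-06-12T08:00:00Z",
     "observables": [
         {"type": "hash", "value": " 44d88612fea8a8f36de82e1278abb02f "},
         {"type": "device", "value": "WS-0042"},
     ]},
    {"case_id": "C-3", "status": "closed", "closed_at": "2024-05-01T08:00:00Z",
     "observables": [{"type": "ip", "value": "198.51.100.7"}]},
]

# Observable types whose values are case-insensitive; IPs, URLs and domains are left untouched.
CASE_INSENSITIVE_TYPES = {"hash", "user", "device"}


def parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" from Python 3.11, so map it to an offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def select_cases(cases, now=NOW, window=CLOSED_WINDOW):
    """Emulate the workflow's two queries: all open cases plus cases closed within `window`."""
    cutoff = now - window
    selected = []
    for case in cases:
        if case["status"] == "open":
            selected.append(case)
        elif case["status"] == "closed" and case["closed_at"] and parse_ts(case["closed_at"]) >= cutoff:
            selected.append(case)
    return selected


def normalize(obs):
    """Key an observable by (type, normalized value) so duplicates collapse across cases."""
    value = obs["value"].strip()
    if obs["type"] in CASE_INSENSITIVE_TYPES:
        value = value.lower()
    return obs["type"], value


def aggregate_observables(cases):
    """Consolidate observables from all selected cases into one list of unique entries.

    Each entry keeps the list of case IDs it was seen on, which the enrichment
    subflows can use to write results back to every affected case.
    """
    unique = {}
    for case in cases:
        for obs in case["observables"]:
            key = normalize(obs)
            entry = unique.setdefault(key, {"type": key[0], "value": key[1], "cases": []})
            if case["case_id"] not in entry["cases"]:
                entry["cases"].append(case["case_id"])
    return list(unique.values())


def bucket_for_loops(observables):
    """Split the unique list into the three loops the main workflows run over."""
    buckets = {"users": [], "devices": [], "iocs": []}
    for obs in observables:
        if obs["type"] == "user":
            buckets["users"].append(obs)
        elif obs["type"] == "device":
            buckets["devices"].append(obs)
        else:
            buckets["iocs"].append(obs)
    return buckets


if __name__ == "__main__":
    unique = aggregate_observables(select_cases(SAMPLE_CASES))
    for name, items in bucket_for_loops(unique).items():
        print(name, [(o["value"], o["cases"]) for o in items])
```

Normalization matters here: without it the upper- and lower-case copies of the same hash would be enriched twice and could end up with different verdicts on different cases.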
Custom Use Case Example: "Enrich - Hash via VirusTotal Workflow"
This custom workflow example demonstrates how VirusTotal is used to enrich a file-hash IOC; the same pattern applies to other observable types VirusTotal supports, such as IP addresses. The workflow begins by querying VirusTotal for the hash. If a result is found, the system updates the IOC (Indicator of Compromise) based on the returned data: a Python step assigns a verdict to the IOC (Unknown, Benign, Suspicious, or Malicious) from the details retrieved, and the IOC is updated accordingly. If VirusTotal has no record of the hash, the IOC keeps the Unknown verdict; absence of a record is not evidence that the file is benign. Note that the lookup discloses the hash to a third party, so the Select Case step should route only IOC types the customer is willing to share to this Subflow.
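The verdict step described above, as an added example that is not the workflow's own code or VirusTotal's client library. It reads the `data.attributes.last_analysis_stats` block of a VirusTotal v3 `GET /api/v3/files/{hash}` response (that layout and the `x-apikey` header are VirusTotal's documented API; the detection-count thresholds, the `looks_like_hash` pre-check and the sample responses are assumptions made for the example). A 404 from VirusTotal is mapped to `None`, which yields the Unknown verdict rather than Benign.

```python
"""Assign a verdict to a hash IOC from a VirusTotal v3 file report.

Added example, not the page's workflow. Thresholds and sample reports are
constructed; only the response layout and API endpoint follow VirusTotal's
public v3 API.
"""
import json
import re
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Assumed thresholds: tune per customer. A handful of engines flagging a file
# is strong evidence; a single "suspicious" or "malicious" hit is worth a look.
MALICIOUS_MIN = 5
SUSPICIOUS_MIN = 1

HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")  # MD5, SHA-1, SHA-256


def looks_like_hash(value: str) -> bool:
    """Guard for the Select Case routing: only hex MD5/SHA-1/SHA-256 values belong in this subflow."""
    return bool(HASH_RE.match(value.strip()))


def fetch_file_report(file_hash: str, api_key: str):
    """Query VirusTotal for a hash. Returns the parsed JSON, or None when VT has no record (HTTP 404).

    Not exercised by the offline example below; any other HTTP error is raised to the
    surrounding Try-Catch so the loop records a failure instead of a false verdict.
    """
    req = urllib.request.Request(VT_FILES_URL + file_hash.strip().lower(),
                                 headers={"x-apikey": api_key, "accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def verdict_from_report(report) -> str:
    """Map a VT file report (or None) to one of Unknown / Benign / Suspicious / Malicious."""
    if report is None:
        return "Unknown"  # no VT record: not evidence of anything
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats")
    if not stats:
        return "Unknown"
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    scanned = malicious + suspicious + int(stats.get("harmless", 0)) + int(stats.get("undetected", 0))
    if scanned == 0:
        return "Unknown"  # record exists but no engine has scanned it yet
    if malicious >= MALICIOUS_MIN:
        return "Malicious"
    if malicious + suspicious >= SUSPICIOUS_MIN:
        return "Suspicious"
    return "Benign"


def build_ioc_update(ioc: dict, report) -> dict:
    """Fields the 'update IOC' step would write: the verdict plus the evidence behind it."""
    if not looks_like_hash(ioc["value"]):
        raise ValueError(f"not a hash IOC, should not reach this subflow: {ioc['value']!r}")
    update = {"value": ioc["value"].strip().lower(), "verdict": verdict_from_report(report), "source": "virustotal"}
    if report is not None:
        attrs = report["data"]["attributes"]
        update["detections"] = dict(attrs.get("last_analysis_stats", {}))
        update["reference"] = "https://www.virustotal.com/gui/file/" + report["data"]["id"]
    return update


# Constructed sample responses (the id is the well-known EICAR test file SHA-256; the counts are made up).
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def sample_report(malicious, suspicious, harmless, undetected):
    return {"data": {"id": EICAR_SHA256, "type": "file", "attributes": {
        "last_analysis_stats": {"malicious": malicious, "suspicious": suspicious,
                                "harmless": harmless, "undetected": undetected, "timeout": 0}}}}


if __name__ == "__main__":
    for label, rep in [("flagged", sample_report(58, 0, 0, 5)), ("borderline", sample_report(2, 1, 0, 60)),
                       ("clean", sample_report(0, 0, 60, 10)), ("unscanned", sample_report(0, 0, 0, 0)), ("missing", None)]:
        print(label, build_ioc_update({"type": "hash", "value": EICAR_SHA256}, rep)["verdict"])
```

Keeping `detections` and `reference` on the IOC alongside the verdict lets an analyst see why a Suspicious verdict was assigned without re-querying, and lets the daily maintenance run detect when the counts have moved.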