
Enrichment Workflows

The Enrichment process enriches observables and keeps that enrichment current. This phase is fully customizable for each customer, allowing adjustments based on their specific toolset and preferred enrichment methods. It consists of vendor-specific Subflows, which can be selected or tailored per customer.

Custom Use Case Example: "Enrich - Hash-VT"

This custom-built workflow example demonstrates how VirusTotal is used to enrich observables such as IP addresses or file hashes. The workflow begins by querying VirusTotal for information. If a result is found, the system updates the IOC (Indicator of Compromise) based on the returned data. The enrichment includes a Python step that assigns a verdict to the IOC (Unknown, Benign, Suspicious, or Malicious), depending on the details retrieved, and updates the IOC accordingly.
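The verdict step of such a flow, written here as an added example rather than the workflow's own Python step: it assumes the VirusTotal API v3 file object shape (data.attributes.last_analysis_stats), uses illustrative thresholds, and replaces the live VirusTotal query with constructed responses so it runs offline.

```python
"""Added example, not the page's own workflow code: the verdict step of an
"Enrich - Hash-VT" style flow over constructed VirusTotal-shaped data. Assumes
the VirusTotal API v3 file object shape (data.attributes.last_analysis_stats);
thresholds are illustrative and tuned per customer; no network call is made."""
from typing import Any, Dict, Optional


def _vt_object(**counts: int) -> Dict[str, Any]:
    """Wrap engine counts in the v3 response envelope (constructed data)."""
    return {"data": {"attributes": {"last_analysis_stats": counts}}}


# Stand-in for the VirusTotal lookup; a hash missing from this table models one
# VirusTotal has never seen (HTTP 404 in the real API), so lookup returns None.
CONSTRUCTED_RESPONSES: Dict[str, Dict[str, Any]] = {
    "placeholder-hash-clean": _vt_object(harmless=8, malicious=0, suspicious=0, undetected=62),
    "placeholder-hash-grey": _vt_object(harmless=3, malicious=1, suspicious=1, undetected=65),
    "placeholder-hash-bad": _vt_object(harmless=0, malicious=58, suspicious=2, undetected=10),
}


def lookup_virustotal(file_hash: str) -> Optional[Dict[str, Any]]:
    return CONSTRUCTED_RESPONSES.get(file_hash)


def assign_verdict(response: Optional[Dict[str, Any]],
                   malicious_min: int = 5, suspicious_min: int = 1) -> str:
    """Map engine counts to Unknown/Benign/Suspicious/Malicious. No result or a
    malformed object is Unknown, not Benign, so a failed lookup never clears an IOC."""
    try:
        stats = response["data"]["attributes"]["last_analysis_stats"]
        malicious, suspicious = int(stats["malicious"]), int(stats["suspicious"])
    except (TypeError, KeyError, ValueError):
        return "Unknown"
    if malicious >= malicious_min:
        return "Malicious"
    if malicious + suspicious >= suspicious_min:
        return "Suspicious"
    return "Benign"


def enrich_ioc(ioc: Dict[str, Any]) -> Dict[str, Any]:
    """Query, set the verdict, and attach returned data only when a result exists."""
    response = lookup_virustotal(ioc["value"])
    updated = dict(ioc, verdict=assign_verdict(response))
    if response is not None:
        updated["enrichment"] = {"source": "VirusTotal",
                                 "stats": response["data"]["attributes"]["last_analysis_stats"]}
    return updated
```

In the real flow, `lookup_virustotal` would be the VirusTotal subflow's output and `enrich_ioc` would write back to the case's IOC record.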


Subflow-Update Enrichment Data

This workflow is designed to keep enrichment data for specific observables accurate and current, supporting effective incident analysis. By automating the retrieval, processing, and updating of enrichment data, this workflow ensures that high-quality, actionable data is always available and up-to-date.
