v9.0

The Enrichment process is designed to enrich observables and keep that enrichment current. This phase is fully customizable for each customer, allowing adjustments based on their specific toolset and preferred enrichment methods. It consists of vendor-specific Subflows, which can be selected or tailored per customer.

Note: This workflow is provided as a basic skeleton template and is designed to be fully customizable to suit your specific needs. Customization of the workflow will be required to align it with your exact requirements, and any adjustments made to the workflow will be the responsibility of the user.

Custom Use Case Example: “Enrich - Hash-VT”

This custom-built workflow example demonstrates how VirusTotal is used to enrich observables such as file hashes. The workflow begins by querying VirusTotal with the hash taken from the alert payload. If a result is found, the system updates the IOC (Indicator of Compromise) based on the returned data. The enrichment includes a Python step that assigns a verdict to the IOC (Unknown, Benign, Suspicious, or Malicious), depending on the details retrieved, and updates the IOC accordingly.
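The verdict-assignment step of such a workflow, as an added illustration rather than the product's own Python step: it reads the detection counters from a VirusTotal v3 file-object response (the `data.attributes.last_analysis_stats` shape), treats a missing result as Unknown, and applies engine-count thresholds that are assumptions to be tuned per customer.

```python
from typing import Optional

# Assumed thresholds (not from the workflow): tune per customer policy.
MALICIOUS_MIN_ENGINES = 5
SUSPICIOUS_MIN_ENGINES = 1


def extract_stats(vt_response: Optional[dict]) -> Optional[dict]:
    """Pull the detection counters out of a VT v3 file-object response.
    Returns None when VirusTotal had no record of the hash (query step
    returned nothing, e.g. a 404 NotFoundError)."""
    if not vt_response:
        return None
    return (vt_response.get("data", {})
                       .get("attributes", {})
                       .get("last_analysis_stats"))


def assign_verdict(stats: Optional[dict]) -> str:
    """Map engine counts to Unknown / Benign / Suspicious / Malicious."""
    if stats is None:
        return "Unknown"          # no data: do not call it benign
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    if malicious >= MALICIOUS_MIN_ENGINES:
        return "Malicious"
    if malicious + suspicious >= SUSPICIOUS_MIN_ENGINES:
        return "Suspicious"
    return "Benign"


def enrich_ioc(ioc: dict, vt_response: Optional[dict]) -> dict:
    """Return an updated copy of the IOC record with verdict and raw stats."""
    stats = extract_stats(vt_response)
    updated = dict(ioc)
    updated["verdict"] = assign_verdict(stats)
    updated["vt_stats"] = stats or {}
    return updated


# Constructed samples: a widely detected hash and a hash VT has never seen.
SAMPLE_HIT = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 42, "suspicious": 1, "harmless": 0, "undetected": 20}}}}
SAMPLE_MISS = None

if __name__ == "__main__":
    ioc = {"value": "<sha256 placeholder>", "type": "hash"}
    print(enrich_ioc(ioc, SAMPLE_HIT)["verdict"])   # Malicious
    print(enrich_ioc(ioc, SAMPLE_MISS)["verdict"])  # Unknown
```

The distinction between Unknown and Benign matters for analysts: a hash with no VirusTotal record has not been cleared, only not yet seen.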

Subflow-Update Enrichment Data

This workflow is designed to keep enrichment data for specific observables accurate and current, supporting effective incident analysis. By automating the retrieval, processing, and updating of enrichment data, this workflow ensures that high-quality, actionable data is always available and up-to-date.