Update observable with lookup result activity

The Threat Intelligence Orchestration - Update observable with lookup result workflow activity updates the observable record and logs useful information about the lookup result. If an observable record does not exist, it creates a new observable.

When triggered by the Threat Intelligence Orchestration - Run IoC Lookup workflow, this activity updates an existing observable with the new Sighting count, adds a note, and reactivates any of its indicators that are inactive. The Encountered count and Last seen date on the indicator are also updated.

If no correlating observable exists, the workflow creates a new observable with an indicator. In that case the activity:

  • Runs the IoC lookups.
  • Creates a new observable.
  • Creates an indicator for the observable.
  • Adds a Sighting count to the observable.
  • Adds an Encountered count and Last seen date to the indicator.
  • Adds a message indicating from which lookup it was created.
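The update-or-create behaviour described above, modelled as an added Python example (this is illustration code, not the activity's own script or the ServiceNow tables; the record classes, the in-memory store, the LookupResult fields and the scan identifiers are all constructed assumptions). It shows the two paths side by side: an existing observable gets its Sighting count raised, a note added and any inactive indicator reactivated, while a missing observable is created with an indicator and a note naming the lookup that created it; in both paths the indicator's Encountered count and Last seen date are updated, and the wrapper returns True or False like the activity's output variables.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Indicator:
    """Indicator attached to an observable (hypothetical model, not the platform table)."""
    active: bool = True
    encountered_count: int = 0
    last_seen: Optional[datetime] = None


@dataclass
class Observable:
    """Observable record with its Sighting count, indicators and notes (hypothetical model)."""
    value: str
    sighting_count: int = 0
    indicators: List[Indicator] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


@dataclass
class LookupResult:
    """Result handed over by the IoC lookup; field names are assumptions for this example."""
    scan_id: str      # the activity's scanID input
    value: str        # observable value the lookup was run for
    source: str       # which lookup produced the result
    sightings: int    # sightings reported by the lookup
    seen_at: str      # ISO 8601 timestamp of the latest sighting


class ObservableStore:
    """In-memory stand-in for the observable table, keyed by observable value."""

    def __init__(self) -> None:
        self._records: Dict[str, Observable] = {}

    def find(self, value: str) -> Optional[Observable]:
        return self._records.get(value)

    def insert(self, record: Observable) -> None:
        self._records[record.value] = record


def apply_lookup_result(store: ObservableStore, result: LookupResult) -> Tuple[Observable, bool]:
    """Update the correlating observable, or create one if none exists.

    Returns the record and whether it was newly created.
    """
    if result.sightings < 0:
        raise ValueError("sighting count cannot be negative")
    seen_at = datetime.fromisoformat(result.seen_at)

    record = store.find(result.value)
    created = record is None
    if created:
        # No correlating observable: create it with one indicator and
        # record which lookup it was created from.
        record = Observable(value=result.value, indicators=[Indicator()])
        record.notes.append(f"Created from lookup {result.source} (scan {result.scan_id})")
        store.insert(record)

    # Existing and new observables alike get the new Sighting count and a note.
    record.sighting_count += result.sightings
    record.notes.append(
        f"Scan {result.scan_id} ({result.source}): {result.sightings} sighting(s)"
    )
    for indicator in record.indicators:
        if not indicator.active:
            indicator.active = True
            record.notes.append(f"Indicator reactivated by scan {result.scan_id}")
        indicator.encountered_count += 1
        indicator.last_seen = seen_at
    return record, created


def update_observable_activity(store: ObservableStore, result: LookupResult) -> bool:
    """Activity wrapper: True when the update or creation succeeded, False otherwise."""
    try:
        apply_lookup_result(store, result)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: first lookup creates the observable, second one updates it.
    demo_store = ObservableStore()
    first = LookupResult("scan-0001", "198.51.100.7", "constructed-lookup", 3, "2024-01-01T00:00:00+00:00")
    print(update_observable_activity(demo_store, first), demo_store.find("198.51.100.7"))
    second = LookupResult("scan-0002", "198.51.100.7", "constructed-lookup", 2, "2024-01-02T00:00:00+00:00")
    print(update_observable_activity(demo_store, second), demo_store.find("198.51.100.7"))
```

Running the module prints the record after each path; the sample values (the 198.51.100.7 documentation address and the scan identifiers) are constructed and carry no meaning beyond the example.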

Input variables

Input variables determine the initial behavior of the activity.

Table 1. Input variables

Variable           Description
scanID [string]    Lookup identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables

Variable    Description
True        Update or creation of the observable succeeded.
False       Update or creation of the observable failed.