Threat Intelligence - Run IoC Lookup workflow

The Threat Intelligence - Run IoC Lookup workflow can populate a lookup with an observable, perform an IoC lookup, update an observable with results, and more. This workflow helps you log information and accelerates the investigation and remediation process.

Before you begin

Note: This workflow replaces Threat Intelligence Orchestration business rules Populate with existing IoC tables, Queue the lookup, and Update observable with activities. If a lookup is inserted or updated and meets the conditions, the Lookup business rule triggers this workflow.

Role required: sn_si.basic

About this task

The Threat Intelligence - Run IoC Lookup workflow checks for an unexpired observable and, if found, sets the lookup to Complete and updates it with the data from the observable. Any indicators associated with the observable are reactivated. If the observable is expired, the workflow runs the lookups and increments the Sighting count in the existing, expired observable. If no correlating observable exists, a new observable with indicator is created.

Workflow process activities include:

- Populate lookup with observable activity
- Perform IoC Lookup activity
- Wait for lookup (core activity)
- Update observable with lookup result activity

Populate lookup with observable activity

The Threat Intelligence Orchestration - Populate lookup with observable workflow activity accelerates the investigation and remediation process by supplying data from an existing observable to a lookup when an unexpired observable is found.

Perform IoC Lookup activity

The Threat Intelligence Orchestration - Perform IoC Lookup workflow activity accelerates the investigation and remediation process by performing a specific IoC lookup.

Update observable with lookup result activity

The Threat Intelligence Orchestration - Update observable with lookup result workflow activity updates the observable record and logs useful information about the lookup result. If an observable record does not exist, it creates a new observable.

Run Default IoC Lookup Sources activity

The Threat Intelligence Orchestration - Run Default IoC Lookup Sources activity takes in a lookup request ID and creates multiple lookups depending on the entered data values.
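
The three branches described under "About this task" can be modeled as below. This is an added example using plain JavaScript objects, not ServiceNow code or the workflow's own implementation. Every name in it (`runIocLookupWorkflow`, `store`, `performLookup`, `ttl`, the field names) is hypothetical, and the initial sighting count and expiry of a new observable are assumptions.

```javascript
// Added illustration: a plain-object model of the workflow's branching.
// Not ServiceNow code; all function, parameter and field names are hypothetical.
function runIocLookupWorkflow(lookup, store, performLookup, now, ttl) {
  const observable = store.get(lookup.value); // correlate lookup to observable by value
  if (observable && observable.expires > now) {
    // Unexpired observable found: populate the lookup from it, no lookup is run.
    lookup.state = "Complete";
    lookup.result = observable.result;
    observable.indicators.forEach((ind) => { ind.active = true; }); // reactivate
    return "populated_from_observable";
  }
  // Expired or missing observable: perform the IoC lookup and take its result.
  lookup.result = performLookup(lookup.value);
  lookup.state = "Complete";
  if (observable) {
    // Expired observable: increment the sighting count on the existing record.
    observable.sightingCount += 1;
    observable.result = lookup.result;
    return "expired_observable_updated";
  }
  // No correlating observable: create a new observable with an indicator.
  store.set(lookup.value, {
    result: lookup.result,
    sightingCount: 1,      // assumed initial value
    expires: now + ttl,    // assumed expiry policy
    indicators: [{ active: true }],
  });
  return "observable_created";
}

// Constructed sample data: one unexpired, one expired, one unknown observable.
function demo() {
  const now = 1000;
  const store = new Map([
    ["198.51.100.7", { result: "malicious", expires: 2000, sightingCount: 3,
                       indicators: [{ active: false }] }],
    ["example.test", { result: "clean", expires: 500, sightingCount: 1,
                       indicators: [{ active: false }] }],
  ]);
  let calls = 0; // counts how often a lookup source would actually be queried
  const performLookup = (value) => { calls += 1; return "verdict-for-" + value; };
  const outcomes = ["198.51.100.7", "example.test", "203.0.113.9"].map((value) =>
    runIocLookupWorkflow({ value, state: "New" }, store, performLookup, now, 3600));
  return { outcomes, calls, store };
}
```

In this model only the expired and the unknown values reach a lookup source; the unexpired observable answers the lookup directly.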