Threat Intelligence - Run IoC Lookup workflow

The Threat Intelligence - Run IoC Lookup workflow can populate a lookup from an existing observable, perform an IoC lookup, update an observable with the results, and more. It records what was found for each lookup and accelerates the investigation and remediation process.

Before you begin

Note: This workflow replaces the Threat Intelligence Orchestration business rules Populate with existing IoC tables, Queue the lookup, and Update observable with activities.

If a lookup is inserted or updated and meets the conditions, the Lookup business rule triggers this workflow.

Role required: sn_si.basic

About this task

The Threat Intelligence - Run IoC Lookup workflow first checks for an unexpired observable that correlates with the lookup. If one is found, the workflow sets the lookup to Complete and updates it with the data from the observable; no new lookup is run. Any indicators associated with the observable are reactivated.

If the correlating observable is expired, the workflow runs the lookups and increments the Sighting count on the existing, expired observable.

If no correlating observable exists, a new observable, with an associated indicator, is created.
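The three branches above differ in what gets written back (lookup state, Sighting count, indicator status), and the order of the checks matters. The following is an added example that models that branching in plain JavaScript; it is not the workflow's own code and uses no ServiceNow APIs. The record shapes, field names, the 30-day expiry, the constructed lookup source and the resulting lookup state in the expired branch are assumptions made for the model.

```javascript
// Added example: an in-memory model of the three branches described above.
// It is not the workflow's own code and uses no ServiceNow APIs. The record
// shapes, field names, the 30-day expiry and the lookup source are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed stand-in for the observable table: one unexpired and one expired
// observable, both carrying an inactive indicator.
function makeObservableStore(now) {
  return [
    { value: '198.51.100.7', type: 'ip', expires: now + 3 * DAY_MS, sightings: 4,
      indicators: [{ name: 'c2-ip', active: false }],
      result: { source: 'constructed-source', verdict: 'malicious' } },
    { value: 'evil.example', type: 'domain', expires: now - DAY_MS, sightings: 1,
      indicators: [{ name: 'phish-domain', active: false }],
      result: { source: 'constructed-source', verdict: 'malicious' } },
  ];
}

// Correlate a lookup with an observable on (value, type).
function findObservable(store, lookup) {
  return store.find(o => o.value === lookup.value && o.type === lookup.type);
}

// Stand-in for querying the lookup sources; returns a constructed result.
function runLookups(lookup) {
  return { source: 'constructed-source', verdict: 'suspicious', queriedFor: lookup.value };
}

// Returns which branch was taken: 'reused', 'refreshed' or 'created'.
function processLookup(lookup, store, now) {
  const obs = findObservable(store, lookup);

  if (!obs) {
    // No correlating observable: run the lookups and create an observable
    // with an active indicator attached to it.
    const created = {
      value: lookup.value, type: lookup.type,
      expires: now + 30 * DAY_MS, sightings: 1,
      indicators: [{ name: `indicator:${lookup.type}:${lookup.value}`, active: true }],
      result: runLookups(lookup),
    };
    store.push(created);
    lookup.state = 'Complete';
    lookup.result = created.result;
    return 'created';
  }

  if (obs.expires > now) {
    // Unexpired observable: no source is queried. The lookup is completed from
    // the cached observable data and the observable's indicators are reactivated.
    lookup.state = 'Complete';
    lookup.result = obs.result;
    obs.indicators.forEach(ind => { ind.active = true; });
    return 'reused';
  }

  // Expired observable: query the sources again and count the sighting on the
  // existing record. Indicators are not reactivated and expiry is not extended
  // here, because the page describes neither for this branch.
  lookup.result = runLookups(lookup);
  lookup.state = 'Complete'; // assumption: the page does not state the resulting lookup state
  obs.sightings += 1;
  return 'refreshed';
}

// Walk all three branches on the constructed store and report the outcomes.
function demo(now = Date.now()) {
  const store = makeObservableStore(now);
  const lookups = [
    { value: '198.51.100.7', type: 'ip', state: 'New' },     // unexpired match
    { value: 'evil.example', type: 'domain', state: 'New' }, // expired match
    { value: '203.0.113.44', type: 'ip', state: 'New' },     // no match
  ];
  const branches = lookups.map(l => processLookup(l, store, now));
  return { branches, lookups, store };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints the three lookups and the store after processing: the first lookup is completed from cached data and its indicator flips to active, the second triggers a fresh lookup and bumps the Sighting count to 2 while leaving its indicator inactive, and the third adds a new observable with an active indicator. Keeping the "not expired" check before the "expired" branch is what prevents a cached hit from being re-queried.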

Threat Intelligence - Run IoC Lookup workflow diagram