Observable Enrichment Lookup activity

The Observable Enrichment Lookup workflow activity initiates the observable enrichment process.

The Observable Enrichment Lookup activity can be used with any observables workflow to begin enrichment.

Results

Possible results for this activity are:

Table 1. Results
Result Description
Success The lookup is successful.
Fail An error occurred while attempting to perform the lookup. More error information is available in the activity output error.

Input variables

Input variables determine the initial behavior of the activity.

Variable Description
implementation_id System identifier of the implementation used to perform the lookup.
domain_id The domain identifier for the domain within which the lookup is being performed.
observable_ids One or more observables to perform the desired action against. The IDs are used as a workflow input.
capabilityExcutionId System identifier of the capability that launched the implementation workflow. Only required for Integration Capability implementation workflows such as Splunk, Elasticsearch.
task_sys_id System identifier for any task associated with the workflow.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 2. Output variables
Variable Description
response_data Raw data returned by the implementation's API endpoint for the given domain.
mapping_id The identifier for the enrichment mapping. For example, the WhoIs integration returns data in two different format, IP and URL, with a mapping id for each.