The Threat Intelligence Orchestration - Update observable with lookup result workflow activity updates the observable record. If one does not exist, it creates a new observable. This activity is useful for logging information.
When triggered by a workflow, Update observable with lookup result updates an existing observable to include the new Sighting count, adds a note, and reactivates any inactive indicators. The Encountered count and Last seen date in the indicator are also updated.
If no correlating observable exists, the workflow creates a new observable with an indicator as follows:
- Runs the IoC lookups
- Creates a new observable
- Creates an indicator for the observable
- Adds a Sighting count to the observable
- Adds an Encountered count and Last seen date to the indicator
- Adds a message indicating from which lookup it was created
Input variables determine the initial behavior of the activity.
Table 5. Input variables
The output variables contain data that can be used in subsequent activities.
Table 6. Output variables
||Update or creation of observable is successful.
||Update or creation of observable failed.