
IOC Enrichment

Project-Agent-trust-merge / library/workflows/ioc-enrichment/README.md


Enriches CrowdStrike Indicators of Compromise (IOCs) by correlating them with Splunk log data and performing VirusTotal lookups, then compiles enriched context into artifacts and posts summaries to Slack.

Maturity: L3+ (Enforced and up) · See the 5-level maturity model for where this workflow fits in your program.

Time Saved

Before: ~10 minutes per IOC manually pivoting between CrowdStrike, Splunk, and VirusTotal to build enrichment context.

After: Automated multi-source enrichment. Analysts receive pre-correlated IOC intelligence with reputation data and log hits.

Connectors

| Connector   | Operations         | Risk |
|-------------|--------------------|------|
| CrowdStrike | iocs:read          | LOW  |
| Splunk      | search:execute     | LOW  |
| VirusTotal  | lookup (optional)  | LOW  |
| Slack       | chat:write         | LOW  |

Overall Risk: LOW -- All operations are read-only across every connector. No write-back to any security tool.

How It Works

  1. Fetch recent IOCs from CrowdStrike.
  2. For each IOC, run a Splunk correlation search to find related events.
  3. If VirusTotal is configured, look up the IOC for reputation data.
  4. Compile enrichment data and store as an artifact.
  5. Post a summary to Slack with enriched IOC details.
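Steps 2 to 4 above, as an added, stand-alone illustration that is not part of this workflow's own code: it validates each IOC's shape, renders a per-type Splunk correlation search over the configured lookback window, optionally attaches a VirusTotal verdict, and compiles the enrichment records. The SPL field names, the `fake_search` and VirusTotal stand-ins, and all sample IOCs and events are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed log schema (src_ip, dest_ip, query, dest_host, file_hash); adapt to your Splunk data model.
SPL_TEMPLATES = {
    "ipv4": 'search index=* (src_ip="{v}" OR dest_ip="{v}") earliest=-{lb}h | stats count',
    "domain": 'search index=* (query="{v}" OR dest_host="{v}") earliest=-{lb}h | stats count',
    "sha256": 'search index=* file_hash="{v}" earliest=-{lb}h | stats count',
}
PATTERNS = {  # shape validation first: an IOC that matches no pattern is never searched
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I),
}

def ioc_type(value):
    return next((k for k, p in PATTERNS.items() if p.match(value)), None)
def spl_quote(value):  # defence in depth: feed values are untrusted, escape before interpolating
    return value.replace("\\", "\\\\").replace('"', '\\"')
def build_search(value, lookback_hours=24):
    kind = ioc_type(value)
    return None if kind is None else SPL_TEMPLATES[kind].format(v=spl_quote(value), lb=int(lookback_hours))
def enrich(iocs, now, max_age_hours, run_search, vt_lookup=None):
    """Steps 2-4: drop IOCs outside the lookback window, correlate, add reputation, compile."""
    records = []
    for ioc in iocs:
        spl = build_search(ioc["value"], max_age_hours)
        if spl is None or now - ioc["created"] > timedelta(hours=max_age_hours):
            continue
        rec = {"ioc": ioc["value"], "type": ioc_type(ioc["value"]), "splunk_hits": run_search(spl)}
        if vt_lookup is not None:  # VirusTotal is optional in this workflow
            rec["vt_malicious"] = vt_lookup(ioc["value"])
        records.append(rec)
    return records

# Constructed sample data standing in for CrowdStrike IOCs, Splunk events and VirusTotal verdicts.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_IOCS = [
    {"value": "203.0.113.10", "created": NOW - timedelta(hours=2)},
    {"value": "bad.example", "created": NOW - timedelta(hours=5)},
    {"value": "198.51.100.7", "created": NOW - timedelta(days=10)},  # outside lookback window
    {"value": "not an ioc", "created": NOW},  # unknown shape, skipped
]
SAMPLE_EVENTS = [{"dest_ip": "203.0.113.10"}, {"src_ip": "203.0.113.10"},
                 {"query": "bad.example"}, {"dest_ip": "192.0.2.1"}]
def fake_search(spl):  # stand-in for Splunk: count sample events whose field value the search quotes
    return sum(1 for e in SAMPLE_EVENTS if any(f'"{v}"' in spl for v in e.values()))
def demo(max_age_hours=24):
    return enrich(SAMPLE_IOCS, NOW, max_age_hours, fake_search, lambda v: {"bad.example": 7}.get(v, 0))
```

`demo()` returns two records (the stale IP and the malformed value are dropped); widening `max_age_hours` brings the ten-day-old IP back in with zero hits.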

ARX Governance

  • Risk Classification:
      • CrowdStrike:iocs:read -- LOW -- read-only IOC indicator retrieval
      • Splunk:search:execute -- LOW -- read-only log correlation queries
      • VirusTotal:lookup -- LOW -- read-only external reputation lookup
      • Slack:chat:write -- LOW -- informational summaries only
  • HITL Gate: Disabled -- all operations are read-only. No human approval required for any step.
  • Policy Rules:
      • PERMITTED: Reading IOCs from CrowdStrike
      • PERMITTED: Running Splunk correlation searches against log data
      • PERMITTED: Performing VirusTotal reputation lookups
      • PERMITTED: Posting enrichment summaries to Slack
      • DENIED: Any write-back to CrowdStrike IOC data or detection status
  • Audit Trail: Every IOC processed, Splunk search query executed, VirusTotal lookup performed, and enrichment artifact generated is logged with a timestamp and the IOC identifier.
  • Config: See arx.yaml for connector permissions, schedule, and correlation search templates.

Setup

Prerequisites

```bash
pip install arx
```

Environment Variables

```bash
export CS_CLIENT_ID="your-crowdstrike-client-id"
export CS_CLIENT_SECRET="your-crowdstrike-client-secret"
export SPLUNK_URL="https://splunk.your-org.com:8089"
export SPLUNK_TOKEN="your-splunk-bearer-token"

# Optional
export VIRUSTOTAL_API_KEY="your-virustotal-api-key"
export SLACK_BOT_TOKEN="xoxb-your-slack-token"
export SLACK_THREAT_CHANNEL="#threat-intel"
```

Run

```bash
# One-time execution
arx run workflow.py

# Register on schedule (every 30 minutes)
arx register --config arx.yaml
```

Customization

  • Customize Splunk correlation search templates for your log schema
  • Enable or disable VirusTotal integration via config flag
  • Adjust IOC age filter to control lookback window