
Enrich Malware Behavior From Sandbox Feeds

Analyst question: What runtime behavior supports IOC-to-TTP or malware-to-TTP mapping?

When To Use This

Use this workflow when you need a repeatable, evidence-aware way to move from raw intelligence to structured CTI output inside AdversaryGraph.

Workflow

  1. Sync sandbox behavior sources.
  2. Connect behavior artifacts to malware families or indicators.
  3. Review observed behaviors and extracted signals.
  4. Map behavior to ATT&CK techniques where supported.
  5. Use behavior evidence in analyst review.

Expected Output

Runtime behavior evidence supporting malware and technique mapping.

Quality Checks

  • Validate every technique against the source evidence.
  • Treat similarity and enrichment as analytical signals, not final conclusions.
  • Mark weak mappings as needs-evidence or rejected instead of forcing them into the final layer.
  • Export only reviewed data when using results for customer, SOC, or detection engineering handoff.
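As an added illustration of workflow steps 2 to 5 and the quality checks above (example code, not AdversaryGraph's own), the block groups sandbox artifacts per sample and technique, marks single-artifact mappings needs-evidence and unmapped behaviors rejected, applies analyst decisions, and exports only accepted rows. The behavior-to-technique table, the sandbox events, the evidence threshold and every function name are constructed assumptions.

```python
from collections import defaultdict

# Constructed behavior-category -> ATT&CK technique table (not AdversaryGraph's own).
BEHAVIOR_TO_TECHNIQUE = {
    "registry_run_key_write": "T1547.001",  # Registry Run Keys / Startup Folder
    "scheduled_task_create": "T1053.005",   # Scheduled Task
}
MIN_ARTIFACTS = 2  # assumed threshold below which a mapping counts as weak

# Constructed sandbox feed: sample, behavior category, raw artifact (the evidence).
SANDBOX_EVENTS = [
    {"sample": "sha256:SAMPLE-A", "behavior": "registry_run_key_write",
     "artifact": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"sample": "sha256:SAMPLE-A", "behavior": "registry_run_key_write",
     "artifact": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"sample": "sha256:SAMPLE-A", "behavior": "scheduled_task_create",
     "artifact": "schtasks /create /tn Updater"},
    {"sample": "sha256:SAMPLE-B", "behavior": "unknown_network_beacon",
     "artifact": "POST /gate.php"},
]

def map_behaviors(events):
    """Group artifacts per (sample, technique) and assign an initial review state."""
    evidence = defaultdict(list)
    for ev in events:
        technique = BEHAVIOR_TO_TECHNIQUE.get(ev["behavior"], f"unmapped:{ev['behavior']}")
        evidence[(ev["sample"], technique)].append(ev["artifact"])
    mappings = []
    for (sample, technique), artifacts in evidence.items():
        if technique.startswith("unmapped:"):
            state = "rejected"         # no supported technique for this behavior
        elif len(artifacts) < MIN_ARTIFACTS:
            state = "needs-evidence"   # weak: a single artifact is not enough
        else:
            state = "candidate"        # strong enough to present for analyst review
        mappings.append({"sample": sample, "technique": technique,
                         "evidence": artifacts, "state": state})
    return mappings

def apply_review(mappings, decisions):
    """Apply analyst decisions keyed by (sample, technique); untouched rows keep their state."""
    for m in mappings:
        m["state"] = decisions.get((m["sample"], m["technique"]), m["state"])
    return mappings

def export_reviewed(mappings):
    """Hand-off set: only mappings an analyst explicitly accepted."""
    return [m for m in mappings if m["state"] == "accepted"]
```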