Use Threat Check in a SOAR playbook


Silent Push’s Threat Check service provides a fast, API-driven way to verify whether a domain or IP address appears in the Indicators of Fraudulent Activity (IOFA) feed. This article demonstrates how to automate Threat Check inside a SOAR workflow, specifically Cortex XSOAR, to enrich alerts and take automated response actions.

Prerequisites

  • Silent Push Enterprise subscription

  • Threat Check API key

  • Working Cortex XSOAR environment

  • Outbound HTTPS access to https://api.threatcheck.silentpush.com/v1/

Playbook objectives

  • Enrich incoming alerts with Threat Check data

  • Automatically escalate or block indicators found on the IOFA feed

  • Document enrichment results in the case

Workflow summary

  1. An alert is ingested that contains IPs or domains.

  2. Extract indicators from alert data.

  3. For each indicator, call the Silent Push Threat Check API.

  4. Evaluate the response:

    • is_listed = true: treat as high-risk.

    • is_listed = false: mark as low-risk.

  5. Take action: escalate, block, or tag accordingly.

  6. Log results and close the playbook.

Example playbook flow

Step | Description                            | Example command
-----|----------------------------------------|---------------------------
1    | Extract observables                    | ExtractIndicatorsFromAlert
2    | For each observable, call Threat Check | silentpush-threat-check
3    | Evaluate response                      | is_listed == true
4    | Take action                            | Block IP / escalate / notify
5    | Log and summarize results              | AddCaseNote

YAML snippet example

name: "SilentPush_ThreatCheck_Enrich"
tasks:
  - id: 1
    name: Extract Observables
    script: ExtractIndicatorsFromAlert
    output: indicators_list

  - id: 2
    name: Loop Through Indicators
    for: indicator in indicators_list
    tasks:
      - id: 2.1
        name: Threat Check
        integration: SilentPush
        command: silentpush-threat-check
        inputs:
          t: ${indicator.type}    # indicator type: domain or ip
          q: ${indicator.value}   # the domain or IP address to check
        outputs: threatcheck_result

      - id: 2.2
        name: Evaluate Result
        script: |
          if ${threatcheck_result.is_listed} == true:
            return "HighRisk"
          else:
            return "LowRisk"

      - id: 2.3
        name: High Risk Actions
        condition: "HighRisk"
        tasks:
          - AddTag: "IOFA_Listed"
          - BlockIndicator: ${indicator.value}
          - Notify: "SOC_Team"

      - id: 2.4
        name: Low Risk Actions
        condition: "LowRisk"
        tasks:
          - AddTag: "Not_IOFA"

  - id: 3
    name: Summarize & Report
    script: AddCaseNote(summary = threatcheck_result)

Example output

Successful Threat Check API response

{
  "query": "203.0.113.5",
  "is_listed": true,
  "listed_txt": "This IP is on the IOFA feed."
}

The playbook will tag this indicator as High Risk and execute the associated response actions.
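The same workflow, as an added Python example (not Silent Push's or XSOAR's own code) that runs offline: it extracts indicators from alert text, calls an injected fetch function in place of the live API, classifies each response the way task 2.2 does, and records the actions the case note would carry. The base URL is taken from this article; the t/q query parameters, the X-API-Key header name, the "Unknown" state for failed lookups and the ThreatCheck_Retry tag are assumptions.

```python
import ipaddress, re
# Base URL is from the article; the t/q query parameters and the X-API-Key header are assumed.
THREATCHECK_BASE = "https://api.threatcheck.silentpush.com/v1/"
HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")
ACTIONS = {"HighRisk": ["AddTag:IOFA_Listed", "BlockIndicator", "Notify:SOC_Team"],
           "LowRisk": ["AddTag:Not_IOFA"], "Unknown": ["AddTag:ThreatCheck_Retry"]}

def extract_indicators(text):
    """Step 1: unique IPv4 addresses and hostnames, in order, from free-form alert text."""
    found = []
    for token in dict.fromkeys(t.strip(".").lower() for t in re.findall(r"[A-Za-z0-9.-]+", text)):
        try:
            ipaddress.ip_address(token)
            kind = "ip"
        except ValueError:
            if not HOST_RE.match(token):
                continue  # stray words, version strings, bare numbers
            kind = "domain"
        found.append({"type": kind, "value": token})
    return found

def threat_check(indicator, api_key, fetch):
    """Step 2: one lookup; fetch(url, params, headers) -> dict is injected so tests run offline."""
    return fetch(THREATCHECK_BASE, {"t": indicator["type"], "q": indicator["value"]},
                 {"X-API-Key": api_key})

def evaluate(response):
    """Step 3: true -> HighRisk, false -> LowRisk; error/missing field -> Unknown (assumed state)."""
    listed = response.get("is_listed")
    return "HighRisk" if listed is True else "LowRisk" if listed is False else "Unknown"

def run_playbook(alert_text, api_key, fetch):
    """Steps 1-5: per-indicator records in the form AddCaseNote would store."""
    results = []
    for ind in extract_indicators(alert_text):
        resp = threat_check(ind, api_key, fetch)
        risk = evaluate(resp)
        actions = [f"{a}:{ind['value']}" if a == "BlockIndicator" else a for a in ACTIONS[risk]]
        results.append({"indicator": ind["value"], "type": ind["type"], "risk": risk,
                        "listed_txt": resp.get("listed_txt", ""), "actions": actions})
    return results
# Constructed offline stand-in for the API, returning the "Example output" shape.
CONSTRUCTED_FEED = {"203.0.113.5": "This IP is on the IOFA feed."}

def fake_fetch(url, params, headers):
    q = params["q"]
    if q in CONSTRUCTED_FEED:
        return {"query": q, "is_listed": True, "listed_txt": CONSTRUCTED_FEED[q]}
    if q == "timeout.example":  # simulate a lookup that failed upstream
        return {"query": q, "error": "upstream timeout"}
    return {"query": q, "is_listed": False, "listed_txt": ""}
```

A failed or malformed lookup lands in the Unknown bucket rather than being tagged Not_IOFA, which is the outcome the retry advice under Troubleshooting is meant to protect against.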

Troubleshooting

  • Ensure you use the Threat Check API key, not the general Silent Push API key.

  • Confirm that api.threatcheck.silentpush.com is reachable from your SOAR environment.

  • Implement retry or rate-limiting mechanisms for handling large indicator sets.