Threat Intelligence Uploads Workflow Ideas

we receive threat intel in the form of a csv, and I would like to

  1. reverse the sanitization (evil[.]com)
  2. validate the URL is indeed bad (virustotal, etc)
  3. search logs for visitors to those sites
  4. remediate actions

on 1. I have some regex that should work for de-sanitization

but what do you all think?