Business rules installed with Threat Intelligence

Threat Intelligence adds the following business rules.

| Business rule | Table | Description |
|---|---|---|
| Check for duplicates | Observable [sn_ti_observable] | Prevents duplicate entries in the observable table. |
| Handle file malware detection | Scan [sn_ti_scan] | Deletes the scan attachment after a scan reports "failed." |
| Hash selected file | Scan [sn_ti_scan] | Retrieves the hash value of a file to be scanned. |
| Indicator Detection | Task Observable [sn_ti_m2m_task_observable] | Determines whether the observables on a task match an indicator. |
| Link observables | Security Incident [sn_si_incident] | Adds observables to the security incident based on the data in the fields of the IoC section. |
| Malware scan | Attachment [sys_attachment], Security Scan Request [sn_si_scan_request] | Creates scans from security scan requests. |
| Populate with existing IoC tables | Scan [sn_ti_scan] | If the sn_ti.scan_ioc_before_sending property is true, checks the IoC tables and populates the scan results with any data found in them before the scan is sent. |
| Prevent delete if scan type default | Supported scan type [sn_ti_supported_scan_type], Threat Scanner [sn_ti_scanner] | Prevents deletion of a scan type while it is selected as the default. |
| Queue the scan | Scan [sn_ti_scan] | Inserts the scan into the scan queue. |
| Restrict observable to supported type | Observable Indicator [sn_ti_m2m_observable_indicator] | Limits the observables that can be related to an indicator to those whose type the indicator supports. |
| Set confidence | Indicator Source [sn_ti_m2m_indicator_source] | Sets the confidence of an indicator based on its source. |
| Set order to next available | Supported scan type [sn_ti_supported_scan_type] | Sets the order of a supported scan type to the next available (largest) value. |
| Set scan field to attachment | Scan [sn_ti_scan] | Sets the scan attachment reference field to the attachment on the scan form. |
| Trim observable value | Scan [sn_ti_scan] | Trims leading and trailing whitespace from the value of an observable. |
| Update first seen | Indicator Source [sn_si_m2m_indicator_source], Attack mode/method [sn_ti_attack_mode] | Updates the first seen field. |
| Update indicator first seen | Indicator Source [sn_vul_m2m_indicator_source] | Sets the first seen field on an indicator. |
| Update last seen | Indicator Source [sn_vul_m2m_indicator_source] | Sets the last seen field on an indicator. |
| Update observable | Scan [sn_ti_scan] | Creates or updates the observable record when a scan reports "failed." |
| Update parent | Scan [sn_ti_scan] | Updates a scan's parent record with the results of the scan. |
| Update scan name | Scan [sn_ti_scan] | Sets the name of a scan from the value of the object being scanned. |
| Update the queue | Scan [sn_ti_scan] | Updates the scan queue entry for a scan record when the scan's state changes. |