Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • Madrid
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

Business rules installed with Threat Intelligence

Log in to subscribe to topics and get notified when content changes.

Business rules installed with Threat Intelligence

Threat Intelligence adds the following business rules.
Business rule Table Description
Check for duplicates Observable [sn_ti_observable] Prevents duplicate entries in the observable table.
Handle file malware detection Scan [sn_ti_scan] Deletes a scan attachment after a scan reports "failed."
Hash selected file Scan [sn_ti_scan] Retrieves the hash value of a file to scan.
Indicator Detection Task Observable [sn_ti_m2m_task_observable] Determines if the observables on a task indicate an indicator.
Link observables label [sn_si_incident] Adds observables to the security incident based on the data in the fields of the IoC section.
Malware scan
  • Attachment [sys_attachment]
  • Security Scan Request [sn_si_scan_request]
Creates scans from security scan requests.
Populate with existing IoC tables Scan [sn_ti_scan] If sn_ti.scan_ioc_before_sending is true, this business rule will check IoC tables and populate scan results based on data found in the tables.
Prevent delete if scan type default
  • Supported scan type [sn_ti_supported_scan_type]
  • Threat Scanner [sn_ti_scanner]
Prevents deletion of a scan type when it is selected as the default.
Queue the scan Scan [sn_ti_scan] Inserts the scan into the scan queue.
Restrict observable to supported type Observable Indicator [sn_ti_m2m_observable_indicator] Limits the observables available to related to an indicator based on their types.
Set confidence Indicator Source [sn_ti_m2m_indicator_source] Sets the confidence of an indicator determined by the source.
Set order to next available Supported scan type [sn_ti_supported_scan_type] Sets the order of a supported scan type to the largest available.
Set scan field to attachment Scan

[sn_ti_scan]

Sets the scan attachment reference field to the attachment on the scan form.
Trim observable value Scan [sn_ti_scan] Trims whitespace from the value of an observable.
Update first seen

Indicator Source [sn_si_m2m_indicator_source]

Attack mode/method [sn_ti_attack_mode]
Updates the first seen field.
Update indicator first seen Indicator Source [sn_vul_m2m_indicator_source] Sets the first seen field on an indicator.
Update last seen Indicator Source [sn_vul_m2m_indicator_source] Sets the last seen field on an indicator.
Update observable Scan [sn_ti_scan] Creates or updates observable record if a scan fails.
Update parent Scan [sn_ti_scan] Updates a scan’s parent with the results of a scan.
Update scan name Scan [sn_ti_scan] Sets the scan name of a scan to a combination of the value of the object being scanned.
Update the queue Scan [sn_ti_scan] Update a scan queue entry for a scan record when the scan’s state changes.
Feedback