Business rules installed with Threat Intelligence

Threat Intelligence adds the following business rules.
| Business rule | Table | Description |
|---|---|---|
| Check for duplicates | Observable [sn_ti_observable] | Prevents duplicate entries in the observable table. |
| Handle file malware detection | Scan [sn_ti_scan] | Deletes a scan attachment after the scan reports "failed." |
| Hash selected file | Scan [sn_ti_scan] | Retrieves the hash value of a file to scan. |
| Indicator Detection Task | Observable [sn_ti_m2m_task_observable] | Determines whether the observables on a task match an indicator. |
| Link observables | Security Incident [sn_si_incident] | Adds observables to the security incident based on the data in the fields of the IoC section. |
| Malware scan | Attachment [sys_attachment]; Security Scan Request [sn_si_scan_request] | Creates scans from security scan requests. |
| Populate with existing IoC tables | Scan [sn_ti_scan] | If sn_ti.scan_ioc_before_sending is true, checks the IoC tables and populates the scan results from the data found in them. |
| Prevent delete if scan type default | Supported scan type [sn_ti_supported_scan_type]; Threat Scanner [sn_ti_scanner] | Prevents deletion of a scan type while it is selected as the default. |
| Queue the scan | Scan [sn_ti_scan] | Inserts the scan into the scan queue. |
| Restrict observable to supported type | Observable Indicator [sn_ti_m2m_observable_indicator] | Limits the observables that can be related to an indicator based on their types. |
| Set confidence | Indicator Source [sn_ti_m2m_indicator_source] | Sets the confidence of an indicator as determined by its source. |
| Set order to next available | Supported scan type [sn_ti_supported_scan_type] | Sets the order of a supported scan type to the next available (largest) value. |
| Set scan field to attachment | Scan [sn_ti_scan] | Sets the scan attachment reference field to the attachment on the scan form. |
| Trim observable value | Scan [sn_ti_scan] | Trims whitespace from the value of an observable. |
| Update first seen | Indicator Source [sn_si_m2m_indicator_source]; Attack mode/method [sn_ti_attack_mode] | Updates the first seen field. |
| Update indicator first seen | Indicator Source [sn_vul_m2m_indicator_source] | Sets the first seen field on an indicator. |
| Update last seen | Indicator Source [sn_vul_m2m_indicator_source] | Sets the last seen field on an indicator. |
| Update observable | Scan [sn_ti_scan] | Creates or updates an observable record when a scan fails. |
| Update parent | Scan [sn_ti_scan] | Updates a scan's parent with the results of the scan. |
| Update scan name | Scan [sn_ti_scan] | Sets the scan name to a combination of values from the object being scanned. |
| Update the queue | Scan [sn_ti_scan] | Updates the scan queue entry for a scan record when the scan's state changes. |