Properties installed with Threat Intelligence

Properties

Threat Intelligence adds the following properties.
Table 1. Properties for Threat Intelligence
Property Description
VirusTotal API Key

sn_ti.virustotal.api_key

The API key to use when VirusTotal performs scans. For security reasons, the entry is masked as you enter it.
  • Type: String
  • Default value: none
  • Location: Threat Intelligence > Administration > Properties
The domain name to retrieve additional information for IP addresses/URLs

sn_ti.ip_lookup.web_site

The domain name to use for retrieving additional information into your IoC database. This property is used by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
  • Type: String
  • Default value: http://api.ipinfodb.com/v3/ip-country/
  • Location: Threat Intelligence > Administration > Properties
Note: The ipinfodb.com third-party API is free and used in many commercial software programs. If you replace it with a different domain name, you must also provide the API key in the next field.
The API key to be used for the above domain, if any

sn_ti.ip_lookup.api_key

The API key to use for retrieving additional information into your IoC database. This property is used (along with the previous property) by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
  • Type: String
  • Default value: none
  • Location: Threat Intelligence > Administration > Properties
Scan local IoC tables before sending to remote scanner

sn_ti.scan_ioc_before_sending

If set to True, the Observables table is checked for a value matching the scan request. If a match is found (that is, the same IP address, URL, or file hash value already exists), the scan result is populated from the information in the Observables table. This prevents unneeded scans. In the scan request, the State field is set to Complete, the Result field is set to Failed, and the Internally populated field is set to True.

If a matching value or attachment is not found in the Observables table, the scan proceeds normally.

  • Type: Yes | No
  • Default value: Yes
  • Location: Threat Intelligence > Administration > Properties
Number of days local Observables are considered

sn_ti.scan_ioc_num_days

If the Scan local IoC tables before sending to remote scanner property is set to True, only observables updated within the number of days specified in this property are compared with the value in the scan request.

If a match is found within the specified number of days, or if an attachment in the scan exists in an IoC observable, the scan will not be performed, the State field will be set to Complete, and the Result field will be set to Failed.

If a matching value or attachment is not found in the Observables table, the scan proceeds normally.

  • Type: integer
  • Default value: 30
  • Location: Threat Intelligence > Administration > Properties
When an attack mode/method has not been received from any source for the specified number of days, mark it as inactive

sn_ti.attack_mode_inactivate_days

Number of days from when an attack mode/method was last received for the record to be marked inactive.

  • Type: integer
  • Default value: 360
  • Location: Threat Intelligence > Administration > Properties
Note: The Active check box is not visible on the Attack mode/method form by default; however, you can add it. When attack modes/methods are inactive, they cannot be selected on other forms.
When an indicator has not been received from any source for the specified number of days, mark it as inactive

sn_ti.indicator_inactivate_days

Number of days from when an indicator was last received for the record to be marked inactive.

  • Type: integer
  • Default value: 180
  • Location: Threat Intelligence > Administration > Properties
Note: The Active check box is not visible on the Indicator form by default; however, you can add it. When indicators are inactive, they cannot be selected on other forms.
For file scans submitted through scan requests, scan only the file hash value.

sn_ti.scan.use_file_hash

If set to True, and a file is specified for scanning through a scan request, the file hash value is scanned instead.
  • Type: Yes | No
  • Default value: Yes
  • Location: This property does not appear on the Threat Intelligence Properties screen by default. If you need to change its value, type sys_properties.list in the navigation filter, press Enter, locate the property, and change its value.
For threat hash scans, delete an attachment after it has been hashed.

sn_ti.scan.delete_attachment_after_hash

If set to True, the attachment from a scan or scan request will be deleted after it has been hashed.
  • Type: Yes | No
  • Default value: Yes
  • Location: This property does not appear on the Threat Intelligence Properties screen by default. If you need to change its value, type sys_properties.list in the navigation filter, press Enter, locate the property, and change its value.
For threat file scans, delete an attachment if malware was detected.

sn_ti.scan.delete_attachment_on_detection

If set to True and a file attached to a scan or scan request returns a failed scan result (malware detected), the attachment is deleted from the hash scan.
  • Type: Yes | No
  • Default value: Yes
  • Location: This property does not appear on the Threat Intelligence Properties screen by default. If you need to change its value, type sys_properties.list in the navigation filter, press Enter, locate the property, and change its value.