Submit a threat scan request with Threat Intelligence

If you suspect that websites, files, or links to IP addresses you have received might contain malware or other threats, you can create a request to scan them. Scans can also be initiated from security incidents, from the Security Incident Catalog, or in the form of forwarded emails.

Before you begin

If the Security Incident Response plugin is activated, you can submit threat scan requests using the following procedure, or you can perform the scan from the Security Incident Response module.

Role required: sn_ti.write

Procedure

  1. Navigate to Threat Intelligence > Threat Scanning > Scans.
    The Scans list shows all scans, including scans that have not yet been executed and those that are complete. Each scan has an automatically generated scan name that identifies the file, hash value, URL, or IP address selected for scanning.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Table 1. Scans

    Number: The auto-generated record number for this request.
    Scanner: Select the third-party scanner to be used for this scan.
    Type: Select the type of scan to be performed. Only scan types defined for the selected scanner are available.
      Note: By default, the File scan type is inactive. To scan a file by its hash, select Hash in the Type field, select the file in the Attachment to scan field, and click Submit, or click the paper clip icon in the form header and attach one or more files. If you want to use the File scan type instead, see Change File scan type behavior.
    Attachment to scan: Select the attachment to be scanned. This field is displayed only if File or Hash is selected in the Type field.
    Value: The hash, IP address, or URL to be scanned. This field appears if you selected Hash, IP, or URL in the Type field.
      Note: If you selected Hash or File in the Type field and selected an attachment to be scanned, the Value field is read-only. When the record is saved, the Value field is updated with the SHA-256 hash of the selected file.
    State: The current state of the request.
    Time requested: The date and time the request was created.
    Requested by: The name of the requester.
    Status message: A status message generated by the third-party scanner.
    Scan reference: The URL of the third-party scanner.
    Raw response: The raw results of the scan from the selected scanner. To view this field, you must personalize the form and add the Raw response field.
  4. If you want to scan files, click the paperclip icon in the form header, then locate and attach the files you want scanned.
    Note: Files have a 5MB size limit. If you attach a file larger than this, the scan will not run and the scan record's State field will show Error.

  5. Click Submit.
    After you have submitted the request, you can view the scan queue to determine the status of the scan request. A completed scan may appear similar to the following.
    (Figure: Sample scan result)
    Note: If a scan of an IP address or a hash reports malware or another negative result, the IP address or hash value is automatically added to the Observable [sn_ti_observable] table and can then be searched for from the Observables form.