Business rules installed with Threat Intelligence

Threat Intelligence adds the following business rules.
| Business rule | Table | Description |
|---|---|---|
| Check for duplicates | Observable [sn_ti_observable] | Prevents duplicate entries in the observable table. |
| Handle file malware detection | Lookup [sn_ti_scan] | Deletes a lookup attachment after a lookup reports "failed." |
| Hash selected file | Lookup [sn_ti_scan] | Retrieves the hash value of a file to look up. |
| Indicator Detection Task | Observable [sn_ti_m2m_task_observable] | Determines whether the observables on a task indicate an indicator. |
| IoC Lookup | Attachment [sys_attachment], Security Scan Request [sn_si_scan_request] | Creates lookups from security lookup requests. |
| IoC Lookup | Lookup [sn_ti_scan] | Triggers the Threat Intelligence - Run Lookup workflow when a lookup object is inserted or updated and meets the condition specified in the IoC Lookup business rule. |
| Link observables label | [sn_si_incident] | Adds observables to the security incident based on the data in the fields of the IoC section. |
| Notify Lookup Finished | Lookup [sn_ti_scan] | Sends an email notification to the lookup requester when the lookup has completed. The notification includes the names of the lookup sources, the lookup numbers, the number of threats found, and the lookup engines that detected threats. If multiple lookups are performed as a group, the notification is not sent until all lookups are completed. |
| Parse JSON from notes | Indicator [sn_ti_indicator] | Detects and parses valid JSON key/value pairs in the Indicator of Compromise Notes field and displays them in the Indicators of Compromise Metadata related list. |
| Prevent delete if lookup type default | Supported Lookup Type [sn_ti_supported_scan_type], Lookup Source [sn_ti_scanner] | Prevents deletion of a lookup type when it is selected as the default. |
| Prevent Removing Indicator Types | Associated Indicator Types [sn_ti_m2m_indicator_indicator_type] | Prevents the deletion of indicator types whose removal would cause data integrity issues. |
| Reactive IoC when observable found | Observable [sn_ti_observable] | Reactivates an observable when it is inactive and has recently been found. |
| Restrict observable to supported type | Observable Indicator [sn_ti_m2m_observable_indicator] | Limits the observables available to an indicator based on their types. |
| Roll up threat to SI | Lookup [sn_ti_scan] | When a threat is found during a lookup, launches a workflow that rolls up the lookup summary report to the originating security incident as a work note. |
| Set confidence | Indicator Source [sn_ti_m2m_indicator_source] | Sets the confidence of an indicator based on its source. |
| Set lookup field to attachment | Lookup [sn_ti_scan] | Sets the lookup attachment reference field to the attachment on the lookup form. |
| Set order to next available | Supported lookup type [sn_ti_supported_scan_type] | Sets the order of a supported lookup type to the largest available value. |
| Trigger Workflows | Lookup [sn_ti_scan] | Triggers Threat Intelligence workflows when their conditions are met. |
| Trim observable value | Lookup [sn_ti_scan] | Trims white space from the value of an observable. |
| Update first seen | Indicator Source [sn_si_m2m_indicator_source], Attack mode/method [sn_ti_attack_mode] | Updates the first seen field. |
| Update indicator first seen | Indicator Source [sn_vul_m2m_indicator_source] | Sets the first seen field on an indicator. |
| Update last seen | Indicator Source [sn_vul_m2m_indicator_source] | Sets the last seen field on an indicator. |
| Update lookup name | Lookup [sn_ti_scan] | Sets the name of a lookup to a combination of the value of the object being scanned. |
| Update parent | Lookup [sn_ti_scan] | Updates a lookup parent with the results of a lookup. |
| Update the queue | Lookup [sn_ti_scan] | Updates the lookup queue entry for a lookup record when the lookup state changes. |