Business rules installed with Threat Intelligence

Threat Intelligence adds the following business rules.
Business rule: Check for duplicates
Table: Observable
Description: Prevents duplicate entries in the observable table.

Business rule: Handle file malware detection
Table: Lookup
Description: Deletes the lookup attachment after a lookup reports "failed".

Business rule: Hash selected file
Table: Lookup
Description: Retrieves the hash value of the file to be looked up.

Business rule: Indicator Detection Task
Table: Observable
Description: Determines whether the observables on a task match an indicator.

Business rule: IoC Lookup
Table: Attachment, Security Scan Request
Description: Creates lookups from security lookup requests, and triggers the Threat Intelligence - Run Lookup workflow when a lookup object is inserted or updated and meets the condition specified in the IoC Lookup business rule.

Business rule: Link observables label
Description: Adds observables to the security incident based on the data in the fields of the IoC section.

Business rule: Notify Lookup Finished
Table: Lookup
Description: Sends an email notification to the lookup requester when the lookup has completed. The notification includes the names of the lookup sources, the lookup numbers, the number of threats found, and the lookup engines that detected threats. If multiple lookups are performed as a group, the notification is not sent until all lookups in the group are complete.

Business rule: Parse JSON from notes
Table: Indicator
Description: Detects and parses valid JSON key/value pairs in the Indicator of Compromise Notes field and displays them in the Indicators of Compromise Metadata related list.

Business rule: Prevent delete if lookup type default
Table: Supported Lookup Type, Lookup Source
Description: Prevents deletion of a lookup type while it is selected as the default.

Business rule: Prevent Removing Indicator Types
Table: Associated Indicator Types
Description: Prevents the deletion of indicator types whose removal would cause data integrity issues.

Business rule: Reactive IoC when observable found
Table: Observable
Description: Reactivates an inactive observable when it is found again.

Business rule: Restrict observable to supported type
Table: Observable Indicator
Description: Limits the observables that can be associated with an indicator according to their types.

Business rule: Roll up threat to SI
Table: Lookup
Description: When a lookup finds a threat, launches a workflow that rolls up the lookup summary report to the originating security incident as a work note.

Business rule: Set confidence
Table: Indicator Source
Description: Sets the confidence of an indicator as determined by its source.

Business rule: Set lookup field to attachment
Table: Lookup
Description: Sets the lookup attachment reference field to the attachment on the lookup form.

Business rule: Set order to next available
Table: Supported Lookup Type
Description: Sets the order of a supported lookup type to the largest available order value.

Business rule: Trigger Workflows
Table: Lookup
Description: Triggers Threat Intelligence workflows when their conditions are met.

Business rule: Trim observable value
Table: Lookup
Description: Trims leading and trailing white space from the value of an observable.

Business rule: Update first seen
Table: Indicator Source, Attack mode/method
Description: Updates the first seen field.

Business rule: Update indicator first seen
Table: Indicator Source
Description: Sets the first seen field on an indicator.

Business rule: Update last seen
Table: Indicator Source
Description: Sets the last seen field on an indicator.

Business rule: Update lookup name
Table: Lookup
Description: Sets the name of a lookup from the value of the object being scanned.

Business rule: Update parent
Table: Lookup
Description: Updates the parent lookup with the results of a lookup.

Business rule: Update the queue
Table: Lookup
Description: Updates the lookup queue entry for a lookup record when the lookup state changes.
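The "Parse JSON from notes" rule above is described only by its behaviour. The following is an added JavaScript illustration of that behaviour, written for this page and not the Threat Intelligence plugin's own business rule script: it scans a free-text notes string for balanced {...} segments, keeps only the segments that parse as JSON objects (invalid JSON, unterminated braces, arrays and scalars are skipped), and flattens each object into key/value rows of the kind shown in the Indicators of Compromise Metadata related list. The function names, the brace-scanning approach and the SAMPLE_NOTES input are assumptions constructed for the example; on the platform the real rule reads the Notes field from the indicator record rather than from a plain string.

```javascript
// Added illustration, not the plugin's own code: extract JSON key/value pairs
// from free-text analyst notes, ignoring anything that is not valid JSON.

// Return every balanced {...} segment in `text`. Quoted strings inside a segment
// are skipped so braces inside string values do not affect nesting depth.
// An unterminated '{' never closes, so it yields no candidate at all.
function extractJsonCandidates(text) {
  const candidates = [];
  let depth = 0, start = -1, inString = false, escaped = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"' && depth > 0) { inString = true; continue; }
    if (ch === '{') {
      if (depth === 0) start = i;
      depth++;
    } else if (ch === '}' && depth > 0) {
      depth--;
      if (depth === 0) { candidates.push(text.slice(start, i + 1)); start = -1; }
    }
  }
  return candidates;
}

// Parse each candidate and flatten JSON objects into [{key, value}] rows.
// Nested values are stored as their JSON text so every row value is a string.
function parseJsonFromNotes(notes) {
  const rows = [];
  for (const candidate of extractJsonCandidates(String(notes || ''))) {
    let parsed;
    try {
      parsed = JSON.parse(candidate);
    } catch (e) {
      continue; // not valid JSON (e.g. prose inside braces): skip it
    }
    if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) continue;
    for (const [key, value] of Object.entries(parsed)) {
      const asText = (value !== null && typeof value === 'object') ? JSON.stringify(value) : String(value);
      rows.push({ key: key, value: asText });
    }
  }
  return rows;
}

// Constructed sample notes field (hypothetical data, not from any real indicator).
const SAMPLE_NOTES = [
  'Seen in phishing wave on 2024-03-01.',
  '{"campaign": "ConstructedCampaign", "confidence": 80, "tags": ["phish", "credential"]}',
  'Analyst scribble: {not json, just braces}',
  '{"source": "Constructed feed"} trailing text',
].join('\n');

console.log(parseJsonFromNotes(SAMPLE_NOTES));
```

The scanner deliberately does not try to "repair" near-JSON: a block that fails JSON.parse is dropped rather than partially imported, which matches the rule's description of acting only on valid key/value pairs and avoids populating the metadata list with guessed values.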