Tables installed with Threat Intelligence

Threat Intelligence adds the following tables.
| Table | Description |
| --- | --- |
| Attack mechanism [sn_ti_attack_mechanism] | Organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system. |
| Attack mode/method [sn_ti_attack_mode] | Attack modes and methods are representations of the behavior of cyber adversaries. They characterize what an adversary does and how they do it in increasing levels of detail. |
| Discovery method [sn_ti_discovery_method] | An expression of how an incident was discovered. |
| Feed [sn_ti_feed] | Used for configuring the Threat Feed (RSS) in the Threat Overview. |
| Indicator Attack mode/method [sn_ti_m2m_indicator_attack_mode] | Used to map attack modes/methods to indicators. |
| Indicator of Compromise [sn_ti_indicator] | Used to convey specific observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. |
| Indicator of Compromise Metadata [sn_ti_indicator_metadata] | |
| Indicator Source [sn_ti_m2m_indicator_source] | Used to collect all the sources reporting the specific indicator. |
| Indicator Type [sn_ti_indicator_type] | Used to characterize a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it is acted on, and so on. |
| Associated Indicator Type [sn_ti_m2m_indicator_indicator_type] | Links indicators with their applicable types. |
| Intended effect [sn_ti_intended_effect] | Used for expressing the intended effect of a threat actor. |
| IP Scan Result [sn_ti_ip_result] | Used to show the results of an IP lookup. |
| Malware Rate limit [sn_ti_rate_limit] | Defines a rate limit to be used on a lookup source. |
| Malware Scan [sn_ti_scan] | A lookup. Contains what to look up, with what lookup source, and a summary of the lookup results. |
| Malware Scanner [sn_ti_scanner] | Defines third-party lookup sources to use in performing lookups. |
| Malware Scanner Rate Limit [sn_ti_scanner_rate_limit] | Associates a lookup source with a rate limit. |
| Malware Scan Queue Entry [sn_ti_scan_q_entry] | A lookup record queued for lookup or processing. Facilitates the requests within stated rate limits. |
| Malware Scan Result [sn_ti_scan_result] | Displays the result of a lookup. |
| Malware Type [sn_ti_malware_type] | Used for expressing the types of malware instances. |
| Observable [sn_ti_observable] | Observables in STIX represent stateful properties or measurable events pertinent to the operation of computers and networks. |
| Observable Indicator [sn_ti_m2m_observable_indicator] | Used to relate observables to indicators. |
| Observable Source [sn_ti_observable_source] | Used to relate observables to threat sources. |
| Observable Type [sn_ti_observable_type] | Lists the various types of observables, such as IP addresses. |
| Related attack mode/method [sn_ti_m2m_attack_mode_attack_mode] | Used to relate attack modes to each other. |
| Related Observables [sn_ti_m2m_observables] | Used to relate observables to each other. |
| Scan type [sn_ti_scan_type] | The definition of a lookup type, with initial records for File, URL, and IP. |
| Supported Observable Types [sn_ti_m2m_ind_type_obs_type] | Relates indicator types to valid observable types. |
| Supported Scan Type [sn_ti_supported_scan_type] | Maps the lookup type to a lookup source/vendor-specific implementation. Indicates that a specific lookup source supports the type. |
| Task Attack mode/method [sn_ti_m2m_task_attack_mode] | Relates attack modes to tasks. |
| Task Indicator [sn_ti_m2m_task_indicator] | Relates indicators to tasks. |
| Task Observable [sn_ti_m2m_task_observable] | Relates observables to tasks. |
| TAXII Collection [sn_ti_taxii_collection] | Defines a cyber-risk intelligence feed that can be imported by a TAXII server. |
| TAXII Profile [sn_ti_taxii_profile] | Defines a repository for sharing cyber-risk intelligence. Contains TAXII collections. |
| Threat Actor type [sn_ti_threat_actor_type] | Provides characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior. |
| Threat Intelligence Source [sn_ti_source] | Defines a source for importing threat data. |

The Security Support Common [com.snc.security_support.common] plugin, which is activated when you activate Threat Intelligence, adds the following tables.

| Table | Description |
| --- | --- |
| Rate limit [sn_cmn_rate_limit] | Defines a rate limit to be used on a lookup source or scanner. |
| Scan [sn_sec_cmn_scan] | A threat lookup or vulnerability scan. Contains what to look up or scan, with what lookup source or scanner, and a summary of the results. |
| Scanner [sn_sec_cmn_scanner] | Defines third-party lookup sources or scanners to use in lookups or scans. |
| Scan Queue Entry [sn_cmn_scan_q_entry] | A threat lookup or vulnerability scan record queued for lookup, scan, or processing. Facilitates the requests within stated rate limits. |
| Scanner Rate Limit [sn_cmn_scanner_rate_limit] | Associates a lookup source or scanner with a rate limit. |