View an IoC

Indicators of compromise (IoCs), sometimes referred to as indicators, are typically retrieved from a threat data source as STIX data. If needed, you can also create IoCs.

Before you begin

Role required: sn_ti.write

Procedure

  1. After the scheduled job has retrieved IoC data from the defined data source, navigate to Threat Intelligence > IoC Repository > Indicators.
    The retrieved IoCs are listed.
  2. Click the IoC you want to view.
  3. The following information is displayed.

    | Field | Description |
    | --- | --- |
    | Title | A descriptive name for this indicator. |
    | First Seen | The first date this indicator was observed in the system. |
    | Last Seen | The most recent date this indicator was observed in the system. |
    | Encountered count | The number of times the indicator has been encountered. |
    | Sourced count | The number of times the indicator was imported from defined threat sources. |
    | Notes | Any additional notes about the indicator. This field can also contain JSON key/value pairs. |

  4. You can click any of the following related lists to view additional information.

    | Related List | Description |
    | --- | --- |
    | Related Observables | Lists observables that are linked to the current indicator. |
    | Related Attack mode/method | Lists attack modes/methods that have been identified as related to this indicator. |
    | Associated Type | Lists other indicator types that are associated with this IoC. |
    | Indicator Sources | Lists the sources of this indicator, along with the confidence level of the source. |
    | Associated Tasks | Lists all tasks, changes, and incidents associated with the IoC. |
    | Indicator Metadata | If the Notes field contains valid JSON key/value pairs, they are parsed and displayed. If no JSON key/value pairs are present, or if the JSON is invalid, this related list is not displayed. |