Security Operations Integration - Publish to Watchlist workflow The Security Operations Integrations - Publish to Watchlist workflow is a high-level workflow independent of integrations. It adds observables to third-party watchlists that support the capability. Use it to fulfill an integration. Before you beginRole required: sn_si.analyst About this task This workflow is visible and runs only when an integration is available. It is triggered from the Observables or Associated Indicators tab on a security incident. Workflow process activities include: Determine Observables Filter Whitelisted Observables Observable Execution Tracking - Begin Parallel Flow Launcher Get Supported Security Capabilities Capability Execution Tracking - No Impls activity Capability Execution Tracking - Complete Determine Observables activityThe Determine Observables workflow activity determines which observable to include in the workflowFilter Whitelisted Observables activityThe Filtered Whitelisted Observables workflow activity removes observables that can be ignored from the list of observables. This activity can accelerate the investigation and remediation process.Execution Tracking - Begin (Observables) activityThe Execution Tracking - Begin (Observables) workflow activity starts the auditing process for a Security Operations Integration workflow that operates on observables. Get Supported Security Capabilities activityThe Get Supported Capabilities workflow activity retrieves the name and number of integrations that are active and support the requested capability. Capability Execution Tracking - No Impls activityThe Capability Execution Tracking - No Impls workflow activity creates an error record when no integration capability implementation is found. Capability Execution Tracking - Complete activityThe Capability Execution Tracking - Complete workflow activity updates the audit record when the workflow is complete.