Business rules installed with Threat Intelligence

Threat Intelligence adds the following business rules.
| Business rule | Table | Description |
| --- | --- | --- |
| Add Case IOC Entry | Task Attack Mode/Method [sn_ti_m2m_task_attack_mode]; Task Indicator [sn_ti_m2m_task_indicator]; Task Observable [sn_ti_m2m_task_observable] | Adds an observable to a case. |
| Aggregate to sighting result | Sighting Search Detail [sn_ti_sighting_search_detail] | Retrieves and displays sightings search detail information. |
| Associate tasks to indicator | Observable Indicator [sn_ti_m2m_observable_indicator] | Finds tasks associated with an observable and associates them with an IoC. |
| Check for duplicates | Observable [sn_ti_observable] | Prevents duplicate entries in the observable table. |
| Find observable type | Observable [sn_ti_observable] | Determines the type of an observable when it is added. |
| Handle file malware detection | Lookup [sn_ti_scan] | Deletes a lookup attachment after a lookup reports "failed." |
| Hash selected file | Lookup [sn_ti_scan] | Retrieves the hash value of a file to look up. |
| Indicator Detection | Task Observable [sn_ti_m2m_task_observable] | Determines whether the observables on a task indicate an indicator. |
| IoC Lookup | Attachment [sys_attachment]; Security Scan Request [sn_si_scan_request]; Lookup [sn_ti_scan] | Creates lookups from security lookup requests. Triggers the Threat Intelligence - Run Lookup workflow when a lookup object is inserted or updated and meets the condition specified in the IoC Lookup business rule. |
| Link observables | Security Incident [sn_si_incident] | Adds observables to the security incident based on the data in the fields of the IoC section. |
| Mark Excluded when Removed | Security Case IoC [sn_ti_case_ioc] | When an artifact is marked as excluded, it is removed from the list. |
| Notify Lookup Completed | Lookup [sn_ti_scan] | Sends an email notification to a lookup requester when the lookup has completed. The notification includes the names of the lookup sources, lookup numbers, number of threats found, and lookup engines that detected threats. If multiple lookups are performed as a group, the notification is not sent until all lookups are completed. |
| Parse JSON from notes | Indicator [sn_ti_indicator] | Detects and parses valid JSON key/value pairs in the Indicator of Compromise Notes field and displays them in the Indicators of Compromise Metadata related list. |
| Prevent delete if lookup type default | Supported Lookup Type [sn_ti_supported_scan_type]; Lookup Source [sn_ti_scanner] | Prevents deletion of a lookup type when it is selected as the default. |
| Prevent Removing Indicator Types | Associated Indicator Types [sn_ti_m2m_indicator_indicator_type] | Prevents the deletion of indicator types when deleting them would cause data integrity issues. |
| Reactive IoC when observable found | Observable [sn_ti_observable] | Reactivates an observable when it is inactive and recently found. |
| Remove Exclusion when Added | Security Case IoC [sn_ti_case_ioc] | When an artifact is marked as Included, it is removed from the Exclusion list. |
| Reset lookup status when obs changes | Task Observable [sn_ti_m2m_task_observable] | When an observable or its context changes, cancels any requested lookup. |
| Restrict observable to supported type | Observable Indicator [sn_ti_m2m_observable_indicator] | Limits the observables available to an indicator based on their types. |
| Roll up threat to SI | Lookup [sn_ti_scan] | When a threat is found during a lookup, launches a workflow that rolls up the lookup summary report to the originating security incident as a work note. |
| Set confidence | Indicator Source [sn_ti_m2m_indicator_source] | Sets the confidence of an indicator as determined by the source. |
| Set lookup field to attachment | Lookup [sn_ti_scan] | Sets the lookup attachment reference field to the attachment on the lookup form. |
| Set Mirror Values | Security Case IoC [sn_ti_case_ioc] | When an IoC changes, mirrors the change in the associated case. |
| Set order to next available | Supported lookup type [sn_ti_supported_scan_type] | Sets the order of a supported lookup type to the largest available. |
| Trigger Workflows | Lookup [sn_ti_scan] | Triggers Threat Intelligence workflows when conditions are met. |
| Trim observable value | Lookup [sn_ti_scan] | Trims white space from the value of an observable. |
| Update first seen | Indicator Source [sn_si_m2m_indicator_source]; Attack mode/method [sn_ti_attack_mode] | Updates the first seen field. |
| Update indicator first seen | Indicator Source [sn_vul_m2m_indicator_source] | Sets the first seen field on an indicator. |
| Update last seen | Indicator Source [sn_vul_m2m_indicator_source] | Sets the last seen field on an indicator. |
| Update lookup name | Lookup [sn_ti_scan] | Sets the name of a lookup based on the value of the object being scanned. |
| Update observable sighting count | [sn_st_m2m_task_observable] | Increments or decrements the Incident count (sn_ti_observable.sighting_count) value on a security incident. |
| Update parent | Lookup [sn_ti_scan] | Updates a lookup parent with the results of a lookup. |
| Update sighting search detail | Sighting [sn_ti_sighting] | After a sightings search is updated, updates the associated detail. |
| Update the queue | Lookup [sn_ti_scan] | Updates a lookup queue entry for a lookup record when the lookup state changes. |
| Validate Threshold | Source Rate Limit [sn_ti_scanner_rate_limit] | Verifies that the rate limit is at least zero. |