Script includes installed with Threat Intelligence

Threat Intelligence adds the following script includes.

| Script include | Description |
| --- | --- |
| AddAnnotations | Used to add annotations to a specific case. |
| AddExclusions | Used to exclude or include the security case from the list. |
| case_addition_external | Called via a REST API, used to add related list artifacts (security incidents, observables, CIs, IoCs, or users) to a security case. |
| InactivateExpiredThreatInformation | Inactivates expired threat information. Uses Threat Intelligence properties for age calculation. |
| ObservableSightingsHandler | Main script that saves the results from running a sightings search. |
| ScanHttpMultipartBuilder | Takes a file and updates a RESTMessageV2 request body with the file contents. Also adds a request header to change the content type to multipart/form-data. |
| SimpleBlocklistProcessor | Plain text processor, chiefly used to parse and insert processor records. Because this script include does not use streaming APIs, the payload must be less than 5 MB for attachments. |
| STIXParser | A class for processing STIX XML data. |
| TAXIIClient | Facilitates communication with a TAXII server to retrieve collection information. |
| TAXIICollectionDataProcessor | Processor for data returned by TAXII Collection data retrieval. |
| TAXIISourceIntegration | Integration for running a REST call to retrieve data from a TAXII collection. The data returned by this integration is then passed to a data processor (typically TAXIICollectionDataProcessor). |
| TAXIIV1_1RequestBuilder | Builds TAXII requests in TAXII 1.1 format. |
| TAXIIV1_1ResponseParser | Parses the REST response body that conforms to the TAXII 1.1 specification. |
| ThreatAdditionalInfo | The API for acquiring additional information for a specific IP address or URL. This script include updates detailed information on the Observables screen using information retrieved using the following two Threat Intelligence properties: the domain name to retrieve additional information for IP addresses/URLs [sn_ti.ip_lookup.web_site], and the API key to be used for the above domain, if any [sn_ti.ip_lookup.api_key]. |
| ThreatCaseUtil | Called via a REST API, loads/refreshes the data on the case form, fetches the related list for security case, and holds the list of related lists, respective column information, and pagination logic. |
| ThreatAJAX | Contains AJAX functions to be used throughout the application. |
| ThreatScannerIntegrationBase | A base class for Threat integrations to extend. |
| ThreatUtils | Various functions for use throughout the Threat Intelligence plugin. |

The Security Support Common [com.snc.security_support.common] plugin, which is activated when you activate Threat Intelligence, adds the following script includes.

| Script include | Description |
| --- | --- |
| Scanner | The lookup source and scanner implementations for Threat Intelligence and Vulnerability Response. |
| ScannerIntegrationBase | Base class for lookup source and scanner integration implementations. |
| ScannerProcessorBase | Base class for lookup source and scanner processor implementations. |
| ScannerUtils | Common lookup source and scanner helper methods. |
| ScanQueueManager | The lookup and scan queues manager implementation for Threat Intelligence and Vulnerability Response. |