Submit an IoC Lookup request with Threat Intelligence

If you suspect that websites, files, links, or IP addresses you have received contain malware or other threats, you can create a lookup request. Lookups can also be initiated from security incidents, from the Security Incident Catalog, or in the form of forwarded emails.

Before you begin

Role required: sn_ti.write

About this task

If the Security Incident Response plugin is activated, you can submit threat lookup requests using the following procedure, or you can perform the lookup from within the Security Incident Response module.

Procedure

  1. Navigate to Threat Intelligence > IoC Lookup > Lookups.
    The Lookups list shows all lookups, including those that have not yet run and those that are complete. Each lookup has an automatically generated lookup name that identifies the file, hash value, URL, or IP address selected.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Note: Not all fields are supported by all integrated lookup sources.
    Table 1. IoC Lookup
    Number: The auto-generated record number for this request.
    Lookup Source: Select the third-party lookup source used for this lookup.
    Type: Select the type of lookup to perform. Only lookup types defined for the selected lookup source are available.
      Note: If you do not want to upload potentially sensitive files to examine them for malware, you can select the Hash type, if it is supported by the selected lookup source. Also, if you submit the File lookup type from the Security Incident Catalog and the "For File lookup requests from lookup requests, lookup only their hash values" property is set to True, the hash of the file is submitted for lookup instead of the file itself.
    Attachment queued for lookup: Select the attachment to look up. This field appears only if File or Hash is selected in the Type field.
    Value: The hash, IP address, or URL to look up. This field appears if you selected Hash, IP, or URL in the Type field.
      Note: If you selected Hash or File in the Type field and selected an attachment for lookup, the Value field is read-only. When the record is saved, the Value field is updated with the SHA-256 hash of the selected file.
    State: The current state of the request.
    Time requested: The date and time the request was created.
    Requested by: The name of the requester.
    Status message: A status message generated by the third-party lookup source.
    Reference: The URL of the third-party lookup source.
    Raw response: The raw results of the lookup from the selected lookup source. To view this field, you must personalize the form and add the Raw response field.
  4. If you want to look up files, click the paperclip icon in the form header, then locate and attach the files you want to look up.
    Note: Files have a 5-MB size limit. If you attach a larger file, the lookup does not run and the State field in the lookup record shows Error.
  5. Click Submit.
    After you have submitted the request, you can view the lookup queue to determine the status of the lookup request. A completed lookup looks similar to the following screen.
    [Figure: Sample lookup result]
    Note: If a lookup on an IP address or a hash reports malware or some other failure, the IP address or hash value is added automatically to the Observable [sn_ti_observable] table, so it can be searched for from the Observables form.