Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

Perform lookups on observables

Perform lookups on observables

You can perform threat intelligence lookups on one or more observables to determine whether they are associated with known security threats. The scanning implementations that run depend on the ones you have activated.

Before you begin

Before you can perform lookups, you must activate the Threat Intelligence plugin. You must also install the plugin for one or more of the scanning implementations:

Role required: sn_ti.write

Procedure

  1. Navigate to Threat Intelligence > IoC Repository > Observables.
  2. Do one of the following steps:
    • To perform a lookup on more than one observable, select the observables, click Actions on selected rows, and select Run threat lookup.
    • To perform a lookup on a single observable, open the observable record, and click the Run threat lookup related link.
    Run Threat Lookup slushbucket
  3. Select the threat lookup implementations you want to use, or select All to perform lookups using all of the active implementations, then click Submit.
    A message indicates that the threat lookups have begun. The Security Operations Integration - Threat Lookup workflow runs and also executes the implementation workflows for the threat lookup implementations you selected. The lookups are performed and the results are generated.
  4. When the lookups are completed, you can click the Threat Lookup Results tab to view the results.
    Threat Lookup Results
    Note:
  5. To see additional details, including raw results for a specific lookup, click the Result value.
    Note: When the VirusTotal or OPSWAT Metadefender implementations are used, the details are consolidated, as shown below.
    Threat Lookup Results details