Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.

Perform threat enrichment on observables

Log in to subscribe to topics and get notified when content changes.

Perform threat enrichment on observables

You can perform threat intelligence enrichment on one or more observables to determine whether they are associated with known security threats. The implementations that run depend on the ones you have activated.

Before you begin

Before you can perform enrichment, you must activate the Threat Intelligence plugin. You must also install the plugin for one or more of the enrichment implementations:

Role required: sn_ti.admin

Procedure

  1. Navigate to Threat Intelligence > IoC Repository > Observables.
  2. Do one of the following steps:
    • To perform a lookup on more than one observable, select the observables, click Actions on selected rows, and select Run threat lookup.
    • To perform a lookup on a single observable, open the observable record, and click the Run threat lookup related link.
    Run Threat Lookup slushbucket
  3. Select the threat lookup implementations you want to use, or select All to perform lookups using all of the active implementations, then click Submit.
    A message indicates that the threat lookups have begun. The Security Operations Integration - Threat Lookup workflow runs and also executes the implementation workflows for the threat lookup implementations you selected. The lookups are performed and the results are generated.
  4. When the lookups are completed, you can click the Threat Lookup Results tab to view the results.
    Threat Lookup Results
    Note:
  5. To see additional details, including raw results for a specific lookup, click the Result value.
    Note: When the VirusTotal or OPSWAT Metadefender implementations are used, the details are consolidated, as shown below.
    Threat Lookup Results details
Feedback