An IoC lookup automatically runs whenever observables are added to a security incident. Also, if your security incident has attachments, they can be easily found with the press of a button.

1. Create a new security incident or open an existing one if you intend to attach new files to it.
2. Click the paperclip icon in the form header and attach one or more files.
3. When you have completed your entries on the form, right-click the form header and click Save.
   After the record has been saved, a Lookup attachments button appears.
4. Click Lookup attachments.
   Note: The work notes under Incident Details report the progress of the lookup process.
5. You can click the lookup number at the end of the message to view the lookup record. You can click the Lookup reference link to view detailed results.

   

If the Security Incident Response plugin is activated, you can submit threat lookups for files, hash values, URLs, and IP addresses from the Security Incident Catalog. The requests are submitted and you can view the results in the My Requests module.

1. Navigate to Self-Service > Security Incident Catalog.
2. Click IoC Lookup.
3. Click Lookup files, hash values, URLs or IP addresses.
4. Enter one or more of the following:

   Table 1. IoC Lookup request

   Item to lookup	Description
   Files	Click the paperclip icon, then locate and attach the files you want to lookup. Note: By default, the Lookup Type for File is inactive. Files are converted and submitted as a hash value.
   URLs	In the URLs field, enter the URLs you want to lookup, separated by commas. For example: www.abc.com,www.xyz.net.
   IP addresses	In the IP addresses field, enter the IP addresses you want to lookup, separated by commas.
   Hash values	In the Hash values field, enter the hash values you want to lookup, separated by commas. Note: When the Lookup Type for File is inactive, this value is the default action for both File and Hash values.

5. When you have made your selections, click Submit.
6. To view the status and/or results of the lookups, navigate to Self-Service > My Requests.
7. Click the SR number for the request.
   The work notes under Activity list the tasks performed during the lookup, including the creation of individual lookups for each file, hash value, URL, or IP address, and the lookup results.

If your security incident has one or more configuration items (servers, computers, and so on), they can be scanned for vulnerabilities from the Security Incident Response form.

1. Create a security incident and include at least one resource. You can also open an existing incident that has configuration items.
2. When you have completed your entries on the form, right-click the form header and click Save.
   After the record has been saved, a Scan for Vulnerabilities related link appears.

   Note: If the Scan for Vulnerabilities related list is not shown, you must navigate to Vulnerability > Scanners, set up at least one scanner, and set its default to true.
3. Click Scan for Vulnerabilities.
   Note:

   A message appears at the top of the security incident form, along with a link to the scan record.

   

4. You can click the scan request number to view the scan record.
   The incident details show the results of the scan in the Security Scan Request record.

You can submit vulnerability scans for CIs and IP addresses from the Security Incident Response catalog. The requests are submitted and you can view the results in the My Requests module.

1. Navigate to Self-Service > Security Incident Catalog.
2. Click Vulnerability scan.
3. Click Scan Configuration Item and IP addresses.
4. Enter one or more of the following to be scanned.

   Table 2. Vulnerability Scanners

   Item to be scanned	Description
   Configuration item	In the Configuration Item to scan field, select the CI to be scanned.
   IP addresses	In the IP addresses to scan field, enter the IP addresses, separated by commas.

5. When you have made your selections, click Submit.
   If an observable is found, an indicator is created, according to STIXX standards.
6. To view the status and/or results of the scans, navigate to Self-Service > My Requests.
7. Click the SR number for the request.
   The work notes under Activities list the tasks performed during the scan, including the creation of individual scans for each CI or IP address, and the results of the scans.