Select one or more implementations as applicable.

Before you begin

Role required: sn_si.analyst

The available implementations are listed. After you select one or more implementations, only the supported records are submitted against each selected implementation.

Procedure

  1. Navigate to Workspaces > Security Incident Response Workspace.
  2. Open any security incident.
  3. Go to the Investigation tab of the workspace.
    The Investigation tab with the entry point lists is displayed.
  4. Select the associated observable from the entry point lists.
    For example, select the Associated Observables related list. The corresponding observable records are displayed.
    Note: You can select an implementation to perform a lookup on the selected observables, or you can perform the lookup by selecting all implementations.
    Figure 1. Run Threat Lookup
  5. Select the check box of each observable on which you want to perform the threat lookup.
  6. Navigate to the related list actions drop-down that is displayed at the top of the related lists page.
  7. Select Run Threat Lookup to perform the threat intel related integration capability action.
    Note: The Run Threat Lookups capability performs threat intelligence lookups to determine whether one or more observables are associated with any known security threats.
    The Run Threat Lookup Implementations modal screen is displayed.
    Figure 2. Run Threat Lookup Implementations
  8. Select one or more implementations from the list.
  9. Click Submit.
    After the selected records are submitted, a message is displayed stating that the lookup is being executed. Once the implementation is processed in the backend, the results are displayed in the Threat Lookup Results related list section. The respective implementation activity is also displayed in the Activity section. Two activities are displayed: one when the implementation execution starts and a second when the execution completes.
    User Reported Phishing view: Associated Observables section.
    Note: The threat intel related lists, such as the Associated Observables related lists, are displayed in the Threat Lookup Results section, and the Sightings Search related lists are displayed in the Sightings Search Results section under Related Records.