For observables determined to be malicious, and not associated with a specific Now Platform security incident, you submit Block List entries from the block list.

Before you begin

Role required: Security Incident Administrator (sn_si.analyst)

About this task

When you want to block an observable that you have determined is malicious or allow an observable you have determined is not malicious, and the observable is not associated with a specific ServiceNow AI Platform security incident record, you submit Block List entries directly from the block list. Examples of these types of Block List entries might be URLs or domains for specific sites.

Procedure

  1. Navigate to All > Check Point NGTP Integration > Block Request Entries.
    [Figure: Block Request List Entries]
  2. Click the Block Request Lists module.
  3. In the Check Point Block Request List Entries list, click New.
  4. In the Entry value field, enter a value for your observable.
    The two possible outcomes of this entry:
    • The remaining fields on the form are completed automatically.
    • A matching observable is found, and a message is displayed that a matching observable exists. Select the Block List you want to attach this entry to and click Submit. Select the Block List you want to attach this entry to prior to setting the Expiration period.
    If a matching observable has not been found, a message is displayed that instructs you to complete the form. After you complete it, select the Block List you want to attach the observable to and click Submit. An observable record is created. The following figure shows an example of an existing domain observable and how the fields are completed automatically.
    [Figure: New record]
  5. Click the search icon to select the Block List you want to attach the entry to.
  6. Click Submit.
  7. If you have email approval configured in your workflow, an approval email request is sent.
    If a message is displayed that requests you to fill in the rest of the information manually, fill in the fields.
    [Figure: New record with no matching observables]
  8. Click Submit.
    If you have changed the default expiration period of the Block List entry, a warning confirmation dialog box is displayed indicating that the period differs from the selected Block List.
    [Figure: Expiration period message]

    | Option | Description |
    | --- | --- |
    | Yes | Confirms your expiration override, saves the record, and returns you to the Check Point Block List Entries. If you have email approval configured in your workflow, an approval email request is sent. |
    | No | Cancels the override. At this point, you can change the value for the Expiration period. |

    After changing the value, click Submit to return to the Check Point Block Entries list.

  9. If not displayed, navigate to Check Point Block Request List Entries, and note that the status for the entry is Pending.
    [Figure: List entry ready for approval]
    The entry is now ready for approval.