Submit block list entries directly from the Block List Entry Table
- Updated Jan 30, 2025
- Yokohama
- Security Incident Response integrations
For observables determined to be malicious, and not associated with a specific Now Platform security incident, you submit Block List entries from the block list.
Before you begin
Role required: Security Incident Administrator (sn_si.analyst)
About this task
When you want to block an observable that you have determined is malicious or allow an observable you have determined is not malicious, and the observable is not associated with a specific ServiceNow AI Platform security incident record, you submit Block List entries directly from the block list. Examples of these types of Block List entries might be URLs or domains for specific sites.
Procedure
- Navigate to All > Check Point NGTP Integration > Block Request Entries.
- Click the Block Request Lists module.
- In the Check Point Block Request List Entries list, click New.
- In the Entry value field, enter a value for your observable.
The two possible outcomes of this entry:
- The remaining fields on the form are completed automatically.
- A matching observable is found, and a message is displayed that a matching observable exists. Select the Block List you want to attach this entry to and click Submit. Select the Block List you want to attach this entry to prior to setting the Expiration period.
- Click the search icon to select the Block List you want to attach the entry to.
- Click Submit.
- If you have email approval configured in your workflow, an approval email request is sent.
If a message is displayed that requests you to fill in the rest of the information manually, fill in the fields.
| Field | Description |
| --- | --- |
| Observable type | Observable type that is supported from the dialog. |
| Block List name | Block List you want to attach the entry to. Note: Select the Block List you want to attach the entry to prior to setting the Expiration period. |
| Enable override (default is selected) | Lookup result or source. When configured, permits you to enter a Lookup result and the source used to find the results. These fields are typically populated when a security incident record is created. In this case, there is no lookup result or source, and you fill in these fields manually. |
| Lookup Result | Select Unknown or Malicious. |
| Source | Source that performs a threat lookup on the Block List entry, for example, ThreatCrowd, etc. |
| Expiration period | The expiration period inherited from the Block List by default. You can override this value, but only during the creation of the entry. 0 indicates that the Block List entry never expires. If you change this value, this entry is active for the number of days you enter. You can enter a minimum value of 1, and there is no maximum value. For example, if you enter 30 days at 2:01 PM on May 1, the Block List entry will expire at 2:01 PM on May 31. However, the scheduler checks for expired entries at 00:00 every day and changes the state of the entry to 'expired' at 00:00 June 1. |
- Click Submit.
If you have changed the default expiration period of the Block List entry, a warning confirmation dialog box is displayed indicating that the period differs from the selected Block List.
| Option | Description |
| --- | --- |
| Yes | Confirms your expiration override, saves the record, and returns you to the Check Point Block List Entries. If you have email approval configured in your workflow, an approval email request is sent. |
| No | Cancels the override. At this point, you can change the value for the Expiration period. After changing the value, click Submit to return to the Check Point Block Entries list. |
- If not displayed, navigate to Check Point Block Request List Entries, and note that the status for the entry is Pending.
The entry is now ready for approval.
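The Expiration period behavior described in the field table can be modeled as follows. This is an added example, not ServiceNow code; the function names are hypothetical, and it assumes times are handled in UTC and that the 00:00 scheduler run picks up every entry whose expiry is at or before that instant.

```javascript
// Added example (not product code): models the gap between an entry's
// nominal expiry and the daily 00:00 scheduler run that marks it 'expired'.
// Assumptions: UTC times; whole-day periods; the 00:00 run catches entries
// whose expiry is at or before that instant.
const DAY_MS = 24 * 60 * 60 * 1000;

function expirationTimeline(createdAt, periodDays) {
  if (!Number.isInteger(periodDays) || periodDays < 0) {
    throw new RangeError('Expiration period must be 0 (never) or a whole number >= 1');
  }
  if (periodDays === 0) {
    // 0 means the Block List entry never expires.
    return { neverExpires: true, expiresAt: null, markedExpiredAt: null, lagMinutes: 0 };
  }
  const expiresAt = new Date(createdAt.getTime() + periodDays * DAY_MS);
  // 00:00 UTC on the day of the nominal expiry.
  const midnight = Date.UTC(
    expiresAt.getUTCFullYear(), expiresAt.getUTCMonth(), expiresAt.getUTCDate());
  // First scheduler run at or after the nominal expiry.
  const markedExpiredAt = new Date(
    midnight === expiresAt.getTime() ? midnight : midnight + DAY_MS);
  return {
    neverExpires: false,
    expiresAt,
    markedExpiredAt,
    lagMinutes: (markedExpiredAt.getTime() - expiresAt.getTime()) / 60000,
  };
}

// True while the entry is past its nominal expiry but the scheduler
// has not yet changed its state.
function inSchedulerGap(createdAt, periodDays, now) {
  const t = expirationTimeline(createdAt, periodDays);
  if (t.neverExpires) return false;
  return now >= t.expiresAt && now < t.markedExpiredAt;
}

// Constructed sample matching the documented case: 30 days entered at 2:01 PM on May 1.
const sample = expirationTimeline(new Date(Date.UTC(2025, 4, 1, 14, 1)), 30);
console.log(sample.expiresAt.toISOString());       // nominal expiry
console.log(sample.markedExpiredAt.toISOString()); // state changes to 'expired'
console.log(sample.lagMinutes);                    // minutes between the two
```

When auditing which entries are still being treated as unexpired, compare against `markedExpiredAt` rather than `expiresAt`, since the two can differ by almost a full day.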