How is the threat lookup getting created? I have integrated with VirusTotal.

haridevan1
Tera Contributor

When and what makes a threat lookup trigger? In which cases does the threat lookup get triggered? Is there something out-of-the-box which can make the threat lookup trigger automatically?

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there,

The Threat Lookup / Enrichment also occurs when an Observable is created and associated to an SIR. 

- So on day 1, if an SIR Record is created with 5 Observables, where these 5 Observables do not already exist -> an enrichment / Threat Lookup is performed against those Observables, using the integrations you have configured, such as VirusTotal...

- On day 8, if 1 out of the same 5 Observables is associated to a different SIR record, another "Threat Lookup" is performed against the single Observable.

The Threat Lookups occur automatically when a new Observable is created and associated to an SIR, as well as when an existing Observable is associated to an SIR.

If you manually create an Observable that is not associated to an SIR - the Threat Lookup does not occur automatically.  You can go to the Observable record and manually request a Threat Lookup.  Although you could probably customize this functionality, I don't believe you gain much value here. 

You want your Analysts to look at Observables as they are associated to an SIR record.  You want to focus on the Observables that are actually relevant to your environment (i.e. associated to an SIR record), and you want the most up to date information as events are occurring.

You can test this out by creating a new SIR record or navigating to an existing record:
 - Scroll down on the page
 - Look for 'Related Links', select 'Show IoC'
 - Take note of the Observables
 - Select 'Add Multiple Observables'
 - Wait a few seconds, refresh the page
 - Scroll down on the Page, and take note of the Threat Lookup Results, automatically triggered for the newly created Observable

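To make the trigger rules in the accepted answer concrete (day 1: five new Observables on one SIR; day 8: one of them re-associated to another SIR; a standalone Observable: nothing), here is a small JavaScript model of that behaviour. It is an added example, not ServiceNow code and not the VirusTotal or ThreatCrowd integration: the integration names, the observable types each one handles, the in-memory store and all sample values are constructed assumptions used only to show when a lookup is and is not triggered.

```javascript
// Added example: a model of association-triggered Threat Lookups as described
// in the answer above. NOT ServiceNow code; no tables, workflows or 3rd-party
// APIs are modelled. Integration names and supported types are assumptions.

// Assumed enrichment integrations and the observable types each one handles.
const INTEGRATIONS = {
  VirusTotal: new Set(["ipv4", "url", "hash"]),
  ThreatCrowd: new Set(["ipv4", "domain"]),
};

class ThreatLookupModel {
  constructor(integrations = INTEGRATIONS) {
    this.integrations = integrations;
    this.observables = new Map(); // value -> { type, sirs: Set<string> }
    this.lookups = [];            // audit trail of every lookup triggered
  }

  // Creating an Observable on its own does NOT trigger enrichment.
  createObservable(value, type) {
    if (!this.observables.has(value)) {
      this.observables.set(value, { type, sirs: new Set() });
    }
    return this.observables.get(value);
  }

  // Associating an Observable (new or already existing) to an SIR triggers a
  // lookup against every configured integration that supports its type.
  associate(value, type, sir) {
    const obs = this.createObservable(value, type);
    obs.sirs.add(sir);
    return this.runThreatLookup(value, `associated to ${sir}`);
  }

  // Manual "Run Threat Lookup" from an Observable or SIR record.
  // Returns the list of integrations the lookup was sent to.
  runThreatLookup(value, reason = "manual request") {
    const obs = this.observables.get(value);
    if (!obs) throw new Error(`unknown observable ${value}`);
    const targets = Object.entries(this.integrations)
      .filter(([, types]) => types.has(obs.type))
      .map(([name]) => name);
    for (const integration of targets) {
      this.lookups.push({ value, type: obs.type, integration, reason });
    }
    return targets;
  }

  // Number of lookups ever triggered for one observable value.
  lookupCount(value) {
    return this.lookups.filter((l) => l.value === value).length;
  }
}

// Walk through the day-1 / day-8 scenario with constructed sample values
// (documentation IP ranges, a .test domain, an all-zero placeholder hash).
function scenario() {
  const m = new ThreatLookupModel();
  const day1 = [
    ["203.0.113.10", "ipv4"],
    ["198.51.100.7", "ipv4"],
    ["example.test", "domain"],
    ["http://example.test/login", "url"],
    ["0".repeat(32), "hash"], // placeholder, not a real IoC
  ];
  // Day 1: an SIR created with 5 new Observables -> a lookup for each one.
  day1.forEach(([v, t]) => m.associate(v, t, "SIR0001001"));
  const afterDay1 = m.lookups.length;
  // Day 8: one existing Observable associated to a different SIR -> one more.
  m.associate("203.0.113.10", "ipv4", "SIR0001042");
  // A standalone Observable: created but never associated -> nothing runs.
  m.createObservable("192.0.2.99", "ipv4");
  return {
    model: m,
    afterDay1,
    standaloneLookups: m.lookupCount("192.0.2.99"),
  };
}
```

Running `scenario()` gives 7 lookups after day 1 (the two IPv4 values hit both integrations, the other three hit one each), 9 after the day-8 re-association, and none for the standalone Observable until `runThreatLookup` is called on it by hand, which mirrors the manual request the answer describes.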


andy_ojha
ServiceNow Employee

Hey there,

The Threat Lookup activity can occur automatically and manually.

When you associate a new Observable to a Security Incident Response (SIR) record - such as when a Security Incident is created using the 'User Reported Phishing' capability -> the Observables will go through the respective Threat Lookup workflows based on Observable Type and enrichment integrations you have configured.  With VirusTotal, a specific Workflow will get triggered to perform a Threat Lookup against supported Observables, targeted to VirusTotal.

From the SIR record, you can also navigate to the bottom of the record and select one or more Observables, and manually trigger a Threat Lookup against them using "Run Threat Lookup" from the actions dropdown.  Based on the integrations you have configured (e.g. VirusTotal, ThreatCrowd, Hybrid Analysis, etc.) -> and the Observable Type (e.g. IPV4, URL)... a Threat Lookup workflow will be triggered to enrich these Observables and show you a status from the 3rd party.

There are three workflows that you can review that support this:

 - Security Operations Integration - Threat Lookup

 - Security Incident Response - Create IoC Lookup Request for IoC Changes 

 - Threat Lookup - Virus Total

haridevan1
Tera Contributor

I am interested in getting the threat lookup automated as the observables get created. Please help.


Have you got any solution to automatically trigger the threat lookup workflow when an observable is created?