How to turn off or stop automatic threat lookup for observables in SIR?

sai yaswanth ku · ‎11-02-2022

I would like to turn off or stop automatic threat lookup for observables in SIR?

Is there any possibility to limit automatic threat lookup for particular set of SIR categories?

andy_ojha · ‎11-04-2022

Hey there,

One tool that may help - you can apply Security Tags to certain Observables, either manually by hand or automated via Security Tag Rules - to omit them from enrichment (i.e. Threat Lookups).

Some use-cases would be avoiding Threat Lookups for your internal corporate URLs as certain URL observables may consume unnecessary API calls to your Threat Providers.

The Security Tag you can use is called "Enrichment: Allowlist" .... The Name is a bit misleading - but that is what is used to determine if enrichment can be skipped (Threat Lookups).

This is especially helpful if you employ the User Reported Phishing capability that automatically parses and attaches Observables from email messages to an SIR, and in turn triggers Threat Lookups automatically.

View solution in original post

andy_ojha · ‎11-04-2022

Hey there,

One tool that may help - you can apply Security Tags to certain Observables, either manually by hand or automated via Security Tag Rules - to omit them from enrichment (i.e. Threat Lookups).

Some use-cases would be avoiding Threat Lookups for your internal corporate URLs as certain URL observables may consume unnecessary API calls to your Threat Providers.

The Security Tag you can use is called "Enrichment: Allowlist" .... The Name is a bit misleading - but that is what is used to determine if enrichment can be skipped (Threat Lookups).

This is especially helpful if you employ the User Reported Phishing capability that automatically parses and attaches Observables from email messages to an SIR, and in turn triggers Threat Lookups automatically.

sai yaswanth ku · ‎11-07-2022

@andy_ojha firstly thanks for the response! I have learnt new thing about security tags.

The actual thing is "Previous implementation partner had disabled the automatic threat lookup so, we thought of enabling automatic threat lookups for certain category."
In process reverse engineering i questioned about like how to stop or turnoff automatic threat lookups. could you please guide how to "turn on" automatic threat lookups?
could you please address this!

Fatih Karacaer · ‎11-17-2022

There is a scheduled job named "Process Capability Implementations" which runs every 15 seconds. This take care of capability executions. Threat Lookups are also capabilities. Probably the previous partner disabled this scheduled job.

If you activate it you will solve the problem.

I highly recommend using the newer capability framework 2. It is much more flexible and you can customize the threat lookups according to your requirements.

https://docs.servicenow.com/pt-BR/bundle/sandiego-security-management/page/product/security-incident...