Supported observables for RISKIQ and RISKIQ WHOISIQ
The RISKIQ API supports automatic SSL certificate lookups on IP address, file hash, Certificate Serial Number, domain, and URL observables. URL and domain observables are enriched automatically with the WHOISIQ API. For observable enrichment on other types of observables with the WHOISIQ API, create observables and run lookups manually from the Observables table.
Supported observables
The following table lists the type of APIs used in this integration, and the observables each API supports. The table also indicates whether a lookup occurs automatically when security incidents are created, or if the lookup is run manually from the Observables table.
| API | Supported observables | Lookup (automated or manual) |
|---|---|---|
| RISKIQ SSL certificate API |
|
Automated lookup when incidents are created. Results are displayed on the SSL Certificates tab of the security incident record. |
| RISKIQ WHOISIQ API |
|
Automated lookup when incidents are created. Results are displayed on the Observable Enrichment Results tab on the security incident record. |
| RISKIQ WHOISIQ API |
|
Manual lookup is run from the Observables table. Results are displayed on the Observable Enrichment Results tab on the Observable record. |
Example of a file hash and certificate serial number
This figure shows an example of the file hash and certificate serial number observables used for the SSL certificate lookups for this integration. The file hash refers to a SHA-1fingerprint. This value is displayed in your ServiceNow AI Platform instance without the colon separators. For example, 646D4B7A0C59A66656E94DDADD6C798027EFC10F.
The certificate serial number observable refers to the unique ID or serial number for the entity. This value is also displayed without the colon separators. For example, 00EA0F74B56D44BBBE0000000050DE1DFD.