Verify expected results for PhishTank
Observables are generated automatically by a security incident and scanned by the application. Lookup results are displayed on the Threat Lookup Results tab at the bottom of the security incident record.
Before you begin
Procedure
-
Open the security incident form you are working with and verify that the lookup
has run successfully.
After the application is configured, the flow launches automatically upon incident creation. The execution and completion status of the lookup is then displayed in the work notes in the security incident record.
-
Navigate to the bottom of the security incident and click the Show
All Related Lists related link.
Note:The figures in the following steps are shown with the Tabbed forms setting active in the System Settings. If tabbed forms are not displayed, in the upper-right corner of the banner frame, click the Settings gear icon. In the System Settings dialog box that is displayed, click Forms and verify that Tabbed forms and With the Form are selected.The Threat Lookup Results tab at the bottom of the security incident record displays the lookup results.
The Finding column displays Unknown for records not determined to be malicious. For results matching malicious, Malicious is displayed in the Finding column.
-
In the Observable column, click an observable to open a
record and display more information.
On the observable record, for lookups matching malicious, Malicious is displayed the Finding field. The observable is tagged with the Threat Intelligence source that found it to be malicious, in this case, the PhishTank application.
-
To view raw data, navigate back to the security incident and click the blue
information icon next to an observable.
-
In the window that is displayed, click Open Record.
The link created by the API and the Finding field displayed with the results.