Analyze and assess threat IoCs

  • Release version: Xanadu
  • Updated August 1, 2024
  • 1 minute to read
  • Learn how the automated flow analyzes IoCs that indicate a threat, creates a security incident, and notifies the security incident team.

    Before you begin

    Role required:
    • System Administrator (view, create or edit)
    • sn_sec_tisc.admin (view)

    About this task

    Whenever a sighting search enrichment is requested, the flow checks the following conditions. If all of them hold, it creates a security incident, attaches the observable, and sends an email notification:
    • the observable is sighted (sighting count > 0) and
    • Observable Reputation is Malicious and
    • Observable Threat Score is > 80 and
    • Observable Confidence is > 80

    Procedure

    1. Navigate to All > Threat Intelligence Security Center > Administration.
    2. Select Automated Flows.
    3. Select the "Analyze, assess the IoCs related to the threat and create incident" action link to view the rule details in Flow Designer.
    4. View the Flow Designer action for the following trigger:
      Sighting Created where Sighting count is greater than 0, Observable.Reputation is Malicious, Observable.Threat Score is greater than 80, and Observable.Confidence is greater than 80.
    5. When this trigger fires (all four conditions hold), the flow:
      1. Creates a security incident and adds the observable to the incident.
      2. Runs Add Observables to Security Incident V1.
      3. Sends an email communication.
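The following is an added illustration of the trigger logic above, written in plain JavaScript; it is not ServiceNow Flow Designer code and does not use the Glide API. The sighting field names (sightingCount, observable.reputation, observable.threatScore, observable.confidence), the recipient address, and the sample sightings are all assumptions constructed for the example. It shows the two boundary cases a practitioner should confirm in the real flow: a score of exactly 80 does not fire (the comparison is strictly greater than), and a missing or non-numeric field never fires.

```javascript
// Added illustration: plain JavaScript model of the "Sighting Created" trigger
// and the three actions that follow. Not ServiceNow's own flow code.

const THREAT_SCORE_THRESHOLD = 80;   // Observable.Threat Score must be strictly greater
const CONFIDENCE_THRESHOLD = 80;     // Observable.Confidence must be strictly greater

// Returns true when a sighting meets all four trigger conditions.
// Field names on the sighting object are assumptions for this example.
function sightingTriggersIncident(sighting) {
  const count = Number(sighting.sightingCount);
  const obs = sighting.observable || {};
  const reputation = String(obs.reputation || '').trim().toLowerCase();
  const threatScore = Number(obs.threatScore);
  const confidence = Number(obs.confidence);

  // A missing or non-numeric value never satisfies a "greater than" test.
  if (!Number.isFinite(count) || !Number.isFinite(threatScore) || !Number.isFinite(confidence)) {
    return false;
  }
  return count > 0 &&
    reputation === 'malicious' &&
    threatScore > THREAT_SCORE_THRESHOLD &&
    confidence > CONFIDENCE_THRESHOLD;
}

// Simulates the flow's actions: create an incident, add the observable to it,
// and prepare the email notification. Returns the resulting records so the
// caller can inspect them; nothing is actually created or sent.
function runSightingFlow(sightings) {
  const incidents = [];
  const emails = [];
  for (const s of sightings) {
    if (!sightingTriggersIncident(s)) continue;
    const incident = {
      shortDescription: `Malicious observable sighted: ${s.observable.value}`,
      observables: [s.observable.value],   // "Add Observables to Security Incident"
    };
    incidents.push(incident);
    emails.push({
      to: 'security-incident-team@example.com',  // assumed recipient
      subject: `[TISC] ${incident.shortDescription}`,
    });
  }
  return { incidents, emails };
}

// Constructed sample sightings (not real data); comments state the expected outcome.
const SAMPLE_SIGHTINGS = [
  { sightingCount: 3, observable: { value: '198.51.100.7', reputation: 'Malicious', threatScore: 95, confidence: 90 } },   // fires
  { sightingCount: 0, observable: { value: 'bad.example', reputation: 'Malicious', threatScore: 95, confidence: 90 } },    // not sighted
  { sightingCount: 2, observable: { value: '203.0.113.9', reputation: 'Suspicious', threatScore: 95, confidence: 90 } },   // wrong reputation
  { sightingCount: 2, observable: { value: 'c2.example', reputation: 'Malicious', threatScore: 80, confidence: 90 } },     // score not > 80
  { sightingCount: 1, observable: { value: 'evil.example', reputation: 'malicious', threatScore: 81, confidence: '85' } }, // fires (numeric string)
];

const result = runSightingFlow(SAMPLE_SIGHTINGS);
console.log(JSON.stringify(result, null, 2));
```

Running the block prints two incidents and two emails, one each for 198.51.100.7 and evil.example; the other three constructed sightings fail exactly one condition apiece.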