TISC Library Objects form view

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TISC Library Objects form view

    The Threat Intelligence Security Center (TISC) Library Objects form view provides a comprehensive interface for managing and analyzing Security Descriptor Objects (SDOs). It centralizes various features and tabs that allow ServiceNow customers to view, edit, enrich, and relate threat intelligence data efficiently within the platform.

    Show full answer Show less

    Key Features

    • Details tab: View or edit the SDOs directly in form view.
    • Source Records tab: Displays aggregated source records from feeds or manual entries that contribute to the record.
    • Related Records tab: Lists all records related to the current SDO, facilitating context and linkage.
    • Relationship Graph tab: Visualizes the connections and relationships among related threat intelligence objects.
    • Internal Intelligence tab: Shows internal intelligence records associated with the object for deeper insights.
    • Enrichment Results tab: Lists integrations and enrichment data linked to the object to enhance analysis.
    • Form banner: A read-only summary block showing key fields such as Type, Confidence, Threat Score, Number of Sightings, Status, and Expiration Time.
    • Form banner UI actions: Security controls specifically for Observables, enabling quick actions like adding to allow, deny, or watch lists.
    • Form UI actions: Includes useful actions such as adding objects to cases, running enrichment, saving, and deleting records.
    • Right Contextual menu: Offers quick access to attachments, notes, and additional insights related to the objects. Attachments pane is shown by default but can be disabled via preferences.
    • Search in Navigator: Allows searching for various threat intelligence objects within the TI library.
    • Search in Threat Intel Library: Enables targeted searches across source records with flexible criteria, including wildcards and keyword modification. Results open in a separate tab for easy review and navigation.

    Practical Benefits for ServiceNow Customers

    • Efficiently manage and enrich threat intelligence data with a centralized interface.
    • Quickly access relationships and context through visual graphs and related records.
    • Streamline investigation workflows by adding objects to cases and running enrichment directly from the form.
    • Control observables with actionable UI controls to maintain allow, deny, and watch lists.
    • Use powerful search tools to locate and filter intelligence records quickly without leaving the workspace.
    • Maintain comprehensive documentation and attachments linked to threat objects for audit and analysis.

    The Threat Intelligence Security Center objects home page consists of the following features.

    Use or navigate to these following sections and learn more about each SDOs in detail.

    TISC Objects home page view
    Table 1. TISC library objects form view
    Order Menu/Tab Description
    1 Details tab Use this section to view or edit the SDOs in the form view.
    2 Source Records tab Source records contribute to an aggregated record as displayed in the form view. These source records are auto created from feeds or manually created by the user.
    3 Related Records tab Lists all the related records associated with the SDO.
    4 Relationship Graph tab Visual representation of the related objects.
    5 Internal Intelligence tab Lists the internal intelligence records of the associated objects.
    6 Enrichment Results tab Lists the enrichment integrations associated with the objects.
    7 Form banner This is read-only section, which contains the key fields such as Type, Confidence, Threat score, Number of Sightings, Status and Expiration time.
    8 Form banner UI actions These are the security control lists that are available for you to click if they are needed to be added to the allow list, removed from the allow list (Deny list), or add it to the watch list based on the observables. Click to:
    • add to watch list
    • add to deny list
    • add to allow list
    Note:
    The Form actions are applicable only to Observables.
    9 Form UI actions The available form UI actions are:
    1. Add to Case: Add the objects to the case.
    2. Run Observable Enrichment: Run the enrichments to the selected objects.
    3. Save: Save the record.
    4. Delete: Delete the record.
    10 Right Contextual menu Provides easy access to the quick controls such as attachments, notes, and so on, based on the tasks associated with that object. This option is available across the remaining two tabs for the threat analyst to access whenever required.
    The contextual menu provides easy navigation to:
    1. Attachments: Attach any file that are related to the objects.
      Note:
      Whenever you either create a new observable, indicators, or any objects or view the existing objects, the Attachments pane is by default displayed on the respective form view. You can either click the Attachments icon on the right-contextual menu or go to Preferences > Workspaces and disable the Show the sidebar. For more information, see Configure Next Experience Workspace preferences.
    2. Insights: Add any additional information related to the observables or indicators which are associated with that object.
    NA Search in Navigator Use this search function to search for various objects within the Threat Intel (TI) library. For example, you can search for all observables records within the TI library module.
    NA Search in Threat Intel Library Use this search function to search for the source records across multiple sources based on your search criteria. The results will be displayed in a separate Search Results tab. For example, for an IP address 104.227.137.35, if you need to search the records, by entering 104.* then searching will narrowed down the records and displays the records that contains the IP address starting with 104 in the separate Search Results tab.
    • You can also modify the existing search keywords in the Search Criteria on the same Search Results page without going back to the Threat Library page.
    • Similarly, you can also search based on the name and description of any particular record.
    • Once the records are filtered and listed, you can click on the list view which will take you to the respective record in a new tab.