You can perform threat intelligence lookups on one or more observables to determine
whether they are associated with known security threats. Which scanning implementations
run depends on which ones you have activated.
Before you begin
Before you can perform lookups, you must activate the Threat Intelligence plugin.
You must also install the plugin for at least one scanning implementation, such as VirusTotal or OPSWAT Metadefender.
Navigate to All > Threat Intelligence > IoC Repository > Observables.
Do one of the following:
To perform a lookup on more than one observable, select the observables, click Actions on selected rows, and select Run threat lookup.
To perform a lookup on a single observable, open the observable record and click the Run threat lookup related link.
Select the threat lookup implementations you want to use, or select All to perform lookups using every active implementation, then click Submit.
A message indicates that the threat lookups have begun. The Security Operations Integration - Threat Lookup Flow runs and executes the implementation workflow for each threat lookup implementation you selected; each workflow performs its lookup and records its results.
When the lookups are completed, click the Threat Lookup Results tab to view the results.
Recent Threat Lookup Result: the Recent Threat Lookup Result tab shows only the latest lookup result from each integration vendor, rather than the full history.
Note:
The Recent Threat Lookup Result tab is not part of the base system. To enable this tab:
Right-click the form header.
Navigate to Configure > Related Lists.
Locate Recent Threat Lookup Results in the Available list and move it to the Selected list.
Click Save.
You can now view the recent threat lookup result from each integration vendor in the Recent Threat Lookup Result tab.
To see additional details, including raw results for a specific lookup, click
the Result value.
Note:
When the VirusTotal or OPSWAT Metadefender implementations are used, the details from the lookup are consolidated into a single result view.
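The Recent Threat Lookup Result tab described above reduces the full history of lookup results to the newest result per integration vendor. The following script, added here as an example and not taken from the ServiceNow documentation or product, does the same reduction over records pulled with the ServiceNow Table REST API (`/api/now/table/{table}` with `sysparm_query`, `sysparm_fields`, `sysparm_limit` and `sysparm_display_value`, which are standard parameters). The table name `sn_ti_lookup_result` and the field names `observable`, `source` and `result` are assumptions, as are the vendor names and verdict strings in the constructed sample; check them against the dictionary on your own instance before use.

```python
"""Added example, not part of the ServiceNow documentation: read the threat
lookup results for one observable through the Table REST API and reduce them
to the newest result per integration vendor, which is what the Recent Threat
Lookup Result tab displays. The Table API path and sysparm_* parameters are
standard ServiceNow; the table and field names below are assumptions."""
import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime

# Assumed names: verify them in System Definition > Tables on your instance
# before relying on this script.
LOOKUP_TABLE = "sn_ti_lookup_result"
FIELD_OBSERVABLE = "observable"   # reference to the observable record
FIELD_VENDOR = "source"           # the implementation that produced the result
FIELD_RESULT = "result"           # the vendor's verdict, as a display value
FIELD_CREATED = "sys_created_on"  # standard ServiceNow audit field


def build_lookup_url(instance, observable_sys_id, limit=200):
    """Table API GET URL for one observable's lookup results, newest first.
    Ordering newest-first matters: if the observable has more results than
    sysparm_limit, only old rows are cut off, so the newest-per-vendor
    answer stays correct."""
    query = f"{FIELD_OBSERVABLE}={observable_sys_id}^ORDERBYDESC{FIELD_CREATED}"
    params = {
        "sysparm_query": query,
        "sysparm_fields": ",".join(["sys_id", FIELD_VENDOR, FIELD_RESULT, FIELD_CREATED]),
        "sysparm_limit": str(limit),
        "sysparm_display_value": "true",
    }
    return (f"https://{instance}.service-now.com/api/now/table/{LOOKUP_TABLE}"
            f"?{urllib.parse.urlencode(params)}")


def fetch_results(url, user, password, timeout=30):
    """GET with basic auth; returns the 'result' list from the Table API envelope.
    Not called by the offline sample below."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


def parse_created(value):
    """sys_created_on display values use 'YYYY-MM-DD HH:MM:SS' in the
    requesting user's time zone; all rows here share it, so comparison is safe."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def latest_per_vendor(records):
    """Keep only the newest record for each vendor, regardless of input order."""
    newest = {}
    for rec in records:
        vendor = rec[FIELD_VENDOR]
        if (vendor not in newest
                or parse_created(rec[FIELD_CREATED]) > parse_created(newest[vendor][FIELD_CREATED])):
            newest[vendor] = rec
    return newest


def summarize(records):
    """{vendor: newest verdict}, sorted by vendor, for a console or ticket summary."""
    return {v: r[FIELD_RESULT] for v, r in sorted(latest_per_vendor(records).items())}


# Constructed sample in the shape of a Table API response body; not real data.
SAMPLE_RESPONSE = {"result": [
    {"sys_id": "r4", FIELD_VENDOR: "VirusTotal", FIELD_RESULT: "Clean", FIELD_CREATED: "2024-03-02 10:15:00"},
    {"sys_id": "r3", FIELD_VENDOR: "OPSWAT Metadefender", FIELD_RESULT: "Malicious", FIELD_CREATED: "2024-03-02 10:14:58"},
    {"sys_id": "r2", FIELD_VENDOR: "VirusTotal", FIELD_RESULT: "Malicious", FIELD_CREATED: "2024-01-15 08:00:00"},
    {"sys_id": "r1", FIELD_VENDOR: "OPSWAT Metadefender", FIELD_RESULT: "Clean", FIELD_CREATED: "2024-01-15 07:59:10"},
]}

if __name__ == "__main__":
    print(build_lookup_url("myinstance", "0123456789abcdef0123456789abcdef"))
    for vendor, verdict in summarize(SAMPLE_RESPONSE["result"]).items():
        print(f"{vendor}: {verdict}")
```

Run it as-is to see the reduction on the constructed sample; to use it against an instance, pass the URL from `build_lookup_url` to `fetch_results` with an account that can read the lookup result table, and feed the returned list to `summarize`. Note that an older "Malicious" verdict disappears from the per-vendor summary once a newer "Clean" one arrives, which is exactly the behaviour of the Recent Threat Lookup Result tab and the reason the full Threat Lookup Results tab is still worth consulting during an investigation.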