Observables are generated automatically by a security incident and scanned by the
application. Enrichment results are displayed on the Observable Enrichment
Results and Network Banners tabs.
Before you begin
Role required: sn_si.analyst.
Procedure
- Open the security incident you're working with and verify that the lookup has run successfully.
  Once the application is configured, the workflow launches automatically on incident creation. The execution and completion status of the lookup is displayed in the work notes in the security incident.
- Review the work notes for more information and how to proceed if you can't verify that the lookup ran successfully.
- Navigate to the bottom of the security incident and select the Show All Related Lists link in Related Links.
  Results are displayed in the Observable Enrichment Results and Network Banners tabs at the bottom of the security incident.
- With the Network Banners tab selected, select the blue information icon next to an observable.
- In the dialog box that is displayed, select Open Record to view raw data and more details.
If you don't see results under the Observable Enrichment Results and Network Banners tabs, verify that the observable is a type that is supported for lookup by the integration.