The calculator comes with a sample script that you can customize to define how observable findings are identified according to your organization's specific needs. For third-party integrations that supply computed results, the calculator maps those results to supported findings within the ServiceNow base system.

Key Features

• Rollup of Multiple Threat Lookup Results: When multiple vendors provide results for the same observable, the calculator consolidates these findings using a defined priority:
  • If any vendor classifies the observable as Malicious, the overall finding is Malicious.
  • If none are Malicious but at least one is Suspicious, the overall finding is Suspicious.
  • If all vendors report Clean, the overall finding is Clean.
  • If none are Malicious or Suspicious but one is Unknown, the overall finding is Unknown.
• Viewing Calculators: Administrators with the snsectisc.admin role can view existing Threat Lookup Reputation Calculators to understand how reputations are computed for observables per vendor integration.
• Creating Calculators: Only one Threat Lookup Reputation Calculator can be active per threat lookup vendor at a time. Administrators can create new calculators by specifying:
  • Name of the calculator
  • Active status to enable calculation
  • The associated threat lookup vendor (e.g., CrowdStrike Falcon Intelligence)
  • A reputation script, which can be customized or use the base script provided

Practical Use for ServiceNow Customers

By utilizing the Threat Lookup Reputation Calculator, security teams can effectively consolidate threat intelligence from multiple vendors, enabling a unified view of observable reputations. Customizing the reputation script allows tailoring threat assessments to your organizational policies and risk thresholds. This facilitates more accurate and actionable security insights, improving incident response and threat management workflows within the ServiceNow Threat Intelligence Security Center.