Managing the Threat Lookup Reputation Calculator

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Managing the Threat Lookup Reputation Calculator

    The Threat Lookup Reputation Calculator allows you to calculate observable findings based on responses from threat lookup vendors. You can create a calculator tailored to your integration needs and utilize a script to identify different observable findings. A sample script is provided with the base system, which can be modified as necessary.

    Show full answer Show less

    Key Features

    • Rollup Threat Lookup Results: This feature consolidates multiple threat lookup results into an overall observable finding based on the most recent responses from integration vendors. The findings are categorized as Malicious, Suspicious, Clean, or Unknown.
    • View Threat Lookup Reputation Calculators: Administrators can view existing calculators to understand how the reputation of observables is calculated.
    • Create Threat Lookup Reputation Calculator: Only one active calculator per vendor is allowed, enabling tailored threat detection.

    Key Outcomes

    By utilizing the Threat Lookup Reputation Calculator, ServiceNow customers can effectively manage and assess threat data from multiple sources. This tool streamlines the identification process of observable findings, enhancing threat management capabilities and allowing for informed decision-making based on comprehensive threat intelligence.

    You can use the Threat Lookup Finding Calculator to calculate the observable findings based on the responses received from threat lookup vendor.

    You can create a Threat Lookup Finding Calculator for your integration and use a script to determine how you want to identify the various observable findings. The Threat Lookup Finding Calculator includes a sample script that comes with the base system, which you can use to identify the observable findings or you can modify this script according to your requirements.

    For third-party integrations that provide the computed results, the Threat Lookup Finding Calculator maps the results to supported findings in the base system.

    Rollup Threat Lookup Results

    When you have multiple threat lookup results for an observable from the various integration vendors, then the recent threat lookup results from all the vendors are considered, and the overall observable findings are marked as follows:
    Table 1. Rollup Threat Lookup Findings
    Latest Observable Finding Overall Observable Finding
    Malicious If one of the integration vendors reports the observable as Malicious, then the overall observable finding is marked as Malicious.
    Suspicious If none of the integration vendors report the observable as Malicious, one of them reports it as Suspicious, and then the overall observable finding is marked as Suspicious.
    Clean If all the integration vendors report the observable as Clean, then the overall observable finding is marked as Clean.
    Unknown If none of the integration vendors report the observable as Malicious or Suspicious and one of them report it as Unknown, then the overall observable finding is marked as Unknown.

    View Threat Lookup Reputation Calculators

    You can view the Threat Lookup Finding Calculator to determine how reputation of observable is calculated based on response from specific threat lookup vendor.

    Role required: sn_sec_tisc.admin

    To view the Threat Lookup Reputation Calculator, perform the following steps:
    1. Navigate to Workspaces > Threat Intelligence Security Center > Administration.
    2. Select the Threat Lookup Reputation Calculator section.

      You can view the list of Threat Lookup Reputation Calculators.

    3. Click on the required Threat Lookup Reputation Calculator to view the details of the calculator.

      View Threat Lookup Reputation Calculators

    Create Threat Lookup Reputation Calculator

    Role required: sn_sec_tisc.admin
    Note:
    Only one threat lookup calculator can be active at any point of time per Threat lookup vendor.
    To create a Threat Lookup Reputation Calculator, perform the following steps:
    1. Navigate to Workspaces > Threat Intelligence Security Center > Administration.
    2. Select the Threat Lookup Reputation Calculator section.

      You can view the list of Threat Lookup Reputation Calculators.

    3. To create a Threat Lookup Reputation Calculator, click New.

      Create aThreat Lookup Reputation Calculator

    4. On the form, fill the fields.
      Table 2. Create a Threat Lookup Reputation Calculator
      Field Description
      Name Name for the Threat Lookup Reputation Calculator.
      Active Threat Lookup calculation runs only if Active option is selected.
      Threat Lookup Vendor Name of the Threat Lookup vendor. For example, CrowdStrike Falcon Intelligence.
      Reputation Script Script editor to determine how you want to identify the various observable findings. Every threat lookup integration comes with a base script for calculating threat lookup reputation.
    5. Click Save.