Threat Lookup Finding Calculators
Summary of Threat Lookup Finding Calculators
The Threat Lookup Finding Calculator in ServiceNow enables you to calculate observable findings based on responses from multiple threat intelligence integrations. It allows you to create custom calculators using scripts to identify observable findings or use the provided sample script. This tool helps consolidate and interpret threat data from various third-party vendors to produce a unified observable finding.
Key Features
- Customizable Calculation: Create and modify scripts to determine how observable findings are identified from integration responses.
- Rollup of Multiple Vendor Results: When multiple vendors provide threat lookup results for the same observable, the system consolidates these into a single overall finding using a defined priority logic:
  - If any vendor marks the observable as Malicious, the overall finding is Malicious.
  - If no vendor reports Malicious but at least one reports Suspicious, the overall finding is Suspicious.
  - If all vendors report Clean, the overall finding is Clean.
  - If no vendor reports Malicious or Suspicious but at least one reports Unknown, the overall finding is Unknown.
- Observable Finding Override Modes: Configure how threat lookup results update observable findings through three modes:
  - Default: Always recalculates findings from lookup results, overwriting previous values.
  - Override: Allows manual user overrides for a limited validity period during which system recalculations are suspended.
  - Precedence: Applies a priority order for findings where severity upgrades are immediate but downgrades are delayed based on expiry settings per observable type. The default priority order is Malicious, Suspicious, Unknown, Clean.
Practical Benefits for ServiceNow Customers
By using the Threat Lookup Finding Calculator, customers can effectively aggregate and standardize threat intelligence from multiple sources, improving the accuracy and reliability of observable threat assessments. The configurable override modes provide flexibility to balance automated updates with manual control, ensuring findings reflect the most relevant security context over time.
Threat Lookup Finding Calculator helps you calculate the observable findings based on the responses received.
You can create a Threat Lookup Finding Calculator for your integration and use a script to determine how you want to identify the various observable findings. The Threat Lookup Finding Calculator includes a sample script that comes with the base system, which you can use to identify the observable findings or you can modify this script according to your requirements.
For third-party integrations that provide the computed results, the Threat Lookup Finding Calculator maps the results to supported findings in the base system.
Rollup Threat Lookup Results
| Latest Observable Finding | Overall Observable Finding |
|---|---|
| Malicious | If one of the integration vendors reports the observable as Malicious, then the overall observable finding is marked as Malicious. |
| Suspicious | If none of the integration vendors report the observable as Malicious and at least one of them reports it as Suspicious, then the overall observable finding is marked as Suspicious. |
| Clean | If all the integration vendors report the observable as Clean, then the overall observable finding is marked as Clean. |
| Unknown | If none of the integration vendors report the observable as Malicious or Suspicious and at least one of them reports it as Unknown, then the overall observable finding is marked as Unknown. |
Observable finding override modes
You can control how threat lookup results update observable findings by configuring the override mode. Navigate to and set the Observable finding override mode property to one of the following values:
- Default — The system always recalculates findings from threat lookup results. Any previous finding value is overwritten.
- Override — Users can manually override the observable finding for a limited time. The system does not change the finding during the configured validity period.
- Precedence — Findings follow a defined priority order. Severity upgrades from threat lookup results are applied immediately, while downgrades are deferred until the per-observable-type expiry window elapses. The Precedence expiry field on each observable type record defines how many days a higher-severity finding is retained before the system applies a downgrade. The default value is 0 days, so until you change it a downgrade is applied as soon as a lower-severity result arrives; set a non-zero expiry on the observable types where a higher-severity finding should be retained.
When using precedence mode, configure the Observable finding precedence order property to define the priority ranking. The default order is Malicious, Suspicious, Unknown, Clean, where Malicious has the highest priority.