TISC Library Objects form view

  • Release version: Xanadu
  • Updated August 1, 2024
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TISC Library Objects form view

    The Threat Intelligence Security Center (TISC) Library Objects form view provides a comprehensive interface to manage and analyze Security Data Objects (SDOs). This view allows ServiceNow customers to explore detailed information, relationships, and enrichment of threat intelligence data within their environment.


    Key Features

    • Details tab: View or edit SDOs directly in form view for detailed management.
    • Source Records tab: Displays aggregated source records, automatically created from feeds or manually added, contributing to the SDO.
    • Related Records tab: Lists all records associated with the SDO, enabling better context and correlation.
    • Relationship Graph tab: Provides a visual map of related threat intelligence objects, aiding in understanding complex relationships.
    • Internal Intelligence tab: Shows internal intelligence records linked to the objects for internal analysis.
    • Enrichment Results tab: Displays data from enrichment integrations related to the objects, enhancing threat context.
    • Form banner: A read-only summary showing key fields such as Type, Confidence, Threat Score, Number of Sightings, Status, and Expiration Time, giving at-a-glance insight.
    • Form banner UI actions: Security control options specifically for observables, allowing adding to watch list, deny list, or allow list to control threat responses.
    • Form UI actions: Functional buttons including Add to Case, Run Observable Enrichment, Save, and Delete, supporting efficient workflow management.
    • Right Contextual menu: Quick access to attachments, notes, and insights related to the object, facilitating comprehensive record keeping and analysis. Attachments pane is visible by default but can be toggled via preferences.
    • Search capabilities: Two search options enable users to find objects within the Threat Intelligence library and search source records across multiple sources with flexible criteria, including wildcard searches and keyword modification without leaving the results page.

    Practical Benefits for ServiceNow Customers

    • Enables detailed examination and management of threat intelligence data to support security operations.
    • Facilitates quick navigation between related threat objects and their associated data, improving investigation efficiency.
    • Supports integration of enrichment results to provide richer threat context for decision-making.
    • Allows direct control over observables through watch, deny, and allow lists to enhance threat response strategies.
    • Improves usability with visual relationship maps and contextual menus for attachments and insights.
    • Streamlines searching through large threat intelligence datasets with flexible and user-friendly search tools.

    The Threat Intelligence Security Center objects home page consists of the following features.

    Use or navigate to the following sections to learn more about each SDO in detail.

    TISC Objects home page view
    Table 1. TISC library objects form view
    Order | Menu/Tab | Description
    1 | Details tab | Use this section to view or edit the SDOs in the form view.
    2 | Source Records tab | Source records contribute to an aggregated record as displayed in the form view. These source records are automatically created from feeds or manually created by the user.
    3 | Related Records tab | Lists all the related records associated with the SDO.
    4 | Relationship Graph tab | Visual representation of the related objects.
    5 | Internal Intelligence tab | Lists the internal intelligence records of the associated objects.
    6 | Enrichment Results tab | Lists the enrichment integrations associated with the objects.
    7 | Form banner | This is a read-only section that contains key fields such as Type, Confidence, Threat score, Number of Sightings, Status, and Expiration time.
    8 | Form banner UI actions | These are the security control list actions available for observables: add the observable to the allow list, remove it from the allow list (deny list), or add it to the watch list. Click to:
        • add to watch list
        • add to deny list
        • add to allow list
        Note:
        The Form actions are applicable only to Observables.
    9 | Form UI actions | The available form UI actions are:
        1. Add to Case: Add the objects to the case.
        2. Run Observable Enrichment: Run the enrichments on the selected objects.
        3. Save: Save the record.
        4. Delete: Delete the record.
    10 | Right Contextual menu | Provides easy access to quick controls such as attachments, notes, and so on, based on the tasks associated with that object. This option is available across the remaining two tabs for the threat analyst to access whenever required.
        The contextual menu provides easy navigation to:
        1. Attachments: Attach any files that are related to the objects.
          Note:
          Whenever you create a new observable, indicator, or other object, or view an existing object, the Attachments pane is displayed by default on the respective form view. You can either click the Attachments icon on the right contextual menu or go to Preferences > Workspaces and disable Show the sidebar. For more information, see Configure Next Experience Workspace preferences.
        2. Insights: Add any additional information related to the observables or indicators that are associated with that object.
    NA | Search in Navigator | Use this search function to search for various objects within the Threat Intel (TI) library. For example, you can search for all observable records within the TI library module.
    NA | Search in Threat Intel Library | Use this search function to search for the source records across multiple sources based on your search criteria. The results are displayed in a separate Search Results tab. For example, to find records for the IP address 104.227.137.35, enter 104.* as the search term; the search narrows down the records and displays those that contain an IP address starting with 104 in the separate Search Results tab.
        • You can also modify the existing search keywords in the Search Criteria on the same Search Results page without going back to the Threat Library page.
        • Similarly, you can also search based on the name and description of any particular record.
        • Once the records are filtered and listed, you can click a record in the list view, which opens the respective record in a new tab.