Threat Lookup Finding Calculators

  • Release version: Yokohama
  • Updated January 30, 2025

The Threat Lookup Finding Calculator derives observable findings from the responses that threat lookup integrations return.

You can create a Threat Lookup Finding Calculator for your integration and use a script to define how each observable finding is identified from the integration's response. The base system ships a sample script with the calculator; you can use it as-is to identify observable findings or modify it to fit your requirements.

    For third-party integrations that provide the computed results, the Threat Lookup Finding Calculator maps the results to supported findings in the base system.

Rollup Threat Lookup Results

When an observable has threat lookup results from several integration vendors, only the most recent result from each vendor is considered, and the overall observable finding is derived from those latest results as follows (the rules are evaluated in the order shown, so the first that matches wins):

Table 1. Rollup Threat Lookup Findings

Latest Observable Finding    Overall Observable Finding
Malicious                    If at least one integration vendor reports the observable as Malicious, the overall observable finding is Malicious.
Suspicious                   If no integration vendor reports the observable as Malicious but at least one reports it as Suspicious, the overall observable finding is Suspicious.
Unknown                      If no integration vendor reports the observable as Malicious or Suspicious but at least one reports it as Unknown, the overall observable finding is Unknown.
Clean                        If every integration vendor reports the observable as Clean, the overall observable finding is Clean.

    Observable finding override modes

    You can control how threat lookup results update observable findings by configuring the override mode. Navigate to Threat Intelligence > Administration > Properties and set the Observable finding override mode property to one of the following values:

    • Default — The system always recalculates the finding from the latest threat lookup results and overwrites whatever value the finding held before.
    • Override — Users can manually override the observable finding for a limited time. During the configured validity period, the system does not change the finding, even if new threat lookup results arrive.
    • Precedence — Findings follow a defined priority order. A severity upgrade from threat lookup results is applied immediately, while a downgrade is deferred until the expiry window for that observable type has elapsed. The Precedence expiry field on each observable type record sets how many days a higher-severity finding is retained before a downgrade is applied. Its default is 0 days, so until you set an expiry on the observable type, downgrades are applied immediately and Precedence mode behaves like Default mode for that type.

When using Precedence mode, configure the Observable finding precedence order property to define the priority ranking. The default order is Malicious, Suspicious, Unknown, Clean, where Malicious has the highest priority.
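To make both rules concrete, here is an added JavaScript example that models the Table 1 rollup (including the step that keeps only each vendor's most recent result) and the Precedence-mode decision of applying upgrades at once while deferring downgrades until the expiry has elapsed. It is not the base-system sample script and uses no ServiceNow API; the record shape, the vendor names and timestamps, and the function names rollup and applyPrecedence are assumptions made for the illustration.

```javascript
// Added example: plain JavaScript model of the documented rollup and
// Precedence-mode rules. Not the ServiceNow base-system sample script and
// not a ServiceNow API; record shape and helper names are assumptions.

// Default value of the "Observable finding precedence order" property:
// lower index means higher priority.
var DEFAULT_PRECEDENCE = ["Malicious", "Suspicious", "Unknown", "Clean"];

// Constructed sample lookup results for one observable. VendorA and VendorB
// each have two results, so the "most recent result per vendor" step matters:
// VendorA's old Malicious verdict must not leak into the rollup.
var SAMPLE_RESULTS = [
  { vendor: "VendorA", finding: "Malicious",  at: "2025-01-10T09:00:00Z" },
  { vendor: "VendorA", finding: "Clean",      at: "2025-01-28T09:00:00Z" },
  { vendor: "VendorB", finding: "Unknown",    at: "2025-01-20T12:00:00Z" },
  { vendor: "VendorB", finding: "Suspicious", at: "2025-01-29T12:00:00Z" },
  { vendor: "VendorC", finding: "Clean",      at: "2025-01-27T08:00:00Z" }
];

// Keep only the most recent result from each vendor.
function latestPerVendor(results) {
  var latest = {};
  results.forEach(function (r) {
    var cur = latest[r.vendor];
    if (!cur || Date.parse(r.at) > Date.parse(cur.at)) {
      latest[r.vendor] = r;
    }
  });
  return Object.keys(latest).map(function (v) { return latest[v]; });
}

// Table 1 rollup, evaluated in priority order: Malicious if any vendor says
// Malicious; else Suspicious if any says Suspicious; else Unknown if any says
// Unknown; Clean only when every vendor says Clean. Returns null when there
// are no results at all (the page does not define that case; assumption).
function rollup(results) {
  var findings = latestPerVendor(results).map(function (r) { return r.finding; });
  if (findings.length === 0) return null;
  if (findings.indexOf("Malicious") !== -1) return "Malicious";
  if (findings.indexOf("Suspicious") !== -1) return "Suspicious";
  if (findings.indexOf("Unknown") !== -1) return "Unknown";
  return "Clean";
}

// Precedence mode. current = { finding, setAt } is the stored finding and when
// it was set; candidate is the new rollup result. An upgrade (candidate ranks
// higher in `order`) is applied immediately. A downgrade is applied only once
// the current finding is at least expiryDays old; otherwise it is deferred.
function applyPrecedence(current, candidate, order, expiryDays, nowIso) {
  var rank = function (f) { return order.indexOf(f); };
  if (!current.finding) return { finding: candidate, setAt: nowIso };
  if (rank(candidate) < rank(current.finding)) {
    return { finding: candidate, setAt: nowIso };          // upgrade: immediate
  }
  if (rank(candidate) > rank(current.finding)) {
    var ageDays = (Date.parse(nowIso) - Date.parse(current.setAt)) / 86400000;
    if (ageDays >= expiryDays) {
      return { finding: candidate, setAt: nowIso };        // downgrade: expiry elapsed
    }
  }
  return current;                                          // deferred downgrade or no change
}

// Worked run: roll up the sample, then decide the Precedence outcome for an
// observable that was marked Malicious three days ago, with a 7-day expiry
// and with the default 0-day expiry.
function demo() {
  var now = "2025-01-30T00:00:00Z";
  var overall = rollup(SAMPLE_RESULTS);
  var current = { finding: "Malicious", setAt: "2025-01-27T00:00:00Z" };
  return {
    overall: overall,
    withExpiry: applyPrecedence(current, overall, DEFAULT_PRECEDENCE, 7, now).finding,
    noExpiry: applyPrecedence(current, overall, DEFAULT_PRECEDENCE, 0, now).finding
  };
}
```

In the sample, VendorA's older Malicious result is discarded because its latest verdict is Clean, so the rollup is Suspicious (from VendorB), not Malicious. With a 7-day Precedence expiry the observable stays Malicious for now because the downgrade is deferred; with the default expiry of 0 days the same downgrade is applied immediately, which is why Precedence mode only differs from Default mode once an expiry is set on the observable type.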