Adding an IOC to a Feed (SOAR Action in ServiceNow)

This SOAR action adds the Indicator of Compromise (IOC) to a specific feed.

This SOAR action can be run from an alert.
You must configure the Watchlist and report details in the Actions section of the Configuration Profile. See Configuring a ServiceNow Configuration Profile and Configure ServiceNow Actions (Optional).
Add the IOC to the feed to impact the alerts that are generated for the Watchlist type.
If the Watchlist is correctly configured in the Configuration Profile, a popup window displays. In this window, select the Field and provide the IOC values to add to the feed. The report is generated or updated to add the IOC.

Add IOC to Feed window

Note: If the Actions section in the associated Configuration Profile is not configured, a message indicates that you need to configure the action.