1. Introducing TruSTAR

2. Product Architecture

3. Data Management

4. Data Processing

4.1 Data Processing: Collect

4.2 Data Processing: Prepare

4.3 Data Processing: Prioritize

4.4 Data Processing: Connect

5. Capabilities

5.1 Capabilities: Governance

5.2 Capabilities: Intel Workflows

5.3 Capabilities: Search

5.4 Capabilities: Scoring

5.5 Capabilities: Analytics

6. Interfaces

6.1 Interfaces: REST API

6.2 Interfaces: Integrations

6.3 Interfaces: Web App

7. Use Cases

7.1 Use Cases: Detect

7.2 Use Cases: Triage

7.3 Use Cases: Investigate

7.4 Use Cases: Disseminate

TruSTAR Ontology

Case Management Integrations with REST API v1.3

Detection Integrations with REST API v1.3

SOAR Integrations with REST API v1.3

Overview: Partner Resources

Requirements for Integrations

Building an Observable-Query Intelligence Source Integration

Python SDK

REST API v1.3

REST API v2.0

Cyjax

Digital Shadows

RiskIQ Blacklist

RiskIQ PassiveTotal

Shape Blackfish

SpyCloud

Cisco AMP Threat Grid Indicator Query

Crowdstrike Falcon Detection

Crowdstrike Falcon Intelligence

Crowdstrike Falcon Reports

AbuseIPDB

Alienvault OTX

Alienvault OTX Pulse

Bambenek C2 Domain Feed

Bambenek C2 IP Feed

Bambenek DGA Feed

Dragos WorldView

Facebook Threat Exchange

Farsight Security

Flashpoint

Hybrid Analysis

IBM X-Force

IBM X-Force Threat Intelligence

Intel 471 Adversary Intelligence

Intel 471 Alerts

Intel 471 Malware Intelligence

Mandiant iSight

NetLab 360 DGA Feeds

Recorded Future Hash Intelligence

Recorded Future IP Intelligence

Recorded Future URL Intelligence

Recorded Future Vulnerability Intelligence

Shodan

Symantec Threat Intelligence

VirusTotal

urlscan

A-ISAC

COVID-19 OSINT Community Enclave

F-ISAC

FS-ISAC

NCFTA CyFin

NCFTA TNT

AWS GuardDuty

Cybersource

MISP

TAXII Client

Cisco AMP Threat Grid Analysis

Joe Sandbox

How Intelligence Sources are Updated

Intelligence Sources FAQ

Open Source Intelligence Tech Specs

Overview: Intelligence Sources

Install: TruSTAR for FIR

User Guide: TruSTAR for FIR

FAQ: TruSTAR for Resilient

Install: TruSTAR for Resilient

User Guide: TruSTAR for Resilient

FAQ: TruSTAR for Jira

Install: TruSTAR for Jira

User Guide: TruSTAR for Jira

FAQ: TruSTAR for ServiceNow

Install: TruSTAR for ServiceNow

User Guide: TruSTAR for ServiceNow

Install: TruSTAR for ServiceNow V2

User Guide: TruSTAR for ServiceNow V2

Overview: Case Management Apps

FAQ: TruSTAR Unified App for Splunk Enterprise & Enterprise Security

Install: TruSTAR Unified App for Splunk Enterprise & Enterprise Security

User Guide: TruSTAR Unified App for Splunk Enterprise & Enterprise Security

FAQ: TruSTAR for IBM QRadar

Install: TruSTAR for IBM QRadar

User Guide: TruSTAR for IBM QRadar

Overview: Detection Workflow Apps

Creating a Demisto Playbook

Indicator Retrieval in Demisto

Indicator Searches in Demisto

Listing TruSTAR Enclaves in Demisto

Phishing Triage Commands for Demisto

Report Commands in Demisto

Report Searches in Demisto

User Guide: TruSTAR for Demisto

Whitelisting with Demisto

FAQ: TruSTAR for Demisto

Install: TruSTAR for Demisto

Overview: Demisto

Anomali ThreatStream

LogRhythm

Palo Alto MineMeld

TAXII Client Basics

TAXII FAQ

TruSTAR TAXII Server

FAQ: TruSTAR for MISP (v2)

Install: TruSTAR for MISP (v2)

User Guide: TruSTAR for MISP (v2)

TruSTAR Extension for Chrome

TruSTAR on Slack

Workflow Apps FAQ

Automated Sharing Between Enclaves

Script: Correlations Between Enclaves

Script: Deleting Reports

Script: Domain-level URL Filtering

Script: Exporting Indicators

Script: Moving Data Between Enclaves

Scripts: Uploading Data

ArcSight: Upload Events to TruSTAR

Azure Sentinel: Import Indicators from TruSTAR

Crowdstrike Falcon: Import Indicators from TruSTAR

Cybereason: Import Indicators from TruSTAR

MISP: Import Reports or Indicators from TruSTAR

Overview: Managed Connectors

Proofpoint: URL Decoder

SecureWorks: Send Indicators to TruSTAR

Splunk Enterprise: Import Indicators from TruSTAR

Splunk Phantom: Enrich Notable Events

Windows Defender: Import Indicators from TruSTAR

Report Correlation Email

Vetting and Tagging Indicators

1. Start Here

2. Main Window

3. Filter and Refine Panel

4. Intelligence Reports

5. Indicators

6. Marketplace

7. TruSTAR Community Chat

8. User Settings

Copying a Report

Deleting a Report

Emailing a Report

Exporting Report Data

Moving a Report

Overview: Intelligence Reports

Redacting Data from a Report

Reports Graph View

Reports List View

Reports Panel

Submitting a Report

Tagging a Report

Updating a Report

Deleting Indicators

Exporting Indicators

IOC List View

Observable Graph View

Overview: Indicators

Tagging Indicators

Threat Actors

Uploading Indicators

Whitelisting Indicators

Overview: Phishing Triage

Phishing Triage API

Phishing Triage Python SDK

Phishing Workflow in the TruSTAR Web App

Using Phishing Triage with Detection Tools

Using Phishing Triage with Orchestration Tools

Using Phishing Triage with a TAXII Client

Editing Your Profile

Notifications

User Settings Overview

Okta (SSO)

Ping Identity (SSO)

Salesforce (SSO)

Automating Forwarding to an Enclave Inbox

Enclave Inbox

Setting up an Enclave Inbox with Proofpoint

Managing Users

Managing the Company Whitelist

Managing the Redaction Library

Setting Up Multi-Factor Authentication (MFA)

Setting up a Service Account

Creating an Indicator Prioritization Intel Workflow

Deleting an Intel Workflow

Editing an Intel Workflow

FAQ: Intel Workflows

Overview: Indicator Prioritization Intel Workflow

Viewing a Data Set in Postman

Viewing an Intel Workflow

Working with Safelist Libraries

MITRE ATT&CK Framework

Navigation Bar

Searching

Using Notes

Using the Filter and Refine Panel

Overview: TruSTAR Web App

Normalized Indicator Scores

Priority Event Scores

Priority Indicator Scores

Auto-Whitelist

Enclaves

Redaction Library

API Usage Policy

Contacting Support

Finding Your API Keys

Finding a Report ID

Finding an Enclave Email Handle

Finding an Enclave ID

Observable Collection FAQ

Observables Supported by TruSTAR

Security FAQ

TruSTAR Glossary

TruSTAR Videos

Uploading Observables FAQ

All Categories > Workflow Apps > Case Management > ServiceNow > Install: TruSTAR for ServiceNow

Install: TruSTAR for ServiceNow

Updated 3 months ago by TruSTAR

Related Links
Requirements
Installation Options
Installing the App
Configuring the App
Best Practices

Please migrate to the TruSTAR for ServiceNow v2 App for more features and better integration with ServiceNow.

This document explains how to install and configure the TruSTAR Workflow App for ServiceNow (London and newer versions).

Time to Install: 15-20 minutes

Requirements

The TruSTAR Workflow App works with ServiceNow London and newer versions.

To submit Security Incident Response (SIR) incidents to TruSTAR, you must have the following plug-ins installed:

ServiceNow Security Incident Response version 4.0.25 or higher
ServiceNow Threat Core version 4.0.25 or higher

To use the TruSTAR Threat Lookup and Observable Enrichment features, you must have this plug-in:

ServiceNow Threat Intelligence

Installation Options

The TruSTAR Workflow App for ServiceNow is certified for the London and newer versions only.

To install directly from the ServiceNow store, you must be using London or newer versions. For all other versions, please follow the Manual Installation process in the FAQ.

Installing the App

The TruSTAR Workflow App is available for download from the ServiceNow app store.

Log into the ServiceNow store with HI credentials.
Search for TruSTAR Integration for ServiceNow.
Select the TruSTAR integration and click Get.
Accept any license terms and select the instance where the integration will be installed.
Log in to the instance where you want to install the application.
Navigate to System Applications > Applications.
Select the Downloads tab.
Locate the TruSTAR Integration, select it, and click Install.

Configuring the App

This section describes how to configure these areas:

User Roles
Core Application Parameters
Threat Lookup Parameters
Observable Enrichment Parameters

User Roles in London

In the London version, you need to add Custom Role settings to the Application Role:

Log into ServiceNow as Admin and then go to User Administration on the left menu.
Select Roles.
Select the role x_tstar_trustar.TruSTARAppAdmin.
Select Edit in the Contains Roles table.
Add these roles to x_tstar_trustar.TruSTARAppAdmin:
1. itil
2. sn_si.analyst
3. sn_si.read
4. sn_sec_core.read_dictionary
5. x_tstar_trustar.TruSTARAppAdmin

You now see that the x_tstar_trustar.TruSTARAppAdmin role now has System Roles assigned to it.

User Roles in Madrid and Newer

For Madrid and newer versions, you need to create a new user and then add roles to that user.

Log into ServiceNow as Admin and then go to User Administration on the left menu.
Select Users.
Create a new user ID, for example trustar_admin.

Open the user you just created and click Edit.
Assign the following roles to that new user:

Itil
sn_si.analyst
sn_si.read
Sn_sec_core.read_dictionary
x_tstar_trustar.TruSTARAppAdmin

Click Update in the top right corner to finish the user configuration.

Setting Core Parameters

This section explains how to set up the core parameters for the TruSTAR App. There are five areas you can configure: the main area at the top and four tabs near the bottom. After you finish editing the parameters, you must click the Update Configuration button to save your changes.

Log into ServiceNow using the Admin role.
Select Configuration on the left menu.
Select Settings. You now see the Settings displayed.

In the main area on the right side, enter the parameters as described in the table below.

Parameter	Required	Description
Endpoint	Yes	The TruSTAR Web App URL from which data is collected by executing API calls. Set this parameter to https://station.trustar.co
Access Key	Yes	Used to make API calls. Finding your API Key
Secret Key	Yes	Used when making API calls. Finding your API Secret Key
Report Submission Enclave IDs	Yes	The Enclave(s) to import data from. To import data from multiple enclaves, separate each enclave ID with a comma and no spaces: Retrieving your Enclave IDs
Indicator Search Enclave IDs	No	The Enclave ID(s) where you want to search for Indicators. If left blank, the search will include indicators from all Enclaves you have access to. To specify multiple enclaves, separate each enclave ID with a comma and no spaces:
Enrichment Retention Period (days)	No	Number of days after which the Indicator can be updated by TruSTAR enrichment.

On the Auto Submission tab, you can edit these parameters:

Parameter

Required

Description

Security Incident

Automatically submits a Report to TruSTAR Station when a Security Incident is created and returns information from TruSTAR about that Report, including Threat Lookup and Observable Enrichment.

Note: This parameter is only available If you have the ServiceNow Security Incident Response plug-in.

On the Configure Report Body tab, you can edit these parameters:

Parameter

Required

Description

Share Close Code and Close Notes

These notes are added when Reports are submitted to TruSTAR or when the Incident or Security Incident is closed.

Security Incident Fields

Configure the fields to include in the body of a Security Incident when the Report is sent to TruSTAR. Best practice is to include the Short Description and Description categories.

Note: This parameter is only available If you have the ServiceNow Security Incident Response plug-in.

On the Exclude Categories tab, you can choose categories to exclude from a report to TruSTAR.

On the Security Operation Configuration tab, you can edit two parameters.

This tab only available if you have activated the ServiceNow Threat Intelligence plug-in.

Parameter

Required

Description

Threat Lookup

Enables Threat Lookup operations, either automatically or manually. Threat lookups can include files, hash values, URLs, and IP addresses.

Best practice is to select this checkbox only if you have not selected auto-submission of security incident.

Observable Enrichment

Enables you to perform Observable Enrichment operations, either automatically or manually.

Best practice is to select this checkbox as an alternative if auto submission of security incident is not selected.

When you have finished configuring the parameters, click Update Configuration.

Best Practices

To automatically fetch enrichment from TruSTAR, check the Security Incident parameter on the Auto Submission tab.

If you choose to not use the Auto Submission parameters, you can perform threat lookups and observable enrichment by checking the Threat Lookup and Observable Enrichment parameters on the Security Operations tab or by manually performing submission and enrichment actions as explained in the User Guide.

How Did We Do?

(opens in a new tab)

Install: TruSTAR for ServiceNow

Related Links

Requirements

Installation Options

Installing the App

Configuring the App

User Roles in London

User Roles in Madrid and Newer

Setting Core Parameters

Best Practices

How Did We Do?

Related Articles Install: TruSTAR for ServiceNow V2 FAQ: TruSTAR for ServiceNow User Guide: TruSTAR for ServiceNow

Contact

Related Articles

Install: TruSTAR for ServiceNow V2

FAQ: TruSTAR for ServiceNow

User Guide: TruSTAR for ServiceNow