Install: TruSTAR for ServiceNow

Updated 2 months ago by Elvis Hovor

This document explains how to install and configure the TruSTAR Workflow App for ServiceNow (London and newer versions). 

Time to Install: 15-20 minutes

Requirements

The TruSTAR Workflow App works with ServiceNow London and newer versions.

To submit Security Incident Response (SIR) incidents to TruSTAR, you must have the following plug-ins: 

  • ServiceNow Security Incident Response version 4.0.25 or higher
  • ServiceNow Threat Core version 4.0.25 or higher

To use the TruSTAR Threat Lookup and Observable Enrichment features, you must have this plug-in:

  • ServiceNow Threat Intelligence

Installation Options

The TruSTAR Workflow App for ServiceNow is certified for the London and newer versions only. 

Installing the App

The TruSTAR Workflow App is available for download from the ServiceNow app store. 

  1. Log into the ServiceNow store with HI credentials.
  2. Search for TruSTAR Integration for ServiceNow.
  3. Select the TruSTAR integration and click Get.
  4. Accept any license terms and select the instance where the integration will be installed.
  5. Log in to the instance where you want to install the application.
  6. Navigate to System Applications > Applications.
  7. Select the Downloads tab.
  8. Locate the TruSTAR Integration, select it, and click Install.

Configuring the App

This section describes how to configure these areas:

  • User Roles
  • Core Application Parameters
  • Threat Lookup Parameters
  • Observable Enrichment Parameters

User Roles in London 

In the London version, you need to add Custom Role settings to the Application Role:

  1. Log into ServiceNow as Admin and then go to User Administration on the left menu.
  2. Select Roles.
  3. Select the role x_tstar_trustar.TruSTARAppAdmin.
  4. Select Edit in the Contains Roles table.
  5. Add these roles to x_tstar_trustar.TruSTARAppAdmin:
    1. itil
    2. sn_si.analyst
    3. sn_si.read
    4. sn_sec_core.read_dictionary
    5. x_tstar_trustar.TruSTARAppAdmin

The x_tstar_trustar.TruSTARAppAdmin role now lists those System Roles under Contains Roles.

ServiceNow_Install_Figure1

User Roles in Madrid and Newer

For Madrid and newer versions, create a dedicated user for the integration and assign the required roles to that user.

  1. Log into ServiceNow as Admin and then go to User Administration on the left menu.
  2. Select Users.
  3. Create a new user ID, for example trustar_admin. Use a dedicated account rather than an existing analyst's account so that the integration's permissions and activity are easy to audit.
ServiceNow_Install_Figure2
  4. Open the user you just created and click Edit.
ServiceNow_Install_Figure3
  5. Assign the following roles to that new user (role names are case-sensitive; enter them exactly as shown):
    • itil
    • sn_si.analyst
    • sn_si.read
    • sn_sec_core.read_dictionary
    • x_tstar_trustar.TruSTARAppAdmin
ServiceNow_Install_Figure4
  6. Click Update in the top right corner to finish the user configuration.

Setting Core Parameters 

This section explains how to set up the core parameters for the TruSTAR App. There are five areas you can configure: the main area at the top and four tabs near the bottom. After you finish editing the parameters, you must click the Update Configuration button to save your changes. 

  1. Log into ServiceNow using the Admin role.
  2. Select Configuration on the left menu.
  3. Select Settings. The Settings form is displayed.
ServiceNow_Install_Figure5
  4. In the main area on the right side, enter the parameters described below.

  • Endpoint (required): The TruSTAR Web App URL against which the app makes its API calls. Set this parameter to https://station.trustar.co.
  • Access Key (required): The API key used to authenticate API calls. See Finding your API Key.
  • Secret Key (required): The API secret used together with the Access Key to authenticate API calls. Treat it as a credential: it authenticates your instance to TruSTAR, so store it only in this form and keep it out of tickets, scripts, and logs. See Finding your API Secret Key.
  • Report Submission Enclave IDs (required): The Enclave(s) the app submits Reports to (and imports report data from). To use multiple enclaves, separate each enclave ID with a comma and no spaces, in the form <enclave-id-1>,<enclave-id-2>. See Retrieving your Enclave IDs.
  • Indicator Search Enclave IDs (optional): The Enclave ID(s) to search for Indicators. If left blank, the search covers all Enclaves you have access to. To specify multiple enclaves, separate each enclave ID with a comma and no spaces.
  • Enrichment Retention Period (days) (optional): Number of days for which a previously enriched Indicator is considered current; once that period has elapsed, the Indicator can be updated again by TruSTAR enrichment.

  5. On the Auto Submission tab, you can edit this parameter:
ServiceNow_Install_Figure6

  • Security Incident (optional): When selected, a Report is automatically submitted to TruSTAR Station each time a Security Incident is created, and the information TruSTAR returns about that Report, including Threat Lookup and Observable Enrichment results, is written back to the incident.

Note: This parameter is only available if you have the ServiceNow Security Incident Response plug-in.

  6. On the Configure Report Body tab, you can edit these parameters. Everything configured here is sent to TruSTAR, so review the selected fields for data that should not leave your instance, and use the Exclude Categories tab for categories that should never be shared.
ServiceNow_Install_Figure7

  • Share Close Code and Close Notes (optional): When selected, the close code and close notes are included when Reports are submitted to TruSTAR or when the Incident or Security Incident is closed.
  • Security Incident Fields (optional): The fields to include in the body of the Report when a Security Incident is sent to TruSTAR. Best practice is to include at least Short Description and Description.

Note: This parameter is only available if you have the ServiceNow Security Incident Response plug-in.

  7. On the Exclude Categories tab, choose any categories to exclude from Reports sent to TruSTAR.
ServiceNow_Install_Figure8

  8. On the Security Operation Configuration tab, you can edit two parameters. This tab is only available if you have activated the ServiceNow Threat Intelligence plug-in.
ServiceNow_Install_Figure9

  • Threat Lookup (optional): Enables Threat Lookup operations, run automatically or manually. Threat lookups can cover files, hash values, URLs, and IP addresses. Because Auto Submission already returns Threat Lookup results, select this checkbox only if you have not selected Security Incident on the Auto Submission tab.
  • Observable Enrichment (optional): Enables Observable Enrichment operations, run automatically or manually. As with Threat Lookup, select this checkbox as an alternative when auto submission of Security Incidents is not selected.

  9. When you have finished configuring the parameters, click Update Configuration. Your changes are not saved until you do.
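The following is an added example, not code from the TruSTAR app or from ServiceNow, showing a stand-alone pre-flight check for the two procedures above: the role list under User Roles and the parameter values under Setting Core Parameters. It is written in ES5-style JavaScript so it can be adapted to a ServiceNow background script, but the property names (endpoint, accessKey, reportSubmissionEnclaveIds, and so on) are assumptions chosen for this example, as is the sample settings object; in a real instance you would populate them from the app's Settings record and the user's sys_user_has_role rows.

```javascript
// Added example (not the TruSTAR app's own code). Checks a candidate
// integration user's roles and a Settings record against the rules on
// this page. Property names and sample data below are constructed for
// the example, not taken from the app.

// Roles the page requires on the integration user / app admin role.
// ServiceNow role names are case-sensitive, so compare them exactly.
var REQUIRED_ROLES = [
  'itil',
  'sn_si.analyst',
  'sn_si.read',
  'sn_sec_core.read_dictionary',
  'x_tstar_trustar.TruSTARAppAdmin'
];

// Return the required roles that are absent from assignedRoles.
// A role typed as "Itil" does not satisfy "itil".
function missingRoles(assignedRoles) {
  var have = {};
  for (var i = 0; i < assignedRoles.length; i++) {
    have[assignedRoles[i]] = true;
  }
  var missing = [];
  for (var j = 0; j < REQUIRED_ROLES.length; j++) {
    if (!have[REQUIRED_ROLES[j]]) {
      missing.push(REQUIRED_ROLES[j]);
    }
  }
  return missing;
}

// Enclave ID lists: one or more IDs separated by commas, no spaces,
// no empty entries.
var ENCLAVE_LIST = /^[^\s,]+(,[^\s,]+)*$/;

// Validate a Settings record; returns a list of findings (empty == OK).
function validateSettings(s) {
  var findings = [];
  if (s.endpoint !== 'https://station.trustar.co') {
    findings.push('Endpoint must be https://station.trustar.co');
  }
  if (!s.accessKey) {
    findings.push('Access Key is required');
  }
  if (!s.secretKey) {
    findings.push('Secret Key is required');
  }
  if (!ENCLAVE_LIST.test(s.reportSubmissionEnclaveIds || '')) {
    findings.push('Report Submission Enclave IDs: required, comma-separated, no spaces');
  }
  if (s.indicatorSearchEnclaveIds && !ENCLAVE_LIST.test(s.indicatorSearchEnclaveIds)) {
    findings.push('Indicator Search Enclave IDs: comma-separated, no spaces');
  }
  var days = s.enrichmentRetentionDays;
  if (days !== undefined && days !== '' &&
      !(/^[0-9]+$/.test(String(days)) && Number(days) > 0)) {
    findings.push('Enrichment Retention Period must be a positive whole number of days');
  }
  // Auto Submission already returns Threat Lookup and Observable
  // Enrichment, so the page recommends the Security Operation
  // checkboxes only as an alternative to it.
  if (s.autoSubmitSecurityIncident && (s.threatLookup || s.observableEnrichment)) {
    findings.push('Threat Lookup / Observable Enrichment are redundant with Auto Submission');
  }
  return findings;
}

// Constructed sample configuration that follows the page's guidance.
var EXAMPLE_SETTINGS = {
  endpoint: 'https://station.trustar.co',
  accessKey: 'example-access-key',   // placeholder, not a real key
  secretKey: 'example-secret-key',   // placeholder, not a real key
  reportSubmissionEnclaveIds: 'enclave-a,enclave-b',
  indicatorSearchEnclaveIds: '',
  enrichmentRetentionDays: 30,
  autoSubmitSecurityIncident: true,
  threatLookup: false,
  observableEnrichment: false
};

// Constructed sample roles with the case error from the original page.
var EXAMPLE_ROLES = ['Itil', 'sn_si.analyst', 'sn_si.read',
                     'sn_sec_core.read_dictionary',
                     'x_tstar_trustar.TruSTARAppAdmin'];

console.log('missing roles:', missingRoles(EXAMPLE_ROLES));
console.log('settings findings:', validateSettings(EXAMPLE_SETTINGS));
```

Run it before clicking Update Configuration: a non-empty role list or findings list points at the exact field or role to fix, and the enclave regex rejects the "comma and space" mistake that the parameter descriptions warn against.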

Best Practices

To automatically fetch enrichment from TruSTAR, select the Security Incident parameter on the Auto Submission tab.

If you choose not to use Auto Submission, you can still perform threat lookups and observable enrichment, either by selecting the Threat Lookup and Observable Enrichment parameters on the Security Operation Configuration tab or by manually performing submission and enrichment actions as explained in the User Guide.
