TruSTAR App for ServiceNow v1.1.0 Install
This document explains how to install and configure the TruSTAR plug-in for ServiceNow v1.1.0 (London and Newer releases). This process usually takes about 15-20 minutes, including configuration.
Related Links
Terms
- Station: The TruSTAR threat intelligence management SAAS platform.
- Enclaves: Data repositories in the Station platform. Each data source imported by Station resides in its own enclave. For more information on Enclaves, see "What is an enclave."
- Observable: Artifacts found on a network or operating system that indicate a likely intrusion. Typical observables are virus signatures, IP addresses, MD5 hashes of malware files, URLs, or domain names.
- IOC: Indicator of Compromise. Another term for Observables.
Requirements
The TruSTAR plug-in works with ServiceNow versions London, Orlando, Madrid, and New York
You need to have the following ServiceNow components activated to submit incidents to TruSTAR Station:
- ServiceNow Incident Management version 1.0.0 or higher
- ServiceNow Threat Core version 4.0.25 or higher
To submit Security Incident Response (SIR) incidents to TruSTAR, you must have this plug-in:
- ServiceNow Security Incident Response version 4.0.25 or higher.
To use the TruSTAR Threat Lookup and Observable Enrichment features, you must have this plug-in:
- ServiceNow Threat Intelligence
Related Documents
Installation Options
The TruSTAR plugin for ServiceNow is certified for the Madrid and London versions only.
- To install directly from the ServiceNow store, you must be using either the Madrid or London version of the product.
- For all other versions, please follow the Manual Installation process in the FAQ.
Installing the TruSTAR Integration
The TruSTAR integration is available in the ServiceNow app store for download.
- Log into the ServiceNow store with HI credentials.
- Search for TruSTAR Integration for ServiceNow.
- Select the TruSTAR integration and click Get.
- Accept any license terms and select the instance where the integration will be installed.
- Log in to the instance where you want to install the application.
- Navigate to System Applications > Applications.
- Select the Downloads tab.
- Locate the TruSTAR Integration, select it, and click Install.
Configuring the TruSTAR Integration
This section describes how to configure these areas:
- User Roles
- Core Application Parameters
- Threat Lookup Parameters
- Observable Enrichment Parameters
User Roles in London
In the London version, you need to add Custom Role settings to the Application Role:
- Log into ServiceNow as Admin and then go to User Administration on the left menu.
- Select Roles.
- Select the role x_tstar_trustar.TruSTARAppAdmin.
- Select Edit in the Contains Roles table.
- Add these roles to x_tstar_trustar.TruSTARAppAdmin:
- itil
- sn_si.analyst
- sn_si.read
- sn_sec_core.read_dictionary
- x_tstar_trustar.TruSTARAppAdmin
You now see that the x_tstar_trustar.TruSTARAppAdmin role now has System Roles assigned to it.
User Roles in Madrid and Newer
For Madrid and newer versions, you need to create a new user and then add roles to that user.
- Log into ServiceNow as Admin and then go to User Administration on the left menu.
- Select Users.
- Create a new user ID, for example trustar_admin.
- Open the user you just created and click Edit.
- Assign the following roles to that new user:
- Itil
- sn_si.analyst
- sn_si.read
- Sn_sec_core.read_dictionary
- x_tstar_trustar.TruSTARAppAdmin
- Click Update in the top right corner to finish the user configuration.
Setting Core Parameters
This section explains how to set up the core parameters for the TruSTAR plug-in. There are five areas you can configure: the main area at the top and four tabs near the bottom. After you finish editing the parameters, you must click the Update Configuration button to save your changes.
- Log into ServiceNow using the Admin role.
- Select Configuration on the left menu.
- Select Settings. You now see the Settings displayed.
- In the main area on the right side, enter the parameters as described in the table below.
Parameter | Required | Description |
Endpoint | Yes | The TruSTAR station URL from which data is collected by executing API calls. Set this parameter to https://station.trustar.co |
Access Key | Yes | Used to make API calls. You can find this Key in the TruSTAR Station web interface under Settings-> API. How to find your API Key |
Secret Key | Yes | Used when making API calls. Available under Settings-> API on TruSTAR Station. How to find your API Secret Key |
Report Submission Enclave IDs | Yes | The enclave(s) to import data from. Specify the Enclave ID (alphanumeric id next to enclave name in TruSTAR Station).To import data from multiple enclaves, separate each enclave ID with a comma and no spaces:  |
Indicator Search Enclave IDs | No | The Enclave ID(s) that you want the Application to search indicators from. If left blank, the search will include indicators from all Enclaves you have access to on TruSTAR.To specify multiple enclaves, separate each enclave ID with a comma and no spaces: |
Enrichment Retention Period (days) | No | Number of days after which the Observable can be updated by TruSTAR enrichment. |
- On the Auto Submission tab, you can edit these parameters:
Parameter | Required | Description |
Incident | No | When checked, automatically submits a report to TruSTAR Station when an Incident is created and returns information from Station. |
Security Incident | No | When checked, automatically submits a report to TruSTAR Station when a Security Incident is created and returns information from Station, including Threat Lookup and Observable Enrichment.Note: This parameter is only available If you have the ServiceNow Security Incident Response plug-in. |
- On the Configure Report Body tab, you can edit these parameters:
Parameter | Required | Description |
Share Close Code and Close Notes | No | When checked, these notes are added when reports are submitted to TruSTAR or when the Incident or Security Incident is closed. |
Security Incident Fields | No | Configure the fields to include in the body of a Security Incident when the report is sent to TruSTAR.Best practice is to include the Short Description and Description categories.Note: This parameter is only available If you have the ServiceNow Security Incident Response plug-in. |
Incident Fields | No | Configure the fields to include in the body of an Incident when the report is sent to TruSTAR. Best practice is to include the Description category. |
- On the Exclude Categories tab, you can choose categories to exclude from a report to TruSTAR.
- On the Security Operation Configuration tab, you can edit two parameters.
Parameter | Required | Description |
Threat Lookup | No | When checked, enables Threat Lookup operations, either automatically or manually. Threat lookups can include files, hash values, URLs, and IP addresses. Best practice is to select this checkbox only if you have not selected auto-submission of incidents or security incident. |
Observable Enrichment | No | When checked, enables you to perform Observable Enrichment operations, either automatically or manually. Best practice is to select this checkbox as an alternative if auto submission of incident or security incident is not selected. |
- When you have finished configuring the parameters, click Update Configuration.
Best Practices
To automatically fetch enrichment from TruSTAR, check the Incident or Security Incident parameter on the Auto Submission tab.
If you choose to not use the Auto Submission parameters, you can perform threat lookups and observable enrichment by checking the Threat Lookup and Observable Enrichment parameters on the Security Operations tab or by manually performing submission and enrichment actions as explained in the User Guide.
