Install: TruSTAR for ServiceNow
This document explains how to install and configure the TruSTAR Workflow App for ServiceNow (London and newer versions).
Time to Install: 15-20 minutes
Requirements
The TruSTAR Workflow App works with ServiceNow London and newer versions.
To submit Security Incident Response (SIR) incidents to TruSTAR, you must have the following plug-ins installed:
- ServiceNow Security Incident Response version 4.0.25 or higher
- ServiceNow Threat Core version 4.0.25 or higher
To use the TruSTAR Threat Lookup and Observable Enrichment features, you must have this plug-in:
- ServiceNow Threat Intelligence
Installation Options
The TruSTAR Workflow App for ServiceNow is certified for the London and newer versions only.
To install directly from the ServiceNow store, you must be using London or newer versions. For all other versions, please follow the Manual Installation process in the FAQ.
Installing the App
The TruSTAR Workflow App is available for download from the ServiceNow app store.
- Log into the ServiceNow store with HI credentials.
- Search for TruSTAR Integration for ServiceNow.
- Select the TruSTAR integration and click Get.
- Accept any license terms and select the instance where the integration will be installed.
- Log in to the instance where you want to install the application.
- Navigate to System Applications > Applications.
- Select the Downloads tab.
- Locate the TruSTAR Integration, select it, and click Install.
Configuring the App
This section describes how to configure these areas:
- User Roles
- Core Application Parameters
- Threat Lookup Parameters
- Observable Enrichment Parameters
User Roles in London
In the London version, you need to add Custom Role settings to the Application Role:
- Log into ServiceNow as Admin and then go to User Administration on the left menu.
- Select Roles.
- Select the role x_tstar_trustar.TruSTARAppAdmin.
- Select Edit in the Contains Roles table.
- Add these roles to x_tstar_trustar.TruSTARAppAdmin:
- itil
- sn_si.analyst
- sn_si.read
- sn_sec_core.read_dictionary
- x_tstar_trustar.TruSTARAppAdmin
The x_tstar_trustar.TruSTARAppAdmin role now has these System Roles assigned to it.
User Roles in Madrid and Newer
For Madrid and newer versions, you need to create a new user and then add roles to that user.
- Log into ServiceNow as Admin and then go to User Administration on the left menu.
- Select Users.
- Create a new user ID, for example trustar_admin.
- Open the user you just created and click Edit.
- Assign the following roles to that new user:
- itil
- sn_si.analyst
- sn_si.read
- sn_sec_core.read_dictionary
- x_tstar_trustar.TruSTARAppAdmin
- Click Update in the top right corner to finish the user configuration.
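The two role procedures above reach the same end state by different routes: in London the app admin role is made to contain the other roles, while in Madrid and newer the roles are granted directly to a dedicated user. The following check is an added example, not part of the TruSTAR app or ServiceNow; it expands a user's roles through Contains Roles relationships (which this page's London setup makes cyclic) and reports which of the required roles are still missing. The user and role data in it are constructed.

```python
# Role names as listed in the installation guide. They are ServiceNow role
# identifiers and must match exactly, so "Itil" does not satisfy "itil".
REQUIRED_ROLES = frozenset({
    "itil",
    "sn_si.analyst",
    "sn_si.read",
    "sn_sec_core.read_dictionary",
    "x_tstar_trustar.TruSTARAppAdmin",
})

def effective_roles(direct_roles, contains):
    """Expand the roles a user holds through 'Contains Roles' relationships.

    contains maps a role name to the set of role names it contains. The walk
    tolerates cycles: the London setup lists the app admin role inside its
    own Contains Roles table.
    """
    seen = set()
    pending = list(direct_roles)
    while pending:
        role = pending.pop()
        if role in seen:
            continue
        seen.add(role)
        pending.extend(contains.get(role, ()))
    return seen

def missing_roles(direct_roles, contains=None):
    """Return the required roles the user still lacks, sorted for stable output."""
    return sorted(REQUIRED_ROLES - effective_roles(direct_roles, contains or {}))

# London (constructed data): the app admin role contains the other four roles
# and itself, exactly as the page's Contains Roles list shows.
LONDON_CONTAINS = {"x_tstar_trustar.TruSTARAppAdmin": set(REQUIRED_ROLES)}
LONDON_USER_ROLES = ["x_tstar_trustar.TruSTARAppAdmin"]

# Madrid and newer (constructed data): roles granted directly to trustar_admin.
MADRID_USER_ROLES = ["itil", "sn_si.analyst", "sn_si.read",
                     "sn_sec_core.read_dictionary", "x_tstar_trustar.TruSTARAppAdmin"]

if __name__ == "__main__":
    print("London missing:", missing_roles(LONDON_USER_ROLES, LONDON_CONTAINS))  # []
    print("Madrid missing:", missing_roles(MADRID_USER_ROLES))                   # []
    # A mis-typed role name is reported as missing rather than silently accepted.
    print("Typo missing:", missing_roles(["Itil", "sn_si.analyst", "sn_si.read",
                                          "Sn_sec_core.read_dictionary",
                                          "x_tstar_trustar.TruSTARAppAdmin"]))
```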
Setting Core Parameters
This section explains how to set up the core parameters for the TruSTAR App. There are five areas you can configure: the main area at the top and four tabs near the bottom. After you finish editing the parameters, you must click the Update Configuration button to save your changes.
- Log into ServiceNow using the Admin role.
- Select Configuration on the left menu.
- Select Settings to display the Settings page.
- In the main area on the right side, enter the parameters as described in the table below.
Parameter | Required | Description |
Endpoint | Yes | The TruSTAR Web App URL from which data is collected by executing API calls. Set this parameter to https://station.trustar.co |
Access Key | Yes | Used to make API calls. Finding your API Key |
Secret Key | Yes | Used when making API calls. Finding your API Secret Key |
Report Submission Enclave IDs | Yes | The Enclave(s) to import data from. To import data from multiple enclaves, separate each enclave ID with a comma and no spaces. |
Indicator Search Enclave IDs | No | The Enclave ID(s) where you want to search for Indicators. If left blank, the search includes indicators from all Enclaves you have access to. To specify multiple enclaves, separate each enclave ID with a comma and no spaces. |
Enrichment Retention Period (days) | No | Number of days after which the Indicator can be updated by TruSTAR enrichment. |
- On the Auto Submission tab, you can edit these parameters:
Parameter | Required | Description |
Security Incident | No | Automatically submits a Report to TruSTAR Station when a Security Incident is created and returns information from TruSTAR about that Report, including Threat Lookup and Observable Enrichment. Note: This parameter is only available if you have the ServiceNow Security Incident Response plug-in. |
- On the Configure Report Body tab, you can edit these parameters:
Parameter | Required | Description |
Share Close Code and Close Notes | No | These notes are added when Reports are submitted to TruSTAR or when the Incident or Security Incident is closed. |
Security Incident Fields | No | Configure the fields to include in the body of a Security Incident when the Report is sent to TruSTAR. Best practice is to include the Short Description and Description categories. Note: This parameter is only available if you have the ServiceNow Security Incident Response plug-in. |
- On the Exclude Categories tab, you can choose categories to exclude from a report to TruSTAR.
- On the Security Operation Configuration tab, you can edit two parameters.
Parameter | Required | Description |
Threat Lookup | No | Enables Threat Lookup operations, either automatically or manually. Threat lookups can include files, hash values, URLs, and IP addresses. Best practice is to select this checkbox only if you have not enabled Auto Submission for Security Incidents. |
Observable Enrichment | No | Enables Observable Enrichment operations, either automatically or manually. Best practice is to select this checkbox as an alternative when Auto Submission for Security Incidents is not enabled. |
- When you have finished configuring the parameters, click Update Configuration.
Best Practices
To automatically fetch enrichment from TruSTAR, check the Security Incident parameter on the Auto Submission tab.
If you choose not to use the Auto Submission parameters, you can perform threat lookups and observable enrichment by checking the Threat Lookup and Observable Enrichment parameters on the Security Operation Configuration tab, or by manually performing submission and enrichment actions as explained in the User Guide.
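The Settings page does not tell you whether the values you entered fit the rules in the tables above or the best practices here. The following validator is an added example, not part of the TruSTAR app; it checks a dictionary of Settings values keyed by the parameter names on this page (the Auto Submission checkbox is represented as the constructed key "Auto Submission: Security Incident"), enforces the required fields, the fixed Endpoint and the comma-without-spaces rule for enclave IDs, and warns when Threat Lookup or Observable Enrichment is enabled alongside Auto Submission. All sample keys and enclave IDs in it are placeholders.

```python
STATION_URL = "https://station.trustar.co"  # the only Endpoint value the page allows

def parse_enclave_ids(name, value, required):
    """Split a comma-separated Enclave ID list; the page requires commas and no spaces."""
    errors = []
    if not value.strip():
        if required:
            errors.append(f"{name} is required")
        return [], errors
    if " " in value:
        errors.append(f"{name}: separate IDs with a comma and no spaces")
    ids = [item.strip() for item in value.split(",")]
    if "" in ids:
        errors.append(f"{name}: empty entry (stray comma)")
    return [item for item in ids if item], errors

def validate_settings(cfg):
    """Return (errors, warnings) for a dict of Settings values keyed by parameter name."""
    errors, warnings = [], []
    for key in ("Endpoint", "Access Key", "Secret Key"):
        if not cfg.get(key, "").strip():
            errors.append(f"{key} is required")
    endpoint = cfg.get("Endpoint", "").strip().rstrip("/")
    if endpoint and endpoint != STATION_URL:
        errors.append(f"Endpoint must be {STATION_URL}, not {endpoint!r}")
    for key, required in (("Report Submission Enclave IDs", True),
                          ("Indicator Search Enclave IDs", False)):
        _, errs = parse_enclave_ids(key, cfg.get(key, ""), required)
        errors.extend(errs)
    retention = cfg.get("Enrichment Retention Period (days)", "").strip()
    if retention and not retention.isdigit():
        errors.append("Enrichment Retention Period (days) must be a whole number of days")
    # Best practice from the page: Auto Submission already returns Threat Lookup and
    # Observable Enrichment, so the Security Operation Configuration checkboxes are an alternative.
    auto = bool(cfg.get("Auto Submission: Security Incident", False))
    manual = bool(cfg.get("Threat Lookup", False) or cfg.get("Observable Enrichment", False))
    if auto and manual:
        warnings.append("Auto Submission already returns Threat Lookup and Observable Enrichment; "
                        "best practice is to leave those checkboxes clear")
    if not auto and not manual:
        warnings.append("No automatic lookups configured; submission and enrichment must be run manually")
    return errors, warnings

# Constructed sample values for illustration only; not real keys or enclave IDs.
SAMPLE_SETTINGS = {
    "Endpoint": "https://station.trustar.co",
    "Access Key": "<your-access-key>",
    "Secret Key": "<your-secret-key>",
    "Report Submission Enclave IDs": "enclave-a,enclave-b",
    "Indicator Search Enclave IDs": "",
    "Enrichment Retention Period (days)": "30",
    "Auto Submission: Security Incident": True,
    "Threat Lookup": False,
    "Observable Enrichment": False,
}
```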