Cases

Dashboard

Enclaves

Filter and Refine Panel

MITRE ATT&CK Framework

Main Screen

Marketplace

Navigation Bar

Searching

TruSTAR Community Chat

UI Tour (with Links)

Using Notes

Copying a Report

Emailing a Report

Exporting Report Data

Moving a Report

Overview: Reports

Redacting Data from a Report

Reports Graph View

Reports List View

Reports Panel

Submitting a Report

Tagging a Report

Updating a Report

Deleting Indicators

Exporting Indicators

IOC Graph View

IOC List View

Overview: Indicators

Tagging Indicators

Threat Actors

Uploading Indicators

Whitelisting Indicators

Overview: Phishing Triage

Phishing Triage API

Phishing Triage Python SDK

Phishing Workflow in the TruSTAR Web App

Using Phishing Triage with Orchestration Tools

Using Phishing Triage with SIEM Tools

Using Phishing Triage with a TAXII Client

Editing Your Profile

Notifications

User Settings

Okta (SSO)

Ping Identity (SSO)

Automating Forwarding to an Enclave Inbox

Enclave Inbox

Setting up an Enclave Inbox with Proofpoint

Managing Users

Managing the Company Whitelist

Managing the Redaction Library

Setting Up Multi-Factor Authentication (MFA)

Setting up a Service Account

Automated Sharing Between Enclaves

Script: Correlations Between Enclaves

Script: Deleting Reports

Script: Domain-level URL Filtering

Script: Exporting Indicators

Script: Moving Data Between Enclaves

Scripts: Uploading Data

ArcSight: Upload Events to TruSTAR

Azure Sentinel: Import Indicators from TruSTAR

Crowdstrike Falcon: Import Indicators from TruSTAR

Cybereason: Import Indicators from TruSTAR

MISP: Import Reports or Indicators from TruSTAR

Overview: Managed Connectors

Proofpoint: URL Decoder

SecureWorks: Send Indicators to TruSTAR

Splunk Enterprise: Import Indicators from TruSTAR

Splunk Phantom: Enrich Notable Events

Report Correlation Email

Vetting and Tagging Indicators

FAQ: TruSTAR for Resilient

Install: TruSTAR for Resilient

User Guide: TruSTAR for Resilient

FAQ: TruSTAR for Jira

Install: TruSTAR for Jira

User Guide: TruSTAR for Jira

FAQ: TruSTAR for ServiceNow

Install: TruSTAR for ServiceNow

User Guide: TruSTAR for ServiceNow

Creating a Demisto Playbook

Indicator Retrieval in Demisto

Indicator Searches in Demisto

Listing TruSTAR Enclaves in Demisto

Phishing Triage Commands for Demisto

Report Commands in Demisto

Report Searches in Demisto

User Guide: TruSTAR for Demisto

Whitelisting with Demisto

FAQ: TruSTAR for Demisto

Install: TruSTAR for Demisto

Overview: Demisto

FAQ: TruSTAR for Phantom Cyber

Install: TruSTAR for Phantom Cyber

User Guide: TruSTAR for Phantom Cyber

FAQ: TruSTAR for Splunk ES

Install: TruSTAR for Splunk ES

User Guide: TruSTAR for Splunk ES

FAQ: TruSTAR for Splunk v1.0.9

Install: TruSTAR for Splunk v1.0.9

FAQ: TruSTAR for IBM QRadar

Install: TruSTAR for IBM QRadar

User Guide: TruSTAR for IBM QRadar

Anomali ThreatStream

LogRhythm

Palo Alto MineMeld

TAXII Client Basics

TAXII FAQ

TruSTAR TAXII Server

TruSTAR Extension for Chrome

TruSTAR on Slack

Digital Shadows

RiskIQ PassiveTotal

RiskIQ Blacklist Intelligence

Shape Blackfish

SpyCloud

Cisco AMP Threat Grid

Cisco AMP Threat Grid Indicator Query

Crowdstrike Falcon Detect

Crowdstrike Falcon Intelligence

Crowdstrike Falcon Reports

Dragos WorldView

FireEye iSight

IBM X-Force

IBM X-Force IRIS

Intel 471 Adversary Intelligence

Intel 471 Alerts

Intel 471 Malware Intelligence

Recorded Future Hash Intelligence

Recorded Future IP Intelligence

Recorded Future URL Intelligence

Recorded Future Vulnerability Intelligence

VirusTotal

A-ISAC

F-ISAC

FS-ISAC

NCFTA CyFin and TNT

AWS GuardDuty

Alienvault OTX Pulse

Cybersource

Facebook Threat Exchange

Farsight Security

Hybrid Analysis

Joe Sandbox

MISP

TAXII Client

Intel Feeds Source URLs

OSINT Sources Tech Specs

Premium Intel Sources Tech Specs

RSS Open Sources Tech Specs

COVID-19 OSINT Community Enclave

How Intelligence Sources are Updated

Intro to Intelligence Sources

Normalized Indicator Scores

Priority Event Scores

Priority Indicator Scores

Auto-Whitelist

Python SDK

REST API

Redaction Library

API Usage Policy

Applications Integrations FAQ

Clearing browser cookies and caches

Contacting TruSTAR Support

Entity Extraction FAQ

Finding Enclave IDs

Finding Report IDs

Finding Your API Keys

Intelligence Sources FAQ

Observables Supported by TruSTAR

Request to Archive Premium Intel Source

Security FAQ

Uploading Observables FAQ

What is the TruSTAR Community?

Release Notes

Enrich Indicators in TruSTAR

Enrich Reports in TruSTAR

Filter Indicators from TruSTAR

Get Phishing Indicators

Ingest Indicators from TruSTAR

Redact a Report in TruSTAR

Share a Report

Submit Indicators to TruSTAR

Submit Report to TruSTAR

Triage Phishing Submissions

Whitelist Indicators

Case Management Integrations

Overview: Partner Resources

SIEM Integrations

SOAR Integrations

TruSTAR Configuration Requirements

All Categories > Workflow Apps > Case Management > ServiceNow > Install: TruSTAR for ServiceNow

Install: TruSTAR for ServiceNow

Updated 2 months ago by Elvis Hovor

Related Links
Requirements
Installation Options
Installing the App
Configuring the App
Best Practices

This document explains how to install and configure the TruSTAR Workflow App for ServiceNow (London and newer versions).

Time to Install: 15-20 minutes

Requirements

The TruSTAR Workflow App works with ServiceNow London and newer versions.

To submit Security Incident Response (SIR) incidents to TruSTAR, you must have the following plug-ins:

ServiceNow Security Incident Response version 4.0.25 or higher
ServiceNow Threat Core version 4.0.25 or higher

To use the TruSTAR Threat Lookup and Observable Enrichment features, you must have this plug-in:

ServiceNow Threat Intelligence

Installation Options

The TruSTAR Workflow App for ServiceNow is certified for the London and newer versions only.

To install directly from the ServiceNow store, you must be using London or newer versions.
For all other versions, please follow the Manual Installation process in the FAQ.

Installing the App

The TruSTAR Workflow App is available for download from the ServiceNow app store.

Log into the ServiceNow store with HI credentials.
Search for TruSTAR Integration for ServiceNow.
Select the TruSTAR integration and click Get.
Accept any license terms and select the instance where the integration will be installed.
Log in to the instance where you want to install the application.
Navigate to System Applications > Applications.
Select the Downloads tab.
Locate the TruSTAR Integration, select it, and click Install.

Configuring the App

This section describes how to configure these areas:

User Roles
Core Application Parameters
Threat Lookup Parameters
Observable Enrichment Parameters

User Roles in London

In the London version, you need to add Custom Role settings to the Application Role:

Log into ServiceNow as Admin and then go to User Administration on the left menu.
Select Roles.
Select the role x_tstar_trustar.TruSTARAppAdmin.
Select Edit in the Contains Roles table.
Add these roles to x_tstar_trustar.TruSTARAppAdmin:
1. itil
2. sn_si.analyst
3. sn_si.read
4. sn_sec_core.read_dictionary
5. x_tstar_trustar.TruSTARAppAdmin

You now see that the x_tstar_trustar.TruSTARAppAdmin role now has System Roles assigned to it.

User Roles in Madrid and Newer

For Madrid and newer versions, you need to create a new user and then add roles to that user.

Log into ServiceNow as Admin and then go to User Administration on the left menu.
Select Users.
Create a new user ID, for example trustar_admin.

Open the user you just created and click Edit.
Assign the following roles to that new user:

Itil
sn_si.analyst
sn_si.read
Sn_sec_core.read_dictionary
x_tstar_trustar.TruSTARAppAdmin

Click Update in the top right corner to finish the user configuration.

Setting Core Parameters

This section explains how to set up the core parameters for the TruSTAR App. There are five areas you can configure: the main area at the top and four tabs near the bottom. After you finish editing the parameters, you must click the Update Configuration button to save your changes.

Log into ServiceNow using the Admin role.
Select Configuration on the left menu.
Select Settings. You now see the Settings displayed.

In the main area on the right side, enter the parameters as described in the table below.

Parameter	Required	Description
Endpoint	Yes	The TruSTAR Web App URL from which data is collected by executing API calls. Set this parameter to https://station.trustar.co
Access Key	Yes	Used to make API calls. Finding your API Key
Secret Key	Yes	Used when making API calls. Finding your API Secret Key
Report Submission Enclave IDs	Yes	The Enclave(s) to import data from. To import data from multiple enclaves, separate each enclave ID with a comma and no spaces: Retrieving your Enclave IDs
Indicator Search Enclave IDs	No	The Enclave ID(s) where you want to search for Indicators. If left blank, the search will include indicators from all Enclaves you have access to. To specify multiple enclaves, separate each enclave ID with a comma and no spaces:
Enrichment Retention Period (days)	No	Number of days after which the Indicator can be updated by TruSTAR enrichment.

On the Auto Submission tab, you can edit these parameters:

Parameter

Required

Description

Security Incident

Automatically submits a Report to TruSTAR Station when a Security Incident is created and returns information from TruSTAR about that Report, including Threat Lookup and Observable Enrichment.

Note: This parameter is only available If you have the ServiceNow Security Incident Response plug-in.

On the Configure Report Body tab, you can edit these parameters:

Parameter

Required

Description

Share Close Code and Close Notes

These notes are added when Reports are submitted to TruSTAR or when the Incident or Security Incident is closed.

Security Incident Fields

Configure the fields to include in the body of a Security Incident when the Report is sent to TruSTAR. Best practice is to include the Short Description and Description categories.

Note: This parameter is only available If you have the ServiceNow Security Incident Response plug-in.

On the Exclude Categories tab, you can choose categories to exclude from a report to TruSTAR.

On the Security Operation Configuration tab, you can edit two parameters.

This tab only available if you have activated the ServiceNow Threat Intelligence plug-in.

Parameter

Required

Description

Threat Lookup

Enables Threat Lookup operations, either automatically or manually. Threat lookups can include files, hash values, URLs, and IP addresses.

Best practice is to select this checkbox only if you have not selected auto-submission of security incident.

Observable Enrichment

Enables you to perform Observable Enrichment operations, either automatically or manually.

Best practice is to select this checkbox as an alternative if auto submission of security incident is not selected.

When you have finished configuring the parameters, click Update Configuration.

Best Practices

To automatically fetch enrichment from TruSTAR, check the Security Incident parameter on the Auto Submission tab.

If you choose to not use the Auto Submission parameters, you can perform threat lookups and observable enrichment by checking the Threat Lookup and Observable Enrichment parameters on the Security Operations tab or by manually performing submission and enrichment actions as explained in the User Guide.

How Did We Do?

(opens in a new tab)

Install: TruSTAR for ServiceNow

Related Links

Requirements

Installation Options

Installing the App

Configuring the App

User Roles in London

User Roles in Madrid and Newer

Setting Core Parameters

Best Practices

How Did We Do?

Related Articles FAQ: TruSTAR for ServiceNow User Guide: TruSTAR for ServiceNow Install: TruSTAR for Jira

Contact

Related Articles

FAQ: TruSTAR for ServiceNow

User Guide: TruSTAR for ServiceNow

Install: TruSTAR for Jira