Install: TruSTAR for ServiceNow V2
This document explains how to install and configure the TruSTAR Workflow App for ServiceNow (Paris version).
Time to Install: 15-20 minutes
Requirements
- ServiceNow version: Paris
- ServiceNow Security Incident Response module version 10.0.4 or greater.
Installation Options
The TruSTAR-ServiceNow module is certified for the Paris version only.
- To install directly from the ServiceNow store, you must be using the Paris version.
Installing the TruSTAR App
This procedure downloads the TruSTAR App from the ServiceNow app store.
- Log into the ServiceNow store with HI credentials.
- Search for TruSTAR Integration for ServiceNow.
- Select the TruSTAR integration and click Get.
- Accept any license terms and select the instance where the integration will be installed.
- Log in to the instance where you want to install the application.
- Navigate to System Applications > Applications.
- Select the Downloads tab.
- Locate the TruSTAR Integration, select it, and click Install.
Setting Up User Roles
TruSTAR recommends creating at least two separate roles:
- An Admin role that can edit the TruSTAR application configuration table and perform all other actions offered in the TruSTAR App. In ServiceNow, this is the x_tstar_trustarv2.TruSTARAdmin role.
- A User role that can perform all actions except editing the TruSTAR application configuration table. In ServiceNow, this is the x_tstar_trustarv2.trustar_user role.
You can also set up these roles:
- Security Incident Response: Enables the user to administer and interact with the SIR table and the tickets listed in that table. The sn_si.analyst role provides the functionality you need for the TruSTAR App, but you can also select other roles. See the ServiceNow documentation for these roles.
- Threat Intelligence: Enables the user to administer and interact with the Observables table that stores Observables and enrichment data. The sn_ti.admin role provides the functionality you need for the TruSTAR App, but you can also choose different roles with more fine-grained control. See the ServiceNow documentation for these roles.
Configuring the TruSTAR App
This section explains how to configure these settings for the TruSTAR App:
- Global Settings
- SIR Submission Settings
- Observable Enrichment Settings
After you finish editing the parameters, you must click the Update Configuration button to save your changes.
- Log into ServiceNow using the Admin role.
- Select TruSTAR on the left menu. If you don't see it listed, use the Search box to locate it.
- Select Configuration, then Settings on the left menu.
- Click New on the top menu bar to begin the configuration. There are three sections to the configuration, as explained in the three tables below:
- Global Settings
- SIR Submission Settings
- Observable Enrichment Settings
- When you have completed all three sections, click Save to save your changes.
Global Settings
You must configure these settings to use the TruSTAR App.
| Setting | Required | Description |
| --- | --- | --- |
| API Endpoint | Yes | The TruSTAR Web App URL. This parameter is automatically set to https://api.trustar.co |
| TruSTAR API Key | Yes | Used to make API calls. See Finding your API Key. |
| TruSTAR API Secret | Yes | Used when making API calls. See Finding your API Secret Key. |
Submission Settings
These settings on the SIR Submission tab are used when submitting ServiceNow reports to the TruSTAR platform.
| Setting | Required | Description |
| --- | --- | --- |
| Submission Enclave ID(s) | Yes | The Enclave(s) to import data from. To import data from multiple enclaves, separate each Enclave ID with a comma and no spaces. You must specify at least one Enclave ID. |
| Auto Submit SIR | No | Select this to automatically submit a new SIR ticket as a report to TruSTAR. |
| SIR Fields to Submit | No | The fields from an SIR ticket that will be included in the report sent to TruSTAR. Click the icon to open a text field that displays the selected SIR fields. You can add or remove fields by clicking the Add/Remove Multiple button on the right of the text field. The default is to include the Short Description and Description fields. |
| Exclude Categories | No | The incident categories that will not be submitted to TruSTAR. Click the icon to edit the category list. By default, no categories are excluded. |
| Add Observables to Observables Table | No | Select this to copy the Observables in the Description section of the SIR ticket and add them to the Observables table in that SIR. |
| Create Observable Enrichment Work Note Summary | No | Select this to provide a comprehensive list of Indicators with Normalized and Intel Source scoring and links to each Indicator in TruSTAR. This list appears in the Work Notes section of the ticket. |
Share to TruSTAR Settings
These settings on the SIR Submission tab define what information is shared with TruSTAR.
| Setting | Required | Description |
| --- | --- | --- |
| Share SIR Reports to Enclaves | No | Select this to enable a user to share reports and enrichment data to shared Enclaves in TruSTAR. |
| Sharing Enclave ID(s) | No | A comma-separated list of Enclave IDs to share reports and indicators to in TruSTAR. |
| Report Redaction | No | Select this to redact a TruSTAR Report before sharing it into other Enclaves. The redaction process uses the redaction list your organization has stored in TruSTAR. |
| Share SIR Indicators to Enclaves | No | Select this to send Indicators from an SIR to a shared Enclave. |
Enrichment Settings
These settings on the Observable Enrichment tab control how Observables are handled between ServiceNow and TruSTAR.
| Setting | Required | Description |
| --- | --- | --- |
| Enable Observable Auto Enrichment | No | Select this to automatically enrich Observables with all available data and metadata from TruSTAR. All data returned from TruSTAR is shown in the Threat Lookup table in the SIR. |
| Enrichment Enclave IDs | Yes | The Enclave(s) to use for enriching Observables. To use multiple enclaves, separate each Enclave ID with a comma and no spaces. You must specify at least one Enclave ID. |
| Enrichment Expiration | No | Select this to enable the Expiration Period (below). |
| Expiration Period (# Days) | No | Number of days before Indicator information in the ServiceNow Threat Lookup table is updated with any new information from TruSTAR. The default is 7 days. |
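The settings tables above state several constraints (required API credentials, at least one Enclave ID per list, comma-separated IDs with no spaces, a 7-day default expiration). The following added example, which is not TruSTAR's or ServiceNow's own code, checks a settings object against those constraints before it is saved; the property names on `cfg` and the sharing-related warnings are assumptions, not the real x_tstar_trustarv2 column names or product behaviour.

```javascript
// Added example (not TruSTAR's or ServiceNow's code): pre-save sanity check for the
// documented settings. ES5 style so it can live in a ServiceNow Script Include; the
// property names on `cfg` are assumed, not the real x_tstar_trustarv2 column names.
var DEFAULT_API_ENDPOINT = 'https://api.trustar.co';
var DEFAULT_EXPIRATION_DAYS = 7;

// Enclave ID lists: at least one ID, comma-separated, no spaces (per the settings tables).
function parseEnclaveIds(raw) {
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, ids: [], error: 'at least one Enclave ID is required' };
  }
  if (/\s/.test(raw)) {
    return { ok: false, ids: [], error: 'IDs must be comma-separated with no spaces' };
  }
  var ids = raw.split(',');
  for (var i = 0; i < ids.length; i++) {
    if (ids[i].length === 0) {
      return { ok: false, ids: [], error: 'empty ID in list (double comma?)' };
    }
  }
  return { ok: true, ids: ids, error: null };
}

// Returns { ok, errors, warnings, settings } with the documented defaults applied.
function validateTruSTARConfig(cfg) {
  var errors = [], warnings = [], out = {};
  out.apiEndpoint = cfg.apiEndpoint || DEFAULT_API_ENDPOINT;
  if (out.apiEndpoint.indexOf('https://') !== 0) errors.push('API Endpoint must use https');
  if (!cfg.apiKey) errors.push('TruSTAR API Key is required');
  if (!cfg.apiSecret) errors.push('TruSTAR API Secret is required');
  var sub = parseEnclaveIds(cfg.submissionEnclaveIds);
  if (!sub.ok) errors.push('Submission Enclave ID(s): ' + sub.error);
  out.submissionEnclaveIds = sub.ids;
  var enr = parseEnclaveIds(cfg.enrichmentEnclaveIds);
  if (!enr.ok) errors.push('Enrichment Enclave IDs: ' + enr.error);
  out.enrichmentEnclaveIds = enr.ids;
  // Sharing settings are optional in the product; these are assumed review points, not errors.
  if (cfg.shareSirReports || cfg.shareSirIndicators) {
    var sh = parseEnclaveIds(cfg.sharingEnclaveIds || '');
    if (!sh.ok) warnings.push('sharing is enabled but Sharing Enclave ID(s) is empty');
    if (!cfg.reportRedaction) warnings.push('sharing is enabled without Report Redaction');
    out.sharingEnclaveIds = sh.ids;
  }
  var days = cfg.expirationDays === undefined ? DEFAULT_EXPIRATION_DAYS : cfg.expirationDays;
  if (typeof days !== 'number' || days < 1 || days !== Math.floor(days)) {
    errors.push('Expiration Period (# Days) must be a whole number of days, 1 or more');
  }
  out.expirationDays = days;
  return { ok: errors.length === 0, errors: errors, warnings: warnings, settings: out };
}
```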
After configuration, the TruSTAR App is ready for use.