User Guide: TruSTAR for ServiceNow
This document explains how to use the features of the TruSTAR Workflow App for ServiceNow (London and newer versions). The App automates the extraction of Observables from events, queries against various sources, and enrichment from TruSTAR. All known intelligence - including links directly to TruSTAR’s in-depth analysis - is presented in the ServiceNow ticket.
Features
You can use the TruSTAR plug-in to:
- Enrich: Quickly provide context to aid in triage and investigation of Security Incidents.
- Manage: Conduct advanced searches for reports and indicators across all internal repositories and external sources in a single query.
- Analyze: Add analyst notes and comments to support ongoing investigation, analysis, and collaboration.
- Detect: Deploy internal and external intelligence to detection tools.
This video is a short demonstration of how TruSTAR works with ServiceNow.
Security Operations Integration
- You can create a Security Incident and submit it to TruSTAR.
- You can perform Threat Lookups on Security Incidents.
- You can perform Observable Enrichment on Security Incidents.
Submitting a Security Incident
To create and submit a Security Incident Response (SIR) incident to TruSTAR, you must have this plug-in enabled: ServiceNow Security Incident Response version 4.0.25 or higher.
Use this procedure to create and submit a Security Incident Response (SIR):
- Select Security Incidents on the left menu.
- Select Incidents, then select Show All Incidents.
- Click New.
- Fill in the Short Description and Description on the Security Incident form.
- Click Submit to send the report to TruSTAR.
You can now see the date of the report and a link to TruSTAR Station in the Notes field. Click on the link to view the report on TruSTAR Station.
After the report has been submitted, if you have automatic Threat Lookup and Observable Enrichment configured, the TruSTAR Integration will add observables found in TruSTAR to the Observables table in the Security Incident, with links to more information on TruSTAR Station.
Enriching Observables
The TruSTAR platform is constantly updated with new Observables that can provide enrichment for an existing Security Incident.
To view Associated Indicators:
- Select Show IOC under the Related Links subheading. You now see a list of Observables for the Security Incident.
- Click the Associated Indicators tab.
- Click TruSTAR Indicators_XXXX (where XXXX is the Security Incident number) to view the updated information.
Using the Security Operations Integration
To use the TruSTAR Threat Lookup and Observable Enrichment features, you must have this plug-in enabled:
- ServiceNow Threat Intelligence
Performing Threat Lookups
You can use Threat Lookup to determine the priority of an Observable. The lookup returns one of the following values:
- HIGH (considered malicious) - displays a TruSTAR High Priority blue tag
- MEDIUM
- LOW
- NOT FOUND
Before running a manual threat lookup, you need to select the Threat Lookup checkbox on the Security Operations Configuration tab:
- Log into ServiceNow using the Admin role.
- Click Configuration on the left menu.
- In Settings, click the Security Operation Configurations tab.
- Select the Threat Lookup checkbox.
Manual Threat Lookup on a Single Observable
- Open the Security Incident where you want to run a Threat Lookup.
- Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
- Open the desired Observable. This opens the detail page for that Observable.
- Click Run Threat Lookup.
Manual Threat Lookup on Multiple Observables
- Open the Security Incident where you want to run a Threat Lookup.
- Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
- Select the checkbox next to each Observable.
- Select Action on selected Rows from the dropdown menu.
- Choose Run Threat Lookup.
Checking Threat Lookup Results
You can find the result of a Threat Lookup by clicking the Threat Lookup Results tab.
To see Threat Lookup results of individual Observables, click the Threat Lookup Results tab inside that Observable.
Performing Observable Enrichment
You can enrich an Observable by collecting more data about that observable from TruSTAR.
Note: Disabling this functionality affects only TruSTAR enrichment. Enrichment from all other security integrations installed on your instance will still work.
Before running a manual observable enrichment, you need to check the Observable Enrichment box on the Security Operations Configuration tab:
- Log into ServiceNow using the Admin role.
- Click Configuration on the left menu.
- In Settings, click the Security Operation Configurations tab.
- Select the Observable Enrichment checkbox.
Manual Enrichment on a Single Observable
- Open the Security Incident where you want to run the enrichment.
- Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
- Open the desired Observable. This opens the detail page for that Observable.
- Click Run Observable Enrichment under the Related Links subheading.
- On the Selection menu, select TruSTAR and click Submit.
Manual Enrichment on Multiple Observables
- Open the Security Incident where you want to run the enrichment.
- Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
- Select the checkbox next to each Observable.
- Select Action on selected Rows from the dropdown menu.
- Choose Run Observable Enrichment.
- On the Selection menu, select TruSTAR and click Submit.