User Guide: TruSTAR for ServiceNow

Updated 2 months ago by Elvis Hovor

This document explains how to use the features of the TruSTAR Workflow App for ServiceNow (London and newer versions). The App automates the extraction of Observables from events, queries against various sources, and enrichment from TruSTAR. All known intelligence - including links directly to TruSTAR’s in-depth analysis - is presented in the ServiceNow ticket.

Features

You can use the TruSTAR plug-in to:

  • Enrich: Quickly provide context to aid in triage and investigation of Security Incidents.
  • Manage: Conduct advanced searches for reports and indicators across all internal repositories and external sources in a single query.
  • Analyze: Add analyst notes and comments to support ongoing investigation, analysis, and collaboration.
  • Detect: Deploy internal and external intelligence to detection tools.


TruSTAR Integration

Security Operations Integration

  • You can create a Security Incident and submit it to TruSTAR.
  • You can perform Threat Lookups on Security Incidents.
  • You can perform Observable Enrichment on Security Incidents.

Submitting a Security Incident Response to TruSTAR

To create and submit a Security Incident Response (SIR) incident to TruSTAR, you must have the ServiceNow Security Incident Response plug-in (version 4.0.25 or higher) enabled.

Use this procedure to create and submit a Security Incident Response (SIR):

  1. Select Security Incidents on the left menu.
  2. Select Incidents, then select Show All Incidents.
ServiceNow_UserGuide_Figure3
  3. Click New.
  4. Fill in the Short Description and Description on the Security Incident form.
  5. Click Submit to send the report to TruSTAR.

You can now see the date of the report and a link to TruSTAR Station in the Notes field. Click on the link to view the report on TruSTAR Station.

ServiceNow_UserGuide_Figure4

After the report has been submitted, if automatic Threat Lookup and Observable Enrichment are configured, the TruSTAR Integration adds the observables found in TruSTAR to the Observables table of the Security Incident, with links to more information on TruSTAR Station.

ServiceNow_UserGuide_Figure5

A maximum of 100 items can be added to the Observables table for each Security Incident.

Updating ServiceNow Indicator List with TruSTAR Enrichment

The TruSTAR platform is constantly updated with new Observables that can provide enrichment for an existing Security Incident. 

To view Associated Indicators:

  1. Select Show IOC under the Related Links subheading. You now see a list of Observables for the Security Incident.
  2. Click the Associated Indicators tab.
ServiceNow_UserGuide_Figure6
  3. Click TruSTAR Indicators_XXXX (where XXXX is the Security Incident number) to view the updated information.
ServiceNow_UserGuide_Figure7

Using the Security Operations Integration

To use the TruSTAR Threat Lookup and Observable Enrichment features, you must have this plug-in enabled:

  • ServiceNow Threat Intelligence

Performing Threat Lookups

You can use Threat Lookup to determine the priority of an Observable. The lookup returns one of the following values:

  • HIGH (considered malicious) - displays a TruSTAR High Priority blue tag
  • MEDIUM
  • LOW
  • NOT FOUND

This functionality is only available if you have the ServiceNow Threat Intelligence plug-in installed.

Before running a manual threat lookup, you need to select the Threat Lookup checkbox on the Security Operations Configuration tab:

  1. Log into ServiceNow using the Admin role.
  2. Click Configuration on the left menu.
  3. In Settings, click the Security Operation Configurations tab.
  4. Select the Threat Lookup checkbox.
ServiceNow_UserGuide_Figure8

To run a Threat Lookup on a single Observable:

  1. Open the Security Incident where you want to run a Threat Lookup.
  2. Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
  3. Open the desired Observable. This opens the detail page for that Observable.
  4. Click Run Threat Lookup.

To run a manual Threat Lookup on multiple Observables:

  1. Open the Security Incident where you want to run a Threat Lookup.
  2. Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
  3. Select the checkbox next to each Observable.
  4. Select Action on selected Rows from the dropdown menu.
  5. Choose Run Threat Lookup.

Checking Threat Lookup Results

You can find the result of a Threat Lookup by clicking the Threat Lookup Results tab. 

ServiceNow_UserGuide_Figure9

To see Threat Lookup results of individual Observables, click the Threat Lookup Results tab inside that Observable.
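The guide lists four Threat Lookup priorities (HIGH, MEDIUM, LOW, NOT FOUND), a tag for HIGH results, and a cap of 100 items per Observables table, but not how a batch larger than the cap is trimmed. The following is an added example, not code from the TruSTAR app or from ServiceNow: it takes constructed lookup results, normalises the priority values, de-duplicates repeated observables, attaches the HIGH tag, and applies the 100-item cap so that HIGH results are kept before NOT FOUND ones (the HIGH-first ordering is this example's assumption).

```python
"""Added example (not part of the TruSTAR app): apply the documented
Threat Lookup priorities and the 100-item Observables cap to a
constructed batch of lookup results."""
from collections import OrderedDict

# Priority values the guide lists for a Threat Lookup, best-first.
PRIORITY_ORDER = ("HIGH", "MEDIUM", "LOW", "NOT FOUND")
# The guide states at most 100 items land in an Observables table.
MAX_OBSERVABLES = 100
HIGH_TAG = "TruSTAR High Priority"  # tag shown for HIGH (malicious) results


def normalize_priority(value):
    """Map a raw lookup value to one of the four documented priorities.
    Anything missing or unrecognised becomes NOT FOUND, never promoted."""
    if value is None:
        return "NOT FOUND"
    v = str(value).strip().upper().replace("_", " ")
    return v if v in PRIORITY_ORDER else "NOT FOUND"


def build_observable_rows(lookup_results, limit=MAX_OBSERVABLES):
    """Turn (type, value, priority) results into Observables-table rows:
    de-duplicated (keeping the highest priority seen), HIGH first so the
    cap never drops a malicious hit in favour of a NOT FOUND one, and the
    HIGH tag attached. Returns (rows_kept, number_dropped)."""
    merged = OrderedDict()
    for obs_type, value, raw_priority in lookup_results:
        key = (obs_type, value.strip().lower())
        prio = normalize_priority(raw_priority)
        rank = PRIORITY_ORDER.index(prio)
        if key not in merged or rank < PRIORITY_ORDER.index(merged[key]["priority"]):
            merged[key] = {"type": obs_type, "value": value.strip(), "priority": prio}
    rows = sorted(merged.values(), key=lambda r: PRIORITY_ORDER.index(r["priority"]))
    for r in rows:
        r["tags"] = [HIGH_TAG] if r["priority"] == "HIGH" else []
    dropped = max(0, len(rows) - limit)
    return rows[:limit], dropped


# Constructed sample: 101 distinct NOT FOUND IPs plus one hash reported twice
# (once "low", once "high" with different letter case) - 102 unique items.
SAMPLE_RESULTS = [("ip", "10.0.0.%d" % i, "NOT FOUND") for i in range(1, 102)]
SAMPLE_RESULTS += [("md5", "0123456789abcdef0123456789abcdef", "low"),
                   ("md5", "0123456789ABCDEF0123456789ABCDEF", "high")]

if __name__ == "__main__":
    kept, dropped = build_observable_rows(SAMPLE_RESULTS)
    print(len(kept), "rows kept,", dropped, "dropped; first row:", kept[0])
```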

Performing Observable Enrichment

You can enrich an Observable by collecting more data about that observable from TruSTAR. 

Note: Disabling this functionality affects only TruSTAR enrichment. Enrichment from all other security integrations installed on your instance will still work.

Before running a manual observable enrichment, you need to check the Observable Enrichment box on the Security Operations Configuration tab:

  1. Log into ServiceNow using the Admin role.
  2. Click Configuration on the left menu.
  3. In Settings, click the Security Operation Configurations tab.
  4. Select the Observable Enrichment checkbox.
ServiceNow_UserGuide_Figure10

To run a manual Observable Enrichment on a single Observable:

  1. Open the Security Incident where you want to run the enrichment.
  2. Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
  3. Open the desired Observable. This opens the detail page for that Observable.
  4. Click Run Observable Enrichment under the Related Links subheading.
  5. On the Selection menu, select TruSTAR and click Submit.

To run a manual Observable Enrichment on multiple items:

  1. Open the Security Incident where you want to run the enrichment.
  2. Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
  3. Select the checkbox next to each Observable.
  4. Select Action on selected Rows from the dropdown menu.
  5. Choose Run Observable Enrichment.
  6. On the Selection menu, select TruSTAR and click Submit.
