ServiceNow v1.1.0 User Guide

Updated 1 week ago by Elvis Hovor

This document explains how to use the features of the TruSTAR workflow app for ServiceNow v1.1.0 (Madrid and London releases). The plug-in automates the extraction of Observables from events, queries against various sources, and enrichment from TruSTAR. All known intelligence - including links directly to TruSTAR’s in-depth analysis - is presented in the ServiceNow ticket.

You can use the TruSTAR plug-in to:

  • Enrich: Quickly provide context to aid in triage and investigation of incidents.
  • Manage: Conduct advanced searches for reports and indicators across all internal repositories and external sources in a single query.
  • Analyze: Add analyst notes and comments to support ongoing investigation, analysis, and collaboration.
  • Detect: Deploy internal and external intelligence to detection tools.

TruSTAR Integrations

The TruSTAR integration offers two different versions with different capabilities, based on your specific needs:

Standard Integration

  • You can create an incident in ServiceNow and submit it to TruSTAR.
  • TruSTAR returns basic information about the incident into the ServiceNow report. 
  • You can update Observable Information.

Security Operations Integration

  • All of the above PLUS
  • You can create a Security Incident and submit it to TruSTAR.
  • You can perform Threat Lookups on Security Incidents.
  • You can perform Observable Enrichment on Security Incidents.

Creating and Submitting an Incident to TruSTAR

Both levels of the TruSTAR plug-in enable you to create and submit an incident to TruSTAR. To submit a Security Incident, you must have ServiceNow Security Incident Response enabled.

This section describes the process of creating an incident or security incident.

  1. Select Security Incidents on the left menu.
  2. Select Incidents, then select Show All Incidents.
  3. Click New.
  4. Fill in the Description field on the Incident form.
  5. Click Submit to send the report to TruSTAR.

You can now see the date of the report and a link to TruSTAR Station in the Notes field. You can click on the link to view the report on TruSTAR Station.

Creating and Submitting a Security Incident Response to TruSTAR

To create and submit a Security Incident Response (SIR) incident to TruSTAR, you must have this plug-in enabled: ServiceNow Security Incident Response version 4.0.25 or higher.

Use this procedure to create and submit a Security Incident Response (SIR):

  1. Select Security Incidents on the left menu.
  2. Select Incidents, then select Show All Incidents.
  3. Click New.
  4. Fill in the Short Description and Description on the Incident form.
  5. Click Submit to send the report to TruSTAR.

You can now see the date of the report and a link to TruSTAR Station in the Notes field. Click on the link to view the report on TruSTAR Station.

After the report has been submitted, if you have automatic Threat Lookup and Observable Enrichment configured, the TruSTAR Integration will add observables found in TruSTAR to the Observables table in the incident, with links to more information on TruSTAR Station. 

There is a maximum of 100 items that can be added to the Observables table for each incident.
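The guide describes two behaviours of the automatic step above without showing them: observables are extracted from the incident text, and no more than 100 of them are added to the Observables table. The following Python example is an added illustration of that kind of extraction and is not the plug-in's own code. It refangs common defanging conventions (hxxp, [.], [:], [@]), extracts observables by type, drops internal RFC 1918 / loopback / link-local addresses so they do not consume the cap, and reports whether the 100-item limit truncated the result. The sample incident description, the internal-range list, the type names and the function names are assumptions constructed for this example.

```python
"""Observable (IOC) extraction with a per-incident cap (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

MAX_OBSERVABLES = 100  # per-incident limit stated in the guide

# Address ranges treated as internal noise rather than indicators (assumption).
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Reverse common defanging conventions so the indicator patterns match.
_REFANG: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
    (re.compile(r"\bhxxp(s?)://", re.IGNORECASE), r"http\1://"),
]

# Ordered most-specific first. Each match is blanked out before the next
# pattern runs, so a URL's path or an e-mail's domain is not re-extracted
# as a separate "domain" observable.
_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("url", re.compile(r"\bhttps?://[^\s'\"<>]+", re.IGNORECASE)),
    ("email", re.compile(r"\b[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE)),
    ("sha1", re.compile(r"\b[a-f0-9]{40}\b", re.IGNORECASE)),
    ("md5", re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]


def refang(text: str) -> str:
    """Turn defanged indicators back into their real form."""
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def _keep_ipv4(value: str, include_internal: bool) -> bool:
    """Reject non-addresses (e.g. 300.1.2.3 version strings) and, by default, internal ranges."""
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return False
    return include_internal or not any(addr in net for net in _INTERNAL_NETS)


def extract_observables(text: str, limit: int = MAX_OBSERVABLES,
                        include_internal: bool = False) -> Dict[str, object]:
    """Return {"observables": [{"type", "value"}, ...], "truncated": bool}.

    Observables are de-duplicated per type, kept in extraction order, and cut
    to `limit`; `truncated` tells the analyst that some were not added.
    """
    working = refang(text)
    seen = set()
    found: List[Dict[str, str]] = []
    for kind, pattern in _PATTERNS:
        def _consume(match: re.Match) -> str:
            raw = match.group(0)
            # URLs keep their case but lose trailing sentence punctuation;
            # everything else is normalised to lower case for de-duplication.
            value = raw.rstrip(".,;:)") if kind == "url" else raw.lower()
            if kind != "ipv4" or _keep_ipv4(value, include_internal):
                key = (kind, value)
                if key not in seen:
                    seen.add(key)
                    found.append({"type": kind, "value": value})
            return " " * len(raw)  # blank the span so later patterns skip it
        working = pattern.sub(_consume, working)
    return {"observables": found[:limit], "truncated": len(found) > limit}


# Constructed sample incident description (not from the original page).
SAMPLE_DESCRIPTION = """\
Phishing email from billing[@]invoice-update[.]example delivered a macro document.
Attachment SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Beacon to hxxp://198.51.100.23:8443/gate.php and cdn.update-check[.]example.
Internal host 10.0.4.12 contacted 198.51.100.23 repeatedly.
"""

if __name__ == "__main__":
    result = extract_observables(SAMPLE_DESCRIPTION)
    for obs in result["observables"]:
        print(f"{obs['type']:7} {obs['value']}")
    print("truncated:", result["truncated"])
```

Run on the sample, the internal host 10.0.4.12 is not reported while the external beacon address is; pass include_internal=True to keep it. The blanking order matters: because the URL is consumed first, its host is not also emitted as a bare IPv4 observable, which keeps the 100-item budget for distinct indicators.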

Updating ServiceNow IOC List with TruSTAR Enrichment

The TruSTAR platform is constantly updated with new Observables that can provide enrichment for an existing Security Incident. 

To view Associated Indicators:

  1. Select Show IOC under the Related Links subheading. You now see a list of Observables for the Security Incident.
  2. Click the Associated Indicators tab.
  3. Click TruSTAR Indicators_XXXX, where XXXX is the Security Incident number, to view the updated information.

Using the Security Operations Integration

To use the TruSTAR Threat Lookup and Observable Enrichment features, you must have this plug-in enabled:

  • ServiceNow Threat Intelligence

Performing Threat Lookups

You can use Threat Lookup to determine the priority of an Observable. The lookup returns one of the following values:

  • HIGH (considered malicious): displays a TruSTAR High Priority blue tag
  • MEDIUM
  • LOW
  • NOT FOUND

This functionality is only available if you have the ServiceNow Threat Intelligence plug-in installed.

Before running a manual threat lookup, you need to select the Threat Lookup checkbox on the Security Operations Configuration tab:

  1. Log into ServiceNow using the Admin role.
  2. Click Configuration on the left menu.
  3. In Settings, click the Security Operation Configurations tab.
  4. Select the Threat Lookup checkbox.

To run a Threat Lookup on a single Observable:

  1. Move to the Security Incident where you want to run a Threat Lookup.
  2. Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
  3. Open the desired Observable. This opens the detail page for that Observable.
  4. Click Run Threat Lookup.

To run a manual Threat Lookup on multiple Observables:

  1. Move to the Security Incident where you want to run a Threat Lookup.
  2. Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
  3. Select the checkbox next to each Observable.
  4. Select Action on selected Rows from the dropdown menu.
  5. Choose Run Threat Lookup.

Checking Threat Lookup Results

You can find the result of a Threat Lookup by clicking the Threat Lookup Results tab. 

To see Threat Lookup results of individual Observables, click the Threat Lookup Results tab inside that Observable.

Performing Observable Enrichment

You can enrich an Observable by collecting more data about that observable from TruSTAR. 

Note: Disabling this functionality affects only TruSTAR enrichment. Enrichment from all other security integrations installed on your instance will still work.

Before running a manual observable enrichment, you need to check the Observable Enrichment box on the Security Operations Configuration tab:

  1. Log into ServiceNow using the Admin role.
  2. Click Configuration on the left menu.
  3. In Settings, click the Security Operation Configurations tab.
  4. Select the Observable Enrichment checkbox.

To run a manual Observable Enrichment on a single Observable:

  1. Move to the Security Incident where you want to run the enrichment.
  2. Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
  3. Open the desired Observable. This opens the detail page for that Observable.
  4. Click Run Observable Enrichment under the Related Links subheading.
  5. On the Selection menu, select TruSTAR and click Submit.

To run a manual Observable Enrichment on multiple Observables:

  1. Move to the Security Incident where you want to run the enrichment.
  2. Click Show IoC. This displays all TruSTAR extracted Indicators as Observables.
  3. Select the checkbox next to each Observable.
  4. Select Action on selected Rows from the dropdown menu.
  5. Choose Run Observable Enrichment.
  6. On the Selection menu, select TruSTAR and click Submit.
