FAQ: TruSTAR for ServiceNow

Updated 6 months ago by Elvis Hovor

This document covers how to manually install the TruSTAR Workflow App for ServiceNow (London and newer versions), update or uninstall the App, and includes sections on troubleshooting and known issues.

Manual Installation

To manually install the TruSTAR Workflow App for ServiceNow, first download the XML bundle here. This XML file supports all available TruSTAR actions from ServiceNow.

Follow these steps to install the XML file into ServiceNow:

  1. In ServiceNow, go to System Update Sets on the left menu. 
  2. Click Retrieved Update Sets
  3. Go to Related Links and Click Import Update Set from XML.
  4. Select the XML update set you want and click Upload.
  5. Once the upload has finished, click on the TruSTAR upload set and open.
  6. Click Preview Update Set at the bottom of the right area to see details of the set.
  7. Click Commit Update Set to complete the process. After the commit has finished, you must reload the form to see TruSTAR menu items.

Uninstalling the App

  1. Log in to ServiceNow as Admin.
  2. Go to System Applications on the left menu.
  3. Select Applications.
  4. From the Application Manager, select TruSTAR - Integration.
  5. Click Uninstall on the next screen then click on the confirmation dialog to proceed with the uninstall.


Q: Does the TruSTAR App ingest work notes or secure notes?

A: No. If you want to submit Indicators or other data to TruSTAR, this information can be inserted in the Description or Short Description fields. The same applies for attachments in Reports; Indicators can be added to either of the Description fields.

Q: I cannot find any TruSTAR enrichment in my work notes?

A: Verify that you are submitting the Security incident to your enclave in TruSTAR. Also, check that the filter for worknotes is not turned on. If this filter is selected, it prevents all worknotes from showing, including any enrichment from TruSTAR.

Known Issues

Apply Button does not always save settings.

When configuring the App settings, the Apply button does not always save and apply settings. To ensure that your changes are saved and applied, use the Save button, not the Apply button. 

Auto-enrichment runs Observable Enrichment on the same Observable multiple times

This issue is encountered when the user submits a Security Incident and Observable Enrichment is run on it. Observable Enrichment is run multiple times on the same Observable. 

TruSTAR Admin role cannot perform some actions

You may not be able to perform actions such as Send to TruSTAR or Whitelist Observable in the TruSTAR App. To resolve this issue, check that the itil and sn_si.read roles are assigned to the TruSTAR App Admin Role. For Madrid users, assign these roles to the Custom User directly.

This issue is encountered you try to submit the Integration selection when running Observable Enrichment. A popup titled “Leave Site?” saying “Changes you made may not be saved.” appears after clicking the Submit button. This issue is a known platform limitation. Simply click on Leave and your settings will not be affected. You can use the application normally. 

Please note that the TruSTAR App currently supports the SIR plug-in and not ITSM

How Did We Do?