TruSTAR App for ServiceNow v1.1.0 FAQ

Updated 17 hours ago by Elvis Hovor

This document covers how to manually install the TruSTAR workflow app for ServiceNow v1.1.0 (London and Newer releases), update or uninstall the plug-in, and includes sections on troubleshooting and known issues.

Manual Installation

To manually install the TruSTAR plug-in for ServiceNow, first download the XML bundle here. This XML file contains all the actions required to support TruSTAR actions from ServiceNow.

Follow these steps to install the XML file into ServiceNow:

  1. In ServiceNow, go to System Update Sets on the left menu. 
  2. Click Retrieved Update Sets
  3. Go to Related Links and Click Import Update Set from XML.
  4. Select the XML update set you want and click Upload.
  5. Once the upload has finished, click on the TruSTAR upload set and open.
  6. Click Preview Update Set at the bottom of the right area to see details of the set.
  7. Click Commit Update Set to complete the process. After the commit has finished, you must reload the form to see TruSTAR menu items.

Uninstalling the TruSTAR Plug-In

  1. Log in to ServiceNow as Admin.
  2. Go to System Applications on the left menu.
  3. Select Applications.
  4. From the Application Manager, select TruSTAR - Integration.
  5. Click Uninstall on the next screen then click on the confirmation dialog to proceed with the uninstall.


Q: Does the plug-in ingest work notes or secure notes?

A: No. If you want to submit Observables or other data to TruSTAR, this information can be inserted in the Description or Short Description fields. The same applies for attachments in reports - Observables need to be in the description.

Q: I cannot find any TruSTAR enrichment in my work notes?

A: Verify that you are submitting the Incident or Security incident to your enclave in TruSTAR. Also, check that the filter for worknotes is not turned on. If this filter is selected, it prevents all worknotes from showing, including any enrichment from TruSTAR.

Known Issues

Incident reports transfers

Incident Reports are being transferred into Station when they are closed even when the user/administrator has deselected the checkbox that controls Incident Reports transfer to Station. The transfer takes place specifically when the Incident Report ticket is closed, and not until then. The workaround is to disable the business rules that allow Incident Reports to transfer in to Station.

Apply Button does not always save settings.

When configuring the plugin’s settings, the Apply button does not always save and apply settings. For the user/administrator to be sure that her/his settings modifications are saved & applied, she/he should use the Save button, not the Apply button. 

Auto-enrichment runs Observable Enrichment on the same Observable multiple times

This issue is encountered when the user submits a Security Incident and Observable Enrichment is run on it. Observable Enrichment is run multiple times on the same Observable. 

TruSTAR Admin role cannot perform actions like “Send to TruSTAR” and “Whitelist Observable”

This issue will be encountered if the TruSTAR App Admin role does not have itil and roles assigned to it. To resolve this issue, make sure that the two roles mentioned above are assigned to the TruSTAR App Admin Role. For Madrid users, assign these roles to the Custom User directly.

This issue is encountered you try to submit the Integration selection when running Observable Enrichment. A popup titled “Leave Site?” saying “Changes you made may not be saved.” appears after clicking the Submit button. This issue is a known platform limitation. Simply click on Leave and your settings will not be affected. You can use the application normally. 

How Did We Do?