This article describes the ServiceNow plugin built for TruSTAR. The plugin lets users bring the context of TruSTAR's IOCs and incidents into ServiceNow workflows. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR's vetted community of enterprise members.
The following bundles are required to install the TruSTAR app successfully.
The update set XML file contains all the actions required to support TruSTAR actions from ServiceNow.
The following plugins need to be activated for the TruSTAR integration to work:
- ServiceNow plugin Security Incident Response
- ServiceNow plugin Threat Core (included in most cases if Security Incident Response is active)
- ServiceNow plugin Security Incident Analytics
- ServiceNow plugin Threat Intelligence
Install TruSTAR Integration
- Navigate to System Update Sets -> Retrieved Update Sets
- Go to Related Links and click "Import Update Set from XML"
- Select the XML update set provided in the deliverables and click Upload
- Once the upload is finished, click the TruSTAR update set to open it
- Click the "Preview Update Set" button
- Click the "Commit Update Set" button
- After successful installation, reload the form (refresh)
- Go to the Navigation Menu and type TruSTAR. The TruSTAR menu is now visible.
Configure TruSTAR Integration
This section describes the steps to configure the TruSTAR integration: the TruSTAR endpoint, API key, API secret and enclave ID.
- Go to the Navigation Menu and enter TruSTAR
- Click the Settings menu option
- Enter the TruSTAR API Endpoint Base URL (e.g. https://station.trustar.co)
- Enter the API Key, available at https://station.trustar.co/settings/api
- Enter the API Secret, available at https://station.trustar.co/settings/api
- Enter the Enclave Id, available at https://station.trustar.co/settings/api
- Click Submit
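The four settings above are what the plugin uses to authenticate to TruSTAR, so it is worth checking them before they are saved. The following is an added example, written for this page and not part of the TruSTAR plugin or of ServiceNow: a small Node.js check that trims copy/paste whitespace, insists the endpoint is an HTTPS base URL, sanity-checks the enclave ID, and renders the settings for a log line without exposing the secret. The settings object shape, the function names and the assumption that an enclave ID is a UUID are all this example's own, not something the page states.

```javascript
// Added example (not the TruSTAR plugin's code): pre-save validation for the
// values entered on the TruSTAR Settings form. Runs under Node.js.
// Assumptions not taken from the page: the settings object shape and the
// UUID format check for the enclave ID.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const REQUIRED = ['endpoint', 'apiKey', 'apiSecret', 'enclaveId'];

function validateTruStarSettings(input) {
  const errors = [];
  const settings = {};

  // Every field is mandatory. Trim copy/paste whitespace: a trailing space in
  // a key or secret otherwise shows up only as an opaque authentication failure.
  for (const key of REQUIRED) {
    const value = typeof input[key] === 'string' ? input[key].trim() : '';
    if (value === '') errors.push(`${key} is required`);
    settings[key] = value;
  }

  if (settings.endpoint !== '') {
    let url = null;
    try { url = new URL(settings.endpoint); } catch (e) { /* reported below */ }
    if (url === null) {
      errors.push('endpoint is not a valid URL');
    } else {
      // The API key and secret are sent to this host, so refuse anything but
      // TLS, and require a bare base URL (the integration appends its own paths).
      if (url.protocol !== 'https:') errors.push('endpoint must use https');
      if (url.pathname !== '/' || url.search !== '' || url.hash !== '') {
        errors.push('endpoint must be a base URL without path or query');
      }
      settings.endpoint = url.origin; // canonical form, no trailing slash
    }
  }

  // Assumption: TruSTAR enclave IDs are UUIDs. Adjust if your tenant differs.
  if (settings.enclaveId !== '' && !UUID_RE.test(settings.enclaveId)) {
    errors.push('enclaveId does not look like an enclave UUID');
  }

  return { ok: errors.length === 0, errors, settings };
}

// Render settings for a log line or work note without leaking credentials:
// the API key keeps only its last four characters, the secret is fully masked.
function describeSettings(settings) {
  const tail = settings.apiKey.length > 4 ? settings.apiKey.slice(-4) : '';
  return `endpoint=${settings.endpoint} apiKey=****${tail} apiSecret=**** enclaveId=${settings.enclaveId}`;
}

// Constructed sample values (not real credentials or a real enclave).
const sample = {
  endpoint: 'https://station.trustar.co/',
  apiKey: ' constructed-api-key-1234 ',
  apiSecret: 'constructed-secret',
  enclaveId: '12345678-1234-1234-1234-123456789abc',
};

const sampleResult = validateTruStarSettings(sample);
console.log(sampleResult.ok ? describeSettings(sampleResult.settings) : sampleResult.errors.join('; '));
```

Wire `validateTruStarSettings` in front of whatever persists the settings and surface `errors` to the administrator; only `describeSettings` output should ever reach logs or work notes.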
User Role Setup
This section describes how to set up the user access permissions needed to fully configure and use the TruSTAR integration.
You need two roles in ServiceNow to access the TruSTAR menus:
- x_117227_trustar.user (access to the TruSTAR menus)
- admin (access to the Settings menu)
To assign them:
- Log in to the ServiceNow instance as an admin user
- Navigate to User Administration -> Users
- Select the user and open the "Roles" tab
- Select Edit next to Roles
- Assign the roles "x_117227_trustar.user" and "admin", then Save
Upgrade TruSTAR Integration
This section describes the process of upgrading the TruSTAR plugin and application in ServiceNow. The old update set and application need to be removed from ServiceNow before the newer version is installed.
Remove Update Set
- Navigate to System Update Sets -> Retrieved Update Sets
- Select the TruSTAR update set
- Select Delete from the "Actions on selected rows" dropdown menu
- Navigate to System Applications -> Applications
- Select TruSTAR and click Delete
- Type "delete" in the confirmation dialog
- Follow the steps in Install TruSTAR Integration to install the updated plugin
Incident Enrichment Workflow
When a security incident is created, the TruSTAR integration triggers a Submit Report event to TruSTAR. The report is submitted to the enclave(s) identified in your configuration.
The image below shows the work note recorded for the submitted report in the security incident. It contains a deep link to TruSTAR Station; clicking the link opens the case in TruSTAR.
Once a security incident has been submitted to TruSTAR successfully, the work notes section shows the count of TruSTAR reports correlated with the IOCs in that case.
The image below shows the correlated report work note in the security incident, with the number of correlated reports found in TruSTAR.
The work notes section also shows the correlated TruSTAR IOCs.
The image below shows the correlated indicator work note in the security incident: each correlated indicator is listed with a deep link to TruSTAR Station.
Updating with new TruSTAR IOCs
The TruSTAR platform is constantly updated with new IOCs, which can provide enrichment for an existing ServiceNow security incident. The integration adds the indicators correlated in TruSTAR to the Associated Indicators tab of the incident.
To see the Associated Indicators:
- Refresh the web page
- Click Show IOC
- Click Associated Indicators
- Click TruSTAR Indicators_XXXX (where XXXX is the security incident number)
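To make the enrichment workflow above concrete, here is an added example covering both the work notes in Incident Enrichment Workflow and the indicator group named in this section. It is written for this page and is not the TruSTAR plugin's own code: given correlation results for one incident, it counts distinct correlated reports, merges duplicate indicators, builds deep links only from the configured station base URL with the indicator value URL-encoded, and derives the "TruSTAR Indicators_<incident number>" group name. The result record shape (`type`, `value`, `reportIds`), the deep-link path `/indicators?value=...` and the sample data are constructed assumptions; only the station URL and the group-name pattern come from the page.

```javascript
// Added example (not the TruSTAR plugin's code): summarize correlation results
// for one security incident into the work-note text described on the page
// and the Associated Indicators group name. Runs under Node.js.
// Assumptions not taken from the page: result record shape, deep-link path,
// and all sample data below.

function summarizeCorrelations(stationBase, incidentNumber, results) {
  // Deep links are always built from the configured station URL, never from
  // anything inside the results, so an indicator value cannot steer an analyst
  // to a different host.
  const base = new URL(stationBase).origin;
  const merged = new Map(); // "TYPE:value" -> { type, value, reportIds: Set }
  const allReports = new Set();

  for (const r of results) {
    if (!r || typeof r.value !== 'string' || r.value.trim() === '') continue;
    const value = r.value.trim();
    const type = typeof r.type === 'string' ? r.type.toUpperCase() : 'UNKNOWN';
    const ids = Array.isArray(r.reportIds)
      ? r.reportIds.filter((id) => typeof id === 'string' && id !== '')
      : [];
    const key = `${type}:${value}`;
    const entry = merged.get(key) || { type, value, reportIds: new Set() };
    ids.forEach((id) => { entry.reportIds.add(id); allReports.add(id); });
    merged.set(key, entry);
  }

  // Only indicators with at least one correlated report count as "correlated".
  // Report IDs are de-duplicated per indicator and across the whole incident,
  // so a report reached through two indicators is counted once.
  const indicators = [...merged.values()]
    .filter((i) => i.reportIds.size > 0)
    .map((i) => ({
      type: i.type,
      value: i.value,
      reportCount: i.reportIds.size,
      // encodeURIComponent keeps indicator text from breaking the URL or the note.
      deepLink: `${base}/indicators?value=${encodeURIComponent(i.value)}`,
    }))
    .sort((a, b) => b.reportCount - a.reportCount || a.value.localeCompare(b.value));

  return {
    correlatedReportCount: allReports.size,
    indicators,
    reportCountNote: `TruSTAR: ${allReports.size} correlated report(s) found for ${indicators.length} indicator(s).`,
    indicatorNote: indicators.length === 0
      ? 'TruSTAR: no correlated indicators found.'
      : ['TruSTAR correlated indicators:']
          .concat(indicators.map((i) => `${i.type} ${i.value} (${i.reportCount} report(s)): ${i.deepLink}`))
          .join('\n'),
    associatedIndicatorGroup: `TruSTAR Indicators_${incidentNumber}`,
  };
}

// Constructed sample: documentation IP range, a URL with characters that need
// encoding, a duplicate indicator with an overlapping report, and an indicator
// with no correlation at all (the MD5 of the empty string).
const sampleResults = [
  { type: 'ip', value: '203.0.113.7', reportIds: ['r-101', 'r-102'] },
  { type: 'IP', value: '203.0.113.7 ', reportIds: ['r-102', 'r-103'] },
  { type: 'url', value: 'http://example.invalid/a b?x=1', reportIds: ['r-104'] },
  { type: 'md5', value: 'd41d8cd98f00b204e9800998ecf8427e', reportIds: [] },
];

const summary = summarizeCorrelations('https://station.trustar.co/', 'SIR0010001', sampleResults);
console.log(summary.reportCountNote);
console.log(summary.indicatorNote);
console.log(`Associated Indicators group: ${summary.associatedIndicatorGroup}`);
```

Feed `reportCountNote` and `indicatorNote` into the incident's work notes as plain text; the `indicators` array carries the same data in structured form for populating the Associated Indicators group.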