ServiceNow [old]

Updated 5 months ago by Elvis Hovor



This article provides a description of the ServiceNow Plugin built for TruSTAR. This plugin allows users to utilize context of TruSTAR’s IOCs and incidents within ServiceNow workflow. TruSTAR arms security teams with the high signal intelligence from sources such as internal historical data, open and closed intelligence feeds and anonymized incident reports from TruSTAR’s vetted community of enterprise members.

Demo Video


This integration is an update set XML file. You can download it here. This XML file contains all required ServiceNow objects Metadata to run TruSTAR's integration in ServiceNow.

The following bundles are required for successful install of the TruSTAR app.


Bundle Name




This update set XML file contains all the actions required to support TruSTAR actions from ServiceNow.


The following Plugins need to be  Activated for TruSTAR integration to work

Service Now plugin Security Incident Response (more info here)

Service Now plugin Threat Core (included in most cases if Incident Response is active)  

Service Now plugin Security Incident Analytics

Service Now plugin Threat Intelligence (more info here)


  1. Navigate to System Update Sets->Retrieved Update Sets
  2. Go to Related Links and Click on “Import Update Set from XML”
  3. Select XML update set provided in deliverables and click Upload.
  4. Once Upload is finished click TruSTAR upload set and open.
    C:\Users\user4\AppData\Local\Microsoft\Windows\INetCache\Content.Word\Step 1.png
  5. Click on “Preview Update Set” button.
  6. Click on “Commit Update Set” button.
  7. After successful Installation please reload form (Refresh)
  8. Go to Navigation Menu and type TruSTAR. We can see TruSTAR Menu.


This section describes steps to configure TruSTAR Integration. We need to setup TruSTAR Endpoint, API Key, and Secret Key etc.

  1. Go to Navigation Menu and enter TruSTAR
  2. Click on Settings Menu option
  3. Enter TruSTAR API Endpoint Base URL (i.e.
  4. Enter API Key - this is available here
  5. Enter API Secret - this is available here
  6. Enter Enclave Id. Enclave id is available here

    1. NOTE: If you have multiple enclaves you can enter them as comma separated values of enclave id’s.
  7. Click on Submit.

User Role Setup

  1. This section describes how to setup the user access permissions that is needed to fully configure and use the TruSTAR integration.
  2. You  need access to two roles in ServiceNow to access TruSTAR menus.
    1. x_117227_trustar.user (Access TruSTAR menus)
    2. admin (Access Settings menu)
  3. Log in as admin user to ServiceNow instance
  4. Navigate to User Administration->Users
  5. Select user -->"Roles" tab
  6. Select Edit next to Roles
  7. Assign role "x_117227_trustar.user" and "admin" and Save

Update App

This describes the process of upgrading the TruSTAR plugin and application in ServiceNow. The old update set and application needs to be removed from ServiceNow and updated to the newer version.

Remove Update Set

  1. Navigate to System Update Sets -> Retrieved Update Sets
  2. Select TruSTAR Update set
  3. Select Delete from the Actions on selected rows dropdown menu

Remove Application

  1. Navigate to System Applications -> Applications
  2. Select TruSTAR → Delete
  3. Type/Select “delete” in confirmation dialog.
  4. Follow steps for installing updated plugin Install TruSTAR Integration

Incident Enrichment Workflow

Submit Report

Once we create security incident the TruSTAR integration will trigger Submit Report event to TruSTAR. This report will be submitted to the enclave(s) you have identified in your configuration.

Below image shows submitted report security incident work note detail. It contains deep link to the TruSTAR station. Once you click on this link it take you to the case in TruSTAR.

Correlated Reports

Once a security incident is successfully submitted to TruSTAR the work notes section will show the count of correlated TruSTAR reports for IOCs in that case.

Below image shows correlated report work note details shown in security incident. It shows correlated report count found in TruSTAR.

Correlated IOCs

Once a security incident is successfully submitted to TruSTAR the work notes section will show correlated TruSTAR IOCs.

Below image shows correlated indicator work note details shown in security incident. It shows correlated indicators with deep link to TruSTAR station.

Updating with new TruSTAR IOCs

The TruSTAR platform is constantly updated with new IOCs, which could provide enrichment for an existing ServiceNow security incident. This integration updates correlated indicators found in TruSTAR in Associated Indicators tab for created incident.

Below are steps to see Associated Indicators:

  1. Refresh Web Page
  2. Click on Show IOC
  3. Click on Associated Indicators
  4. Click on TruSTAR Indicators_XXXX (**XXXX = security Incident number)


Please reach out to for any additional questions.

How Did We Do?