User Guide: TruSTAR for ServiceNow V2

Updated 6 months ago by TruSTAR

This document explains how to use the features of the TruSTAR Workflow App for ServiceNow V2 (Paris version). The App automates the extraction of Observables from events and queries them against Intelligence Sources in TruSTAR. The enriched data, including links directly to TruSTAR's in-depth analysis, is added to the ServiceNow ticket.

You can use the TruSTAR Web App to:

  • Enrich: Quickly provide context to aid in triage and investigation of Security Incidents.
  • Manage: Conduct advanced searches for reports and indicators across all internal repositories and external sources in a single query.
  • Analyze: Add analyst notes and comments to support ongoing investigation, analysis, and collaboration.
  • Detect: Deploy internal and external intelligence to detection tools.
  • Disseminate: Share Reports and threat intelligence with internal users and teams and with ISAC/ISAO groups.

Features

The TruSTAR App for ServiceNow V2 enables you to perform two sets of manual actions: basic actions and security operations actions.

Basic Operations

You can use the TruSTAR App for ServiceNow V2 to manually perform these actions:

  • Submit a Security Incident Report (SIR) to TruSTAR
  • Enrich Observables in Security Incidents

To perform these actions, you must have these ServiceNow plug-ins installed:
(1) Security Incident Response version 11.1.1 or higher
(2) Threat Core version 11.0.3 or higher

Security Operations

You can use the TruSTAR App to perform these actions:

  • Whitelist Observables
  • Add tags to Observables
  • Share a SIR in TruSTAR
  • Share Observables
  • Share Enriched Observables

To perform these Security Operations, you must have this ServiceNow plug-in installed:
(1) Threat Intelligence version 11.0.2 or higher

TruSTAR Tabs and Tables

The TruSTAR App uses two tables in the Related Links section of a SIR to show TruSTAR-specific information:

  • The Observables table shows the data extracted from the SIR that TruSTAR can enrich. TruSTAR can extract over 14 different types of data.
  • The Threat Lookup table shows Indicators returned from TruSTAR after the data has been enriched by intelligence sources.

Within a table, you can select one or more items using checkboxes and then right-click to display a menu of commands you can execute on those items. The rest of this article explains each command in more detail.
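The two tables above are populated by the extraction and whitelist steps that the App performs for you. To make those steps concrete, the following is an added example written for this guide; it is not TruSTAR's or ServiceNow's code, and it covers only a handful of the observable types the App extracts. The sample incident description, the observable patterns, and the whitelist entries are all constructed for the illustration.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of the free text an analyst might paste into a SIR Description.
# Uses documentation/test ranges and made-up names only.
SAMPLE_SIR_DESCRIPTION = (
    "Phishing email from attacker[@]bad-example[.]net linked to "
    "hxxp://bad-example[.]net/login.php ; beacon to 203.0.113.45 from internal "
    "host 10.0.0.5 (intranet.corp-example.com). Attachment md5 "
    "d41d8cd98f00b204e9800998ecf8427e, sha256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. "
    "Also resolved bad-example.net."
)

# Constructed whitelist: internal assets that should never be sent out for enrichment.
EXAMPLE_WHITELIST: Set[str] = {"10.0.0.5", "intranet.corp-example.com"}

# Ordered list of (type, pattern). Order matters: longer/more specific types are
# matched and masked first so a SHA256 is not also reported as an MD5 and a URL's
# host is not double-counted as a bare domain. (Illustrative subset only.)
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("SHA256", re.compile(r"\b[a-fA-F0-9]{64}\b")),
    ("MD5", re.compile(r"\b[a-fA-F0-9]{32}\b")),
    ("IP4", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("URL", re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)),
    ("EMAIL_ADDRESS", re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-zA-Z]{2,}\b")),
    ("DOMAIN", re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+(?:com|net|org|io|ru|info)\b")),
]


def refang(text: str) -> str:
    """Undo common defanging conventions so patterns match the real value."""
    for defanged, clean in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[@]", "@"), ("[:]", ":")):
        text = text.replace(defanged, clean)
    return text


def extract_observables(text: str) -> Dict[str, List[str]]:
    """Return {type: sorted unique values} found in the text.

    Each match is blanked out (replaced by spaces of equal length) before the next
    pattern runs, so a value is attributed to exactly one type.
    """
    remaining = refang(text)
    found: Dict[str, List[str]] = {}
    for kind, pattern in PATTERNS:
        hits: List[str] = []

        def _mask(match: re.Match) -> str:
            hits.append(match.group(0))
            return " " * len(match.group(0))

        remaining = pattern.sub(_mask, remaining)
        if hits:
            found[kind] = sorted(set(hits))
    return found


def apply_whitelist(
    observables: Dict[str, List[str]], whitelist: Set[str]
) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Split observables into (kept, dropped); dropped ones would not be enriched or shared."""
    normalized = {w.lower() for w in whitelist}
    kept: Dict[str, List[str]] = {}
    dropped: Dict[str, List[str]] = {}
    for kind, values in observables.items():
        for value in values:
            target = dropped if value.lower() in normalized else kept
            target.setdefault(kind, []).append(value)
    return kept, dropped


if __name__ == "__main__":
    found = extract_observables(SAMPLE_SIR_DESCRIPTION)
    kept, dropped = apply_whitelist(found, EXAMPLE_WHITELIST)
    print("Observables table candidates:", kept)
    print("Suppressed by whitelist:", dropped)
```

Running it shows why whitelisting matters before enrichment or sharing: the internal host and intranet name in the sample are held back, while the external IP, URL, sender address, domain and file hashes are the items that would appear in the Observables table and be sent to TruSTAR.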

Submitting a SIR to TruSTAR

  1. Select Security Incidents on the left menu.
  2. Select Incidents, then select Show All Incidents.
  3. Click New.
  4. Fill in the Short Description and Description on the Security Incident form.
  5. Click Send Report to TruSTAR in the top menu bar to submit the report to TruSTAR.

In the Work Notes section on the Incident tab, you see a new entry with the text ***TruSTAR Report Submitted*** along with a link to open the new report in the TruSTAR Web App.

After the report has been submitted, if you have Observable Auto-Enrichment enabled, TruSTAR adds any Observables it finds to the Threat Lookup table in the SIR, with links to more information in the TruSTAR Web App.

Enriching Observables

You can manually enrich one or more Observables in a SIR.

  1. On the Incident Details tab, select Show IOC under the Related Links subheading. This displays the list of Observables for the SIR.
  2. Click the checkbox next to the Observable(s) you want to enrich.
  3. At the bottom of the Observables list, select the TruSTAR: Enrich Observables command from the drop-down menu.

The selected Observables are sent to TruSTAR and any enrichment returned is added to the Threat Lookup table. You can then click on the link in the Finding column for that item to display the full details of the enrichment.

Whitelisting Observables

You can manually add one or more Observables to your organization's whitelist in TruSTAR.

  1. On the Incident Details tab, select Show IOC under the Related Links subheading. This displays the list of Observables for the SIR.
  2. Click the checkbox next to the Indicator(s) you want to whitelist.
  3. At the bottom of the Observables list, select the TruSTAR: Whitelist Indicators command from the drop-down menu.

The selected items are added to your whitelist in TruSTAR.

Adding Tags to Observables

You can manually add one or more tags to Observables listed in the Threat Lookup table.

  1. On the Incident Details tab, select Show IOC under the Related Links subheading. This displays the list of Observables for the SIR.
  2. Click the Threat Lookups Results tab.
  3. Click the checkbox next to the item(s) you want to tag.
  4. At the bottom of the list, select TruSTAR: Tag Indicators from the drop-down menu. This displays the Tag Indicators dialog box.
  5. Enter the tags you want to add, separating each tag with a comma.
  6. Click Submit to finish adding tags.

The tag information is sent to TruSTAR where the tags are added to the items you selected in step 3.

Sharing Reports to TruSTAR

You can choose to send a SIR to one or more TruSTAR Enclaves. This is useful when you share Enclaves with a working group, whether inside your organization or with external groups, such as an ISAO/ISAC group.

  1. While viewing the SIR in ServiceNow, click Share Report in TruSTAR in the top menu bar.

The selected report is sent to the Enclaves you specified in the Specify Sharing Enclave IDs configuration settings.

Sharing Observables to TruSTAR

You can share one or more Observables to TruSTAR Enclaves.

The Observables themselves are shared, but any enrichment and tags are not. To share that information as well, use the Sharing Enriched Observables procedure.

  1. On the Incident Details tab, select Show IOC under the Related Links subheading. This displays the list of Observables for the SIR.
  2. Click the checkbox next to the Indicator(s) you want to share.
  3. At the bottom of the Observables list, select the TruSTAR: Share Observables command from the drop-down menu.

The selected Observables are sent to the Enclaves you specified in the Specify Sharing Enclave IDs configuration settings.

Sharing Enriched Observables to TruSTAR

You can choose to share Observables together with their enrichment to Enclaves in TruSTAR. This sends the Observables, all enrichment, and any tags to TruSTAR.

  1. On the Incident Details tab, select Show IOC under the Related Links subheading. This displays the list of Observables for the SIR.
  2. Click the Threat Lookups Results tab.
  3. Click the checkbox next to the Observable(s) you want to share.
  4. At the bottom of the list, select TruSTAR: Share Enriched IoCs from the drop-down menu.

The selected Observables are sent to the Enclaves you specified in the Specify Sharing Enclave IDs configuration settings.
