ServiceNow [Current Version]

Updated 2 weeks ago by Elvis Hovor

Introduction

This documentation describes the ServiceNow plugin built for TruSTAR. The plugin lets users bring the context of TruSTAR’s IOCs and incidents into their ServiceNow workflow. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR’s vetted community of enterprise members. This update to the ServiceNow integration gives users more control over what is submitted into their TruSTAR enclave and, overall, a tighter integration between TruSTAR and ServiceNow users.

Features

  • Submit Incident and Security Incident Response (SIR) reports into your private TruSTAR Enclave.
  • Enrich Incident and SIR reports with intelligence from TruSTAR. This can be performed as both a manual and an automated action.
  • Automatically update the TruSTAR report when a ServiceNow Incident or SIR is modified.
  • Fine-tune the configuration of submission fields to fit your data governance policies.

Workflow Diagram

Demo Video

Requirements

The details below summarize the prerequisites and requirements for the TruSTAR ServiceNow plugin to work. Please make sure the components below are downloaded/available.

  • ServiceNow “Jakarta” release or higher
  • Incident Management (Required)
  • Security Incident Management (Optional)
  • ServiceNow plugin Security Incident Response (Optional) - more info here
  • Threat Intelligence Plugin (Optional)

Easy Install - From ServiceNow Store

The TruSTAR integration is available in the ServiceNow Store for download. Please follow the steps in the "How to Install" section below to set up the TruSTAR instance.

The TruSTAR plugin for ServiceNow is currently certified for the Jakarta release. To install directly from the ServiceNow Store you must be on Jakarta. For all other releases, such as Kingston, please follow the Manual Installation process below. There is no difference in functionality between the two install modes.

Manual Installation

The following bundle is required for manual installation of the TruSTAR plugin in ServiceNow. The plugin bundle can be downloaded here.

| # | Bundle Name | Description |
|---|---|---|
| 1 | ServiceNow-TruSTAR Integration | This update set XML file contains all the actions required to support TruSTAR actions from ServiceNow. |

Setup & Configuration

This section describes the process of installing the TruSTAR integration in a ServiceNow instance.

  1. Navigate to System Update Sets -> Retrieved Update Sets
  2. Go to Related Links and click on “Import Update Set from XML”
  3. Select the XML update set provided in the deliverables and click Upload.
    Figure 2 Installation: Upload XML file
  4. Once the upload is finished, click the TruSTAR update set to open it.
    Figure 3 Installation: Click on Update Set
  5. Click on the “Preview Update Set” button.
    Figure 4 Installation: Click on Preview Update Set
  6. Click on the “Commit Update Set” button.
    Figure 5 Installation: Click on Commit Update Set
  7. After successful installation, reload the form (Refresh).
  8. Go to the Navigation Menu and type TruSTAR. You will see the TruSTAR menu.

When committing, accept the remote update set overriding some local files that are newer than those in the update set. This is because the app is being downgraded from the phase-2 implementation to the phase-1 implementation. The other option is to make the changes in the local update set, but this is highly risky and is not recommended.

Configuration Details

This section describes the steps to configure the TruSTAR integration. We need to set up the TruSTAR Endpoint, API Key, API Secret and Enclave IDs.

  1. Go to the Navigation Menu and enter TruSTAR
  2. Click on the Settings menu option
  3. Enter the TruSTAR configuration parameters
Figure 6 Configure TruSTAR Integration

| Configuration Parameter | Required | Description |
|---|---|---|
| Endpoint | Yes | Use https://station.trustar.co. This is the TruSTAR Station URL from which data is collected by executing API calls. |
| API Key | Yes | Authentication key used to connect to TruSTAR Station and make API calls. Available under Settings -> API in your TruSTAR Station account. How to find your API Key |
| API Secret | Yes | Secret key used to connect to TruSTAR Station and make API calls. Available under Settings -> API in TruSTAR Station. How to find your API Secret |
| EnclaveIDs | Yes | Enter the Enclave IDs (the alphanumeric ID next to the enclave name in TruSTAR Station) to pull data from. To pull data from multiple enclaves, separate each ID with a comma. Retrieving your Enclave IDs |

  1. Users can select to auto-submit Incidents (INC) and/or Security Incidents (SIR) on creation, or deselect the option to submit incidents manually.
  2. Users can configure the report body by selecting the fields from an INC or SIR ticket that should be submitted as part of the report body in TruSTAR.
  3. Exclude Tags lets users configure a field tag that prevents a report from being submitted to TruSTAR even when automated submission is enabled.
  4. Click on Update Configuration.
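The three settings above (auto-submit per record type, the report body field list, and Exclude Tags) together decide what leaves ServiceNow. The following is an added example, not the TruSTAR plugin's own code, that models that decision as plain JavaScript functions so the gating logic can be reviewed without a ServiceNow instance. The setting names, the record field names, the 'incident' / 'sir' type labels and the sample tickets are all assumptions constructed for the example.

```javascript
// Added example, not the TruSTAR plugin's own code: the submission settings
// from this section modelled as plain functions so the gating logic can be
// reviewed outside a ServiceNow instance. Setting names, record field names
// and the 'incident' / 'sir' type labels are assumptions.

// Parse the comma-separated Enclave IDs setting: trim, drop empties, dedupe.
function parseEnclaveIds(raw) {
  const seen = new Set();
  const ids = [];
  for (const part of String(raw || '').split(',')) {
    const id = part.trim();
    if (id && !seen.has(id)) {
      seen.add(id);
      ids.push(id);
    }
  }
  return ids;
}

// Constructed settings mirroring the configuration form: auto-submit per
// record type, an allow-list of report body fields per type, and exclude tags.
const EXAMPLE_SETTINGS = {
  enclaveIds: parseEnclaveIds(' a1b2c3 ,d4e5f6,, a1b2c3 '),
  autoSubmit: { incident: true, sir: false },
  reportFields: {
    incident: ['number', 'short_description', 'description'],
    sir: ['number', 'short_description', 'description', 'category'],
  },
  excludeTags: ['no-trustar', 'Legal-Hold'],
};

// Decide whether a record is auto-submitted. The reason is returned so it can
// be written to a work note, which makes a silent non-submission explainable.
function submissionDecision(record, settings) {
  if (!settings.autoSubmit[record.type]) {
    return { submit: false, reason: 'auto-submit disabled for ' + record.type };
  }
  const tags = (record.tags || []).map((t) => t.trim().toLowerCase());
  const hit = settings.excludeTags
    .map((t) => t.trim().toLowerCase())
    .find((t) => tags.includes(t));
  if (hit) {
    return { submit: false, reason: 'exclude tag present: ' + hit };
  }
  if (settings.enclaveIds.length === 0) {
    return { submit: false, reason: 'no enclave IDs configured' };
  }
  return { submit: true, reason: 'auto-submit enabled and no exclude tag' };
}

// Build the report body from the configured fields only, so anything not on
// the allow-list (work notes, secure notes, customer data) never leaves ServiceNow.
function buildReportBody(record, settings) {
  const fields = settings.reportFields[record.type] || [];
  const lines = [];
  for (const f of fields) {
    const v = record[f];
    if (v !== undefined && v !== null && String(v).trim() !== '') {
      lines.push(f + ': ' + String(v).trim());
    }
  }
  return lines.join('\n');
}

// Constructed sample records (not real tickets).
const SAMPLE_RECORDS = [
  { type: 'incident', number: 'INC0010001', short_description: 'Phishing email reported',
    description: 'User received a suspicious attachment', work_notes: 'internal chatter', tags: [] },
  { type: 'incident', number: 'INC0010002', short_description: 'Sensitive case',
    description: '', tags: ['legal-hold'] },
  { type: 'sir', number: 'SIR0001234', short_description: 'Malware alert',
    description: 'Endpoint quarantined', tags: [] },
];

// Run every sample through the gate and return each decision together with
// the body that would have been sent.
function evaluateSamples() {
  return SAMPLE_RECORDS.map((r) => {
    const decision = submissionDecision(r, EXAMPLE_SETTINGS);
    return { number: r.number, submit: decision.submit, reason: decision.reason,
             body: decision.submit ? buildReportBody(r, EXAMPLE_SETTINGS) : '' };
  });
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```

Note that the work_notes value on the first sample never reaches the report body because only allow-listed fields are copied; that is the property the report body configuration gives you, and it is the same reason the FAQ below states that work notes and secure notes are not ingested.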

User Role Setup

This section describes how to set up the user access permissions needed to fully configure and use the TruSTAR integration.

  1. You will need two roles to access TruSTAR menus.
    1. TruSTARAdmin (Access TruSTAR menus)
    2. admin (Access Settings menu)

Below are steps to assign roles to the user.

  1. Log in as admin user to dev instance
  2. Navigate to User Administration -> Users
  3. Select the user and navigate to the "Roles" tab
  4. Select Edit next to Roles
  5. Assign role "TruSTARAdmin" and "admin" and Save

Usage & App Commands

Create Security Incident / Incident 

This section describes the process of creating a security incident/incident manually in ServiceNow. We describe the process for a security incident.

  1. Navigate to “Security Incident/Incident” in the Navigation menu.
  2. Click on “Show All Incidents”
  3. Click on “New”
  4. Fill in all required details in the Incident form and Submit
  5. Enter observables in the short description or description field so they can be looked up in TruSTAR. (** Observables need to be comma (,) separated.)

We have also provided a manual action to submit a report to TruSTAR on Incidents and Security Incidents.

Submit Report to TruSTAR

Once a security incident is created, the TruSTAR integration triggers a submit report action to TruSTAR.

The image below shows the work note of the submitted report on the security incident. It contains a deep link to TruSTAR Station; clicking the link redirects you to TruSTAR Station.

TruSTAR Correlated IOCs

Once the TruSTAR report is successfully submitted, the TruSTAR integration shows the correlated indicators found in TruSTAR for the submitted report.

The image below shows the correlated indicator work note details in the security incident. It lists the correlated indicators with deep links to TruSTAR Station.

Note: A maximum of 100 correlated indicators is added to the Observables table. This is to reduce the number of API calls to TruSTAR.
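Two behaviours in this section are easy to get wrong when reasoning about what ends up in a ticket: observables are read only from the short description and description fields, comma-separated (see the Create Security Incident / Incident steps above), and at most 100 correlated indicators are written back to the Observables table. The following is an added example, not the TruSTAR plugin's own code, that implements both rules on constructed data so the trimming, deduplication and truncation can be checked. The field names, the indicator object shape ({ value, type }) and the sample values are assumptions.

```javascript
// Added example, not the TruSTAR plugin's own code: observable extraction
// from the two fields the plugin reads (short description and description,
// comma-separated) and the 100-indicator cap on correlated indicators written
// back to the Observables table. Field names and the indicator object shape
// ({ value, type }) are assumptions.

const MAX_CORRELATED = 100; // cap stated in the note above

// Split both fields on commas, trim, drop empties and dedupe
// case-insensitively, keeping the first spelling seen.
function extractObservables(record) {
  const seen = new Set();
  const out = [];
  for (const field of ['short_description', 'description']) {
    for (const part of String(record[field] || '').split(',')) {
      const value = part.trim();
      const key = value.toLowerCase();
      if (value && !seen.has(key)) {
        seen.add(key);
        out.push(value);
      }
    }
  }
  return out;
}

// Choose which correlated indicators to add to the Observables table: skip
// values already present, keep at most `max` new ones, and report how many
// were dropped so the work note can say the list was truncated.
function selectCorrelatedIndicators(existing, correlated, max) {
  const limit = max === undefined ? MAX_CORRELATED : max;
  const present = new Set(existing.map((v) => v.trim().toLowerCase()));
  const fresh = [];
  let skippedExisting = 0;
  for (const ind of correlated) {
    const key = ind.value.trim().toLowerCase();
    if (present.has(key)) {
      skippedExisting += 1;
      continue;
    }
    present.add(key);
    fresh.push(ind);
  }
  const toAdd = fresh.slice(0, limit);
  return { toAdd: toAdd, truncated: fresh.length - toAdd.length, skippedExisting: skippedExisting };
}

// Constructed sample ticket; 198.51.100.0/24 and 203.0.113.0/24 are
// documentation address ranges, not real infrastructure.
const SAMPLE_RECORD = {
  short_description: 'Phishing campaign, example.com',
  description: '198.51.100.7, Example.com , , 198.51.100.8',
};

// Constructed correlated-indicator response: one value the ticket already
// has, plus more new IPs than the cap allows.
function sampleCorrelated(count) {
  const list = [{ value: 'EXAMPLE.COM', type: 'DOMAIN' }];
  for (let i = 0; i < count; i += 1) {
    list.push({ value: '203.0.113.' + i, type: 'IP' });
  }
  return list;
}

// Run extraction and selection on the samples and summarise the outcome.
function demo() {
  const observables = extractObservables(SAMPLE_RECORD);
  const selection = selectCorrelatedIndicators(observables, sampleCorrelated(120));
  return { observables: observables, added: selection.toAdd.length,
           truncated: selection.truncated, skippedExisting: selection.skippedExisting };
}

console.log(JSON.stringify(demo()));
```

The sample short description shows a side effect of the comma rule worth knowing: free text such as "Phishing campaign" before a comma is treated as an observable too, so keeping the observable list in the description field separate from narrative text avoids noisy lookups. The truncated count is what you would surface in the work note so an analyst knows the Observables table is not the complete correlation set.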

Updating with new TruSTAR IOCs

The TruSTAR platform is constantly updated with new IOCs, which can provide enrichment for an existing ServiceNow security incident. The integration updates the correlated indicators found in TruSTAR in the Associated Indicators tab of the created incident.

Below are steps to see Associated Indicators:

  1. Refresh Web Page
  2. Click on Show IOC
  3. Click on Associated Indicators
  4. Click on TruSTAR Indicators_XXXX (**XXXX = security Incident number)

Known Limitations

  1. Incident Reports are transferred into Station when they are closed even when the user/administrator has unchecked the box that controls whether regular Incident Reports are transferred to Station. The transfer takes place specifically when the Incident Report ticket is closed, and not until then. Developers are correcting this issue. The temporary work-around is to disable the business rules that allow Incident Reports to transfer into Station.
  2. When configuring the plugin’s settings, the “Apply” button does not always save and apply settings. For the user/administrator to be sure that her/his settings modifications are saved and applied, she/he should use the “Save” button, not the “Apply” button. Developers are correcting this issue.

TROUBLESHOOTING / FAQs

Q: How long does it take to set up the integration?

A: ServiceNow plugin setup can take anywhere from 15 - 20 mins to configure.

Q: Do you ingest work notes ?

A: No. Ingesting work notes can be noisy. If a user wants to submit IOCs or details to TruSTAR, they need to be in the Description or Short description fields.

Q: Do you ingest secure notes ?

A: No. If a user wants to submit IOCs or details to TruSTAR, they need to be in the Description or Short description fields.

Q: How do you delete/reinstall/update the TruSTAR plugin?

A: Updating the app involves deleting the app and reinstalling the updated plugin; the steps are listed below.

Update App: This describes the process of upgrading the TruSTAR plugin and application in ServiceNow. The old update set and application need to be removed from ServiceNow and replaced with the newer version.

Q: How do I remove the Update Set?

Follow these steps:

  1. Navigate to System Update Sets -> Retrieved Update Sets
  2. Select TruSTAR Update set
  3. Select Delete from the Actions on selected rows dropdown menu

Q: How do I remove the TruSTAR Application?

  1. Navigate to System Applications -> Applications
  2. Select TruSTAR → Delete
  3. Type/Select “delete” in the confirmation dialog.

Please reach out to support@trustar.co for any additional questions.