ServiceNow V2

Updated 1 week ago by Elvis Hovor

Introduction

This documentation describes the ServiceNow plugin built for TruSTAR. The plugin lets users bring the context of TruSTAR's IOCs and incidents into their ServiceNow workflows. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR's vetted community of enterprise members. This update to the ServiceNow integration gives users more control over what is submitted from ServiceNow into their TruSTAR enclave, and a tighter integration between TruSTAR and ServiceNow overall.


Installation

This integration is delivered as an update set XML file. You can download it here. The XML file contains all the ServiceNow object metadata required to run TruSTAR's integration in ServiceNow.

The following bundle is required for a successful install of the TruSTAR app. The bundle can be downloaded here.

#   Bundle Name                                             Description
1   ServiceNow-TruSTAR Integration Phase – II v1.0.0.xml    This update set XML file contains all the actions required to support TruSTAR actions from ServiceNow.



System Prerequisites

This section describes the system requirements to run the TruSTAR integration in ServiceNow.

ServiceNow "Jakarta" release or higher

Incident Management (Required)

Security Incident Management (Optional)

ServiceNow plugin Security Incident Response (Optional) - more info here

Threat Intelligence Plugin (Optional)

Installation

This section describes the process of installing the TruSTAR integration in a ServiceNow instance.

Below are the steps to import and commit the update set.

  1. Navigate to System Update Sets -> Retrieved Update Sets

    Figure 1 TruSTAR Installation
  2. Go to Related Links and click "Import Update Set from XML"
  3. Select the XML update set provided in the deliverables and click Upload.

    Figure 2 Installation: Upload XML file
  4. Once the upload has finished, click the TruSTAR update set to open it.

    Figure 3 Installation: Click on Update Set
  5. Click the "Preview Update Set" button.

    Figure 4 Installation: Click on Preview Update Set
  6. Click the "Commit Update Set" button.

    Figure 5 Installation: Click on Commit Update Set
  7. After a successful installation, reload the form (Refresh).
  8. Go to the Navigation Menu and type TruSTAR. The TruSTAR menu appears.

If the preview of the update set reports errors

Note - If the preview reports collisions, accept the remote update so that it overrides local files that are newer than the ones in the update set. This is due to downgrading an app from the phase-2 implementation to the phase-1 implementation. The other option is to make the changes in the local update set, but this is highly risky and is not recommended. Review each collision the preview reports before accepting it, and commit only once the preview completes without unresolved problems.

Configuration

This section describes the steps to configure the TruSTAR integration: the TruSTAR API endpoint, API key, API secret and enclave ID(s). The API key and secret authenticate your instance to TruSTAR; treat them as credentials and keep the Settings menu restricted to the admin role (see User Role Setup).

  1. Go to the Navigation Menu and enter TruSTAR
  2. Click the Settings menu option
  3. Enter the TruSTAR API endpoint base URL (i.e. https://api.trustar.co)

    Figure 6 Configure TruSTAR Integration
  4. Enter the API Key - available at https://station.trustar.co/settings/api
  5. Enter the API Secret - available at https://station.trustar.co/settings/api
  6. Enter the Enclave Id - available at https://station.trustar.co/settings/api

    1. NOTE: If you have multiple enclaves, enter their enclave IDs as comma-separated values.
  7. Select auto submission, configure the report body and the tags to exclude. These settings decide which incident data leaves the instance for your TruSTAR enclave, so review them before enabling auto submission.
  8. Click Update Configuration.
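An added example, not part of the TruSTAR plugin, of checking the values entered in the steps above before they are saved: the base URL must be https with no path (the API key and secret are sent on every request, and the plugin appends the API path itself), the key and secret must be present, and the comma-separated enclave IDs must parse to at least one well-formed ID. The setting names (baseUrl, apiKey, apiSecret, enclaveIds) and the UUID format of enclave IDs are assumptions; the code is plain ES5 with no ServiceNow API calls, so it runs under Node as well as inside a script include.

```javascript
// Added example, not part of the TruSTAR plugin. Plain ES5 with no ServiceNow API
// calls, so it runs under Node as well as inside a script include. The setting names
// (baseUrl, apiKey, apiSecret, enclaveIds) and the UUID format of enclave IDs are assumptions.

var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// The Settings form takes one enclave ID or several separated by commas.
// Returns the cleaned, de-duplicated list; throws on an empty list or a malformed ID.
function parseEnclaveIds(raw) {
  var items = String(raw || '').split(',');
  var seen = {};
  var ids = [];
  for (var i = 0; i < items.length; i++) {
    var id = items[i].trim().toLowerCase();
    if (!id) continue;                      // tolerate a trailing comma or blank entry
    if (!UUID_RE.test(id)) throw new Error('Enclave ID is not a UUID: ' + id);
    if (!seen[id]) { seen[id] = true; ids.push(id); }
  }
  if (ids.length === 0) throw new Error('At least one enclave ID is required');
  return ids;
}

// Check the whole settings record. Returns { ok, errors, baseUrl, enclaveIds } so the
// caller can show every problem at once rather than failing on the first one.
function validateSettings(settings) {
  var s = settings || {};
  var errors = [];
  var url = String(s.baseUrl || '').trim();
  // The API key and secret are sent on every request, so refuse plain http.
  // The plugin appends the API path itself, so refuse anything beyond scheme and host.
  if (!/^https:\/\/[^\/\s]+\/?$/i.test(url)) {
    errors.push('baseUrl must be https://<host> with no path, got: "' + url + '"');
  }
  if (!String(s.apiKey || '').trim()) errors.push('apiKey is empty');
  if (!String(s.apiSecret || '').trim()) errors.push('apiSecret is empty');
  var enclaveIds = [];
  try {
    enclaveIds = parseEnclaveIds(s.enclaveIds);
  } catch (e) {
    errors.push(e.message);
  }
  return {
    ok: errors.length === 0,
    errors: errors,
    baseUrl: url.replace(/\/+$/, ''),   // normalise away a trailing slash
    enclaveIds: enclaveIds
  };
}

// Constructed sample settings: the first is what the Configuration steps produce,
// the second shows the mistakes the check is meant to catch.
var GOOD_SETTINGS = {
  baseUrl: 'https://api.trustar.co/',
  apiKey: 'example-api-key',
  apiSecret: 'example-api-secret',
  enclaveIds: 'AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE, 11111111-2222-3333-4444-555555555555,'
};
var BAD_SETTINGS = {
  baseUrl: 'http://api.trustar.co/api/1.3',
  apiKey: 'example-api-key',
  apiSecret: '',
  enclaveIds: 'not-a-uuid'
};
```

Running validateSettings(GOOD_SETTINGS) returns ok with two enclave IDs and the base URL normalised to https://api.trustar.co; validateSettings(BAD_SETTINGS) returns three errors (plain http with a path, empty secret, malformed enclave ID).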

User Role Setup

This section describes how to set up the user access permissions needed to fully configure and use the TruSTAR integration.

  1. Two roles are involved in accessing the TruSTAR menus.
    1. TruSTARAdmin (access to the TruSTAR menus)
    2. admin (access to the Settings menu)

Only the user who configures the integration needs admin; analysts who only use the TruSTAR menus should be given TruSTARAdmin alone.

Below are the steps to assign roles to a user.

  1. Log in to the instance as an admin user
  2. Navigate to User Administration -> Users
  3. Select the user and navigate to the "Roles" tab
  4. Select Edit next to Roles
  5. Assign the roles "TruSTARAdmin" and "admin" and Save

Create Security Incident / Incident

This section describes the process of creating a security incident or an incident manually in ServiceNow. The steps below use a security incident.

  1. Navigate to "Security Incident/Incident" in the Navigation menu.
  2. Click "Show All Incidents"
  3. Click "New"
  4. Fill in all required details in the Incident form and Submit
  5. Enter the observables to be looked up in TruSTAR in the short description or description field. (** Observables need to be comma (,) separated.)

    Figure 7 Create Security Incident
    Figure 8 Enter Incident Details

A manual action to submit a report to TruSTAR is also provided on Incident and Security Incident.
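As an added example, not code from the TruSTAR plugin, the following shows the observable rule above in working form: split the short description and description on commas, refang and classify each item, drop free text and duplicates, and assemble a report payload for the submit action. Consistent with the comma-separated requirement, an observable embedded in a sentence is not picked up. The incident record, the enclave ID and the payload field names (title, reportBody, enclaveIds, distributionType) are assumptions for illustration; the code is plain ES5 with no ServiceNow API calls, so it runs under Node as well as inside a script include.

```javascript
// Added example, not the TruSTAR plugin's own code. Plain ES5 with no ServiceNow
// API calls, so it runs under Node as well as inside a script include.

var PATTERNS = [
  { type: 'SHA256', re: /^[0-9a-f]{64}$/i },
  { type: 'SHA1',   re: /^[0-9a-f]{40}$/i },
  { type: 'MD5',    re: /^[0-9a-f]{32}$/i },
  { type: 'IP',     re: /^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$/ },
  { type: 'EMAIL',  re: /^[^\s@]+@[^\s@]+\.[a-z]{2,}$/i },
  { type: 'URL',    re: /^https?:\/\/\S+$/i },
  { type: 'DOMAIN', re: /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i }
];

// Analysts usually defang indicators in tickets (hxxp, [.]) so they are not live links.
// Undo that so the value matches the form TruSTAR stores and correlates on.
function refang(s) {
  return s.replace(/\[\.\]/g, '.').replace(/\(\.\)/g, '.').replace(/^hxxp/i, 'http');
}

function classify(value) {
  for (var i = 0; i < PATTERNS.length; i++) {
    if (PATTERNS[i].re.test(value)) return PATTERNS[i].type;
  }
  return null;   // free text such as "user clicked the link" is not an observable
}

// fields: the incident text fields to scan. Only comma-separated items are considered,
// so an observable embedded in a sentence is deliberately not found.
function extractObservables(fields) {
  var seen = {};
  var out = [];
  for (var f = 0; f < fields.length; f++) {
    var items = String(fields[f] || '').split(',');
    for (var i = 0; i < items.length; i++) {
      var value = refang(items[i].trim());
      var type = classify(value);
      if (!type) continue;
      if (type !== 'URL') value = value.toLowerCase();  // hashes, domains, IPs are case-insensitive; URL paths are not
      var key = type + ':' + value;
      if (seen[key]) continue;                          // the same IOC in both fields is sent once
      seen[key] = true;
      out.push({ type: type, value: value });
    }
  }
  return out;
}

// Assemble the report submission. The field names follow the TruSTAR report model as
// an assumption; check them against the API version the plugin targets.
function buildReport(incident, enclaveIds) {
  var observables = extractObservables([incident.short_description, incident.description]);
  var body = observables.map(function (o) { return o.type + ': ' + o.value; }).join('\n');
  return {
    title: incident.number + ' - ' + incident.short_description,
    reportBody: body,
    enclaveIds: enclaveIds,
    distributionType: 'ENCLAVE',
    observableCount: observables.length
  };
}

// Constructed sample incident (made-up values): one observable appears in both fields,
// two items are free text, and two observables are defanged.
var SAMPLE_INCIDENT = {
  number: 'SIR0001001',
  short_description: 'Phishing campaign, hxxp://bad[.]example[.]com/login, 192.0.2.10',
  description: 'user clicked the link, 0123456789ABCDEF0123456789ABCDEF, 192.0.2.10, bad[.]example[.]com, alerts@example.com'
};

var SAMPLE_REPORT = buildReport(SAMPLE_INCIDENT, ['11111111-2222-3333-4444-555555555555']);
```

For the sample incident, extractObservables returns five items in order (URL, IP, MD5, DOMAIN, EMAIL): the duplicate IP is sent once, the uppercase hash is lowercased, and the two free-text items are ignored.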

Incident Enrichment Workflow

TruSTAR Submit Report

When a security incident is created, the TruSTAR integration submits a report to TruSTAR (automatically when auto submission is enabled in Settings, otherwise through the manual submit action).

The image below shows the work note added to the security incident for the submitted report. It contains a deep link to TruSTAR Station; clicking the link opens the report in TruSTAR Station.

Figure 9 TruSTAR Submit Report Detail

TruSTAR Correlated IOCs

Once the TruSTAR report has been submitted successfully, the integration shows the correlated indicators found in TruSTAR for the submitted report.

The image below shows the correlated-indicator work note on the security incident. It lists the correlated indicators, each with a deep link to TruSTAR Station.

Note: A maximum of 100 correlated indicators is added to the Observables table. This limits the number of API calls to TruSTAR; any indicators beyond the first 100 are not imported into ServiceNow.
Figure 10 TruSTAR Correlated Indicators


Updating with new TruSTAR IOCs

The TruSTAR platform is constantly updated with new IOCs, which can provide further enrichment for an existing ServiceNow security incident. The integration updates the correlated indicators found in TruSTAR in the Associated Indicators tab of the created incident.

Below are the steps to see the Associated Indicators:

  1. Refresh the web page
  2. Click Show IOC
  3. Click Associated Indicators
  4. Click TruSTAR Indicators_XXXX (**XXXX = the security incident number)

Troubleshooting

Please reach out to support@trustar.co with any additional questions.

