This documentation provides a description of the ServiceNow Plugin built for TruSTAR. This plugin allows users to utilize context of TruSTAR’s IOCs and incidents within ServiceNow workflow. TruSTAR arms security teams with the high signal intelligence from sources such as internal historical data, open and closed intelligence feeds and anonymized incident reports from TruSTAR’s vetted community of enterprise members. The update to the ServiceNow integration allows users more control on what to submit into their enclave into TruSTAR and overall a tighter integration between TruSTAR and ServiceNow users.
This integration is an update set XML file. You can download it here. This XML file contains all required ServiceNow objects Metadata to run TruSTAR's integration in ServiceNow.
The following bundles are required for successful install of the TruSTAR app.
ServiceNow-TruSTAR Integration Phase – II v1.0.0.xml
This update set XML file contains all the actions required to support TruSTAR actions from ServiceNow.
This section describes the system requirements to run TruSTAR integration in ServiceNow.
Service Now instance
Service Now plugin Threat Core (Security Incident)
Service Now plugin Threat Intelligence (Security Incident)
Service Now plugin Security Incident Response (Security Incident) - more info here
Service Now plugin Security Incident Analysis (Security Incident)
Service Now plugin Integration Common components (Security Incident)
This section describe process of installing TruSTAR Integration in ServiceNow Instance.
Below are steps to create users.
- Navigate to System Update Sets -> Retrieved Update Sets
Figure 1 TruSTAR Installation
- Go to Related Links and Click on “Import Update Set from XML”
- Select XML update set provided in deliverables and click Upload.
Figure 2 Installation: Upload XML file
- Once Upload is finished click TruSTAR upload set and open.
Figure 3 Installation: Click on Update Set
- Click on “Preview Update Set” button.
Figure 4 Installation: Click on Preview Update Set
- Click on “Commit Update Set” button.
Figure 5 Installation: Click on Commit Update Set
- After successful Installation please reload form (Refresh)
- Go to Navigation Menu and type TruSTAR. We can see TruSTAR Menu.
This section describes steps to configure TruSTAR Integration. We need to setup TruSTAR Endpoint, API Key, and Secret Key etc.
- Go to Navigation Menu and enter TruSTAR
- Click on Settings Menu option
- Enter TruSTAR API Endpoint Base URL (i.e. https://api.trustar.co)
Figure 6 Configure TruSTAR Integration
- Enter API Key - this is available here https://station.trustar.co/settings/api
- Enter API Secret - this is available here https://station.trustar.co/settings/api
- Enter Enclave Id. Enclave id is available here https://station.trustar.co/settings/api
- Select auto submission, configure report body and exclude Tags
- Click on Update Configuration.
User Role Setup
This section describes how to setup the user access permissions that is needed to fully configure and use the TruSTAR integration.
- You will need two roles to access TruSTAR menus.
- TruSTARAdmin (Access TruSTAR menus)
- admin (Access Settings menu)
Below are steps to assign roles to the user.
- Log in as admin user to dev instance
- Navigate to User Administration -> Users
- Select user and navigate to "Roles" tab
- Select Edit next to Roles
- Assign role "TruSTARAdmin" and "admin" and Save
Create Security Incident / Incident
This section describe process of creating security incident/Incident manually in service now. We describe the process of creating security incident.
- Navigate to “Security Incident/Incident” in Navigation menu.
- Click on “Show All Incidents”
- Click on “New”
- Fill all required details in Incident form and Submit
- Please enter Observables in short description or description field which can be lookup in TruSTAR. (** Observables needs to be (,) comma separated.)
Incident Enrichment Workflow
TruSTAR Submit Report
Once we create security incident TruSTAR integration will trigger a submit report to TruSTAR.
Below image shows submitted report security incident work note detail. It contains deep link to TruSTAR station. Once you click on this link it will redirect to TruSTAR station.
TruSTAR Correlated IOCs
Once TruSTAR report is successfully submitted. TruSTAR Integration will show Correlated indicators found in TruSTAR for submitted report.
Below image shows correlated indicator work note details shown in security incident. It shows correlated indicators with deep link to TruSTAR station.
Updating with new TruSTAR IOCs
The TruSTAR platform is constantly updated with new IOCs, which could provide enrichment for an existing ServiceNow security incident. This integration updates correlated indicators found in TruSTAR in Associated Indicators tab for created incident.
Below are steps to see Associated Indicators:
- Refresh Web Page
- Click on Show IOC
- Click on Associated Indicators
- Click on TruSTAR Indicators_XXXX (**XXXX = security Incident number)
Please reach out to email@example.com for any additional questions.