ServiceNow [Current Version]
- Easy Install - From ServiceNow Store
- Usage & App Commands
- Known Limitations
- TROUBLESHOOTING / FAQs
This documentation describes the ServiceNow plugin built for TruSTAR. The plugin lets users bring the context of TruSTAR's IOCs and incidents into their ServiceNow workflow. TruSTAR arms security teams with high-signal intelligence from sources such as internal historical data, open and closed intelligence feeds, and anonymized incident reports from TruSTAR's vetted community of enterprise members. This update to the ServiceNow integration gives users more control over what is submitted from ServiceNow into their TruSTAR enclave, and a tighter integration between TruSTAR and ServiceNow overall.
- Submit Incident and Security Incident Response (SIR) reports into your private TruSTAR Enclave.
- Enrich Incidents and SIR reports with intelligence from TruSTAR. This can be performed as both a manual and an automated action.
- Automatically update the TruSTAR report when a ServiceNow Incident or SIR is modified.
- Fine-tune the configuration of submission fields to fit your data governance policies.
The details below summarize the prerequisites and requirements for the TruSTAR ServiceNow plugin to work. Please make sure the components below are downloaded and available.
- ServiceNow "Jakarta" release or higher
- Incident Management (Required)
- Security Incident Management (Optional)
- ServiceNow plugin Security Incident Response (Optional) - more info here
- Threat Intelligence Plugin (Optional)
Easy Install - From ServiceNow Store
The TruSTAR integration is available in the ServiceNow app store for download. Please follow the steps in the "How to Install" section below to set up the TruSTAR instance.
The following bundle is required for manual installation of the TruSTAR plugin in ServiceNow. The plugin bundle can be downloaded here.
This update set XML file contains all the actions required to support TruSTAR actions from ServiceNow.
Setup & Configuration
This section describes the process of installing the TruSTAR Integration in a ServiceNow instance.
- Navigate to System Update Sets -> Retrieved Update Sets
- Go to Related Links and Click on “Import Update Set from XML”
- Select XML update set provided in deliverables and click Upload.
Figure 2 Installation: Upload XML file
- Once the upload is finished, click the TruSTAR update set to open it.
Figure 3 Installation: Click on Update Set
- Click on “Preview Update Set” button.
Figure 4 Installation: Click on Preview Update Set
- Click on “Commit Update Set” button.
Figure 5 Installation: Click on Commit Update Set
- After successful installation, reload the form (Refresh).
- Go to the Navigation Menu and type TruSTAR. You will see the TruSTAR menu.
This section describes the steps to configure the TruSTAR Integration. The TruSTAR endpoint, API Key, Secret Key and enclave IDs need to be set up.
- Go to Navigation Menu and enter TruSTAR
- Click on Settings Menu option
- Enter TruSTAR configuration parameters
- TruSTAR Station URL: use https://station.trustar.co. This is the TruSTAR Station URL from which data is collected by executing API calls.
- API Key: authentication key used to connect to TruSTAR Station when making API calls. Available under Settings -> API in your TruSTAR Station account. How to find your API Key
- API Secret: secret key used to connect to TruSTAR Station when making API calls. Available under Settings -> API in TruSTAR Station. How to find your API Secret
- Enclave IDs: enter the Enclave IDs (the alphanumeric ID next to the enclave name in TruSTAR Station) to pull data from. To pull data from multiple enclaves, separate each ID with a comma. Retrieving your Enclave IDs
- Users can select auto-submit for Incidents (INC) and/or Security Incidents (SIR) so that tickets are submitted on creation, or deselect it to submit incidents manually.
- Users can configure the report body by selecting which fields from an INC or SIR ticket are included in the body of the report submitted to TruSTAR.
- Exclude Tags lets users configure a field tag that prevents a report from being submitted to TruSTAR even when automated submission is enabled.
- Click on Update Configuration.
User Role Setup
This section describes how to set up the user access permissions needed to fully configure and use the TruSTAR integration.
- You will need two roles to access TruSTAR menus.
- TruSTARAdmin (Access TruSTAR menus)
- admin (Access Settings menu)
Below are steps to assign roles to the user.
- Log in to the dev instance as an admin user
- Navigate to User Administration -> Users
- Select user and navigate to "Roles" tab
- Select Edit next to Roles
- Assign the roles "TruSTARAdmin" and "admin" and Save
Usage & App Commands
Create Security Incident / Incident
This section describes the process of creating a Security Incident or Incident manually in ServiceNow, using a Security Incident as the example.
- Navigate to “Security Incident/Incident” in Navigation menu.
- Click on “Show All Incidents”
- Click on “New”
- Fill in all required details in the Incident form and Submit
- Enter the observables to be looked up in TruSTAR in the short description or description field. (** Observables must be comma (,) separated.)
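The comma-separation rule above and the Settings-page options (auto-submit per ticket type, configurable report body fields, exclude tag) together decide what leaves ServiceNow for the enclave. The following is an added illustration, not the TruSTAR plugin's own code: a small Python model of that decision, with hypothetical setting names (auto_submit_inc, auto_submit_sir, report_fields, exclude_tag), a hypothetical record layout, and constructed sample tickets. It shows why free text placed next to a comma-separated observable is not treated as an indicator, and why a ticket carrying the exclude tag produces no submission at all.

```python
"""Hypothetical model of the plugin's submission gating and observable parsing.
Added example; not the TruSTAR ServiceNow plugin's own code. Setting names,
record fields and sample data are assumptions constructed for illustration."""
import re
from typing import Optional

# Small set of observable patterns, enough to demonstrate validation (not exhaustive).
OBSERVABLE_PATTERNS = {
    "IP": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "MD5": re.compile(r"^[0-9a-fA-F]{32}$"),
    "SHA1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "SHA256": re.compile(r"^[0-9a-fA-F]{64}$"),
    "DOMAIN": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE),
    "URL": re.compile(r"^https?://", re.IGNORECASE),
}


def parse_observables(text: str) -> list:
    """Split a comma-separated field into (type, value) pairs.
    Tokens matching no pattern are dropped, so narrative text in the same
    field is never submitted as an indicator."""
    found = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        for kind, pattern in OBSERVABLE_PATTERNS.items():
            if pattern.match(token):
                found.append((kind, token))
                break
    return found


def should_submit(record: dict, settings: dict) -> bool:
    """Apply the Settings rules: auto-submit must be on for the ticket's table,
    and the ticket must not carry the configured exclude tag."""
    table = record["table"]  # assumed: "incident" (INC) or "sn_si_incident" (SIR)
    if table == "incident" and not settings.get("auto_submit_inc", False):
        return False
    if table == "sn_si_incident" and not settings.get("auto_submit_sir", False):
        return False
    exclude = settings.get("exclude_tag")
    if exclude and exclude in record.get("tags", []):
        return False
    return True


def build_submission(record: dict, settings: dict) -> Optional[dict]:
    """Return the report payload that would be sent, or None when the
    governance rules keep the ticket inside ServiceNow."""
    if not should_submit(record, settings):
        return None
    body_fields = settings.get("report_fields", ["short_description", "description"])
    body = "\n".join(f"{f}: {record.get(f, '')}" for f in body_fields)
    # Only the two description fields are scanned for observables; work notes are not.
    scanned = record.get("short_description", "") + "," + record.get("description", "")
    return {
        "title": f"{record['number']}: {record.get('short_description', '')}",
        "body": body,
        "enclave_ids": settings["enclave_ids"],
        "observables": parse_observables(scanned),
    }


# Constructed sample settings and tickets (placeholder values, not real data).
SAMPLE_SETTINGS = {
    "enclave_ids": ["ENCLAVE-ID-PLACEHOLDER"],
    "auto_submit_inc": False,
    "auto_submit_sir": True,
    "report_fields": ["short_description", "description", "category"],
    "exclude_tag": "no-trustar",
}
SAMPLE_SIR = {
    "table": "sn_si_incident",
    "number": "SIR0001001",
    "short_description": "Phishing wave, 198.51.100.7, evil-example.test",
    "description": "https://evil-example.test/login, d41d8cd98f00b204e9800998ecf8427e, see work notes",
    "category": "phishing",
    "tags": [],
}
SAMPLE_EXCLUDED = dict(SAMPLE_SIR, number="SIR0001002", tags=["no-trustar"])
SAMPLE_INC = dict(SAMPLE_SIR, table="incident", number="INC0001003")

if __name__ == "__main__":
    for rec in (SAMPLE_SIR, SAMPLE_EXCLUDED, SAMPLE_INC):
        print(rec["number"], "->", build_submission(rec, SAMPLE_SETTINGS))
```

With these settings only SIR0001001 yields a payload; the INC ticket is held back because INC auto-submit is off, and SIR0001002 is held back by the exclude tag. Of the tokens in the two description fields, "Phishing wave" and "see work notes" are discarded as non-observables, which is the behaviour the comma-separation rule is meant to produce.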
Submit Report to TruSTAR
Once a security incident is created, the TruSTAR integration triggers a report submission to TruSTAR.
The image below shows the work note added to the security incident for the submitted report. It contains a deep link to TruSTAR Station; clicking the link redirects you to TruSTAR Station.
TruSTAR Correlated IOCs
Once the TruSTAR report is successfully submitted, the TruSTAR Integration shows the correlated indicators found in TruSTAR for the submitted report.
The image below shows the correlated indicator work note in the security incident. It lists the correlated indicators with deep links to TruSTAR Station.
Updating with new TruSTAR IOCs
The TruSTAR platform is constantly updated with new IOCs, which can provide enrichment for an existing ServiceNow security incident. The integration updates the correlated indicators found in TruSTAR in the Associated Indicators tab of the created incident.
Below are the steps to see Associated Indicators:
- Refresh Web Page
- Click on Show IOC
- Click on Associated Indicators
- Click on TruSTAR Indicators_XXXX (**XXXX = security Incident number)
Known Limitations
- Incident Reports are transferred into Station when they are closed, even when the user/administrator has unchecked the box that controls whether regular Incident Reports are transferred to Station. The transfer takes place specifically when the Incident Report ticket is closed, and not before. Developers are correcting this issue. A temporary workaround is to disable the business rules that allow Incident Reports to transfer into Station.
- When configuring the plugin's settings, the "Apply" button does not always save and apply the settings. To be sure that settings modifications are saved and applied, the user/administrator should use the "Save" button, not the "Apply" button. Developers are correcting this issue.
TROUBLESHOOTING / FAQs
Q: How long does it take to set up the integration?
A: ServiceNow plugin setup can take anywhere from 15 - 20 minutes to configure.
Q: Do you ingest work notes?
A: No. Ingesting work notes can be noisy. If a user wants to submit IOCs or details to TruSTAR, they need to be in the Description or Short description field.
Q: Do you ingest secure notes?
A: No. If a user wants to submit IOCs or details to TruSTAR, they need to be in the Description or Short description field.
Q: How do you delete/reinstall/update the TruSTAR plugin?
A: Updating the app involves deleting the app and reinstalling the updated plugin, using the steps listed below.
Update App: to upgrade the TruSTAR plugin and application in ServiceNow, the old update set and application must be removed from ServiceNow and replaced with the newer version.
Q: How do I remove the Update Set?
Follow these steps:
- Navigate to System Update Sets -> Retrieved Update Sets
- Select TruSTAR Update set
- Select Delete from the Actions on selected rows dropdown menu
Q: How do I remove the TruSTAR Application?
- Navigate to System Applications -> Applications
- Select TruSTAR -> Delete
- Type/Select "delete" in the confirmation dialog.