Module 3: Security Incident and Threat Intelligence Integrations Flashcards
Lab Takeaway: Explain the differences between the ServiceNow Store and ServiceNow Share
What are the four integrations provided in the security operations base system
- Security Incident Response - Event Management Integration
- Security Incident Response - Import Set API Integration
- Threat Intelligence - lookup source integration
- Threat Intelligence - threat source integration
What are the three driving needs for capability framework v2
- Enhanced Configurability
- Configure Orchestration parameters outside of workflows (Max Concurrent requests, Rate limiting, batch size, etc)
- Define run time conditions for triggering Orchestration (Category = malware, Threat lookup = VirusTotal)
- Improved Maintainability
- Improve robustness of Orchestration calls (configurable time out, retry after, retry limits)
- Design integrations to receive inputs in a flexible way (CI, observables, etc)
- Employ better error handling routines with integrations (flow, subflow and script level)
- Ease to Extend, Scale, and Report
- Create blueprints that are easy to extend and replicate; reusable actions go into iHub spokes
- Address Tech Debts: Integrations outside the capability framework, not domain separated, not efficiently designed
- Easy to report on “usage” and “value” of Orchestration through PA dashboards (customer facing)
Explain the following capability that has been moved from a workflow to a Flow:
Block Request
Provides a way to block observables associated with a security incident on a firewall, web proxy, or some other control point. This capability is used during incident response investigations to contain an identified threat.
Example integration: Palo Alto Network - Firewall
Explain the following capability that has been moved from a workflow to a Flow:
Email Search and Delete
Provides a way to search an email server during a security investigation and, if necessary, delete emails from the server.
Explain the following capability that has been moved from a workflow to a Flow:
Enrich Configuration Item
Provides a general way to enrich configuration items with additional information from a variety of sources. This capability is used during incident response investigations to enrich data associated with a security incident.
Explain the following capability that has been moved from a workflow to a Flow:
Enrich Observable
Provides a general way to enrich observables with additional information from a variety of sources. This capability is used during incident response investigations to contain an identified threat.
Explain the following capability that has been moved from a workflow to a Flow:
Event Ingestion
Provides a general way to create a security incident by mapping events from an integration source to a security incident
Explain the following capability that has been moved from a workflow to a Flow:
Get Network Statistics
Retrieves a list of active network connections from an endpoint or host. This capability is used for incident enrichment during investigations
Explain the following capability that has been moved from a workflow to a Flow:
Get Running Processes
Retrieves a list of running processes from an endpoint or host. This capability is used for incident enrichment during investigations.
Example integrations include:
Carbon Black and Tanium
Explain the following capability that has been moved from a workflow to a Flow:
Isolate Host
Provides a way to isolate an endpoint or a host associated with a security incident to a watchlist that monitors for security events and generates alerts. This capability is used as part of incident response during investigations
Example: Carbon Black
Explain the following capability that has been moved from a workflow to a Flow:
Publish to Watchlist
Provides a way to add observables associated with a security incident to a watchlist that monitors for security events and generates alerts. This capability is used as part of incident response during investigations
Explain the following capability that has been moved from a workflow to a Flow:
Sightings Search
Searches various SIEMs or other log stores for instances of observables. This capability is used to determine the presence of malicious IoCs in your environment.
Examples include:
Splunk and QRadar
Explain the following capability that has been moved from a workflow to a Flow:
Threat Lookup
Performs threat intelligence lookups to determine whether a certain observable is associated with a known security threat. This capability is used as part of incident response during investigations
What are the sighting search configuration options? (four)
- Sighting Search Configurations define queries that are specific to the integration that supports this search capability
- Each combination of Observable Type and integration will require its own Sighting Search Configuration
- Three Observable Types are supported for Sighting Search Configuration
- IP Address
- Hash
- URL
- Default Sighting Search Configurations are installed with an integration that supports the capability
The following are two related lists. What are their functions?
Sighting Search Results
Sighting Search Details
Results summarizes the entire search
Details summarizes the results for each observable
Both records have more details on the form view that include which log stores reported findings, matched configuration items found in search results, and links to view the raw search in the log store that was searched
How many integration cards are available at baseline?
More than 20
These integration cards are pre-built installations for the most common security operations tools. Some may require further installation and configuration on the third party system
What are the four traits of a “ServiceNow Gold Standard Integration”?
- Enterprise Scale
- Integrations are built with extensive design and architecture review of the 3rd party product, facilitated by SMEs on the vendor side. This ensures that the integration will perform well when subjected to demanding usage patterns. For example: searching for phishing emails across a large number of user mailboxes, enabling firewall blocks across all egress points in the network
- Customer Focused
- Integrations are built with attention to detail for micro-moments as use cases are executed by incident response teams - Ex: Requesting automated approvals when requesting firewall blocks, ageing firewall block entries so that automated cleanups can be performed without requiring manual effort, notifying analysts over email when the integration actions are long (deletion of emails in a large number of mailboxes)
- Robust
- The integrations are not just developed to the API specs, but rather extensively reviewed with SMEs from the partner products for best practices and thoroughly tested
- Standardized
- The first integration for any cybersecurity domain is developed with the goal of creating a blueprint to follow for subsequent integrations by the BU, partners or customers at a fraction of the effort of the original
What is Splunk?
What can it do once integrated with ServiceNow’s Security Operations Suite?
A tool for collecting and normalizing logs into a central location to detect any unusual activity, so it can report attacks taking place - or at the very least provide early warnings of suspicious activity
It can automatically react to notifications created from ___ events, alerts and logs using platform features to drive the response process by:
Assigning manual tasks for analysis, investigation, and remediation
Automatically address events using workflows or orchestration activities
All existing and future integrations of Security Incident Response are domain separated. What is the purpose of doing this?
This enables managed security service providers to provide domain separated implementations of integrations on a per-use basis. This removes any limitations on using one common implementation of an integration for all users
What is a Security Event?
What is a Security Alert?
Event: A special record the system uses to log when certain conditions occur and to take some kind of action in response to the conditions
Alert: A particular event (or series of events) that may be of interest
How does the Security Incident Event Management Stack (processing chain) work?
- Events are raised by a third party tool, using the table REST API to inject records into the em_event table
- An Event Rule processes table records, raising alerts in the em_alert table
- An Alert Action Rule/Alert Management Rule will then process specific alerts to raise security incidents
The REST API Explorer uses information from an instance to provide a list of: (3 things)
Endpoints
Methods
Variables
Either to query and retrieve platform data (such as table rows)
or to modify data (such as inserting new records or amending data in existing ones)
Why change the Request and Response formats between JSON and XML?