Module 3: Security Incident and Threat Intelligence Integrations Flashcards

1
Q

Lab Takeaway: Explain the differences between the ServiceNow Store and ServiceNow Share

A
2
Q

What are the four integrations provided in the security operations base system

A
  • Security Incident Response - Event Management Integration
  • Security Incident Response - Import Set API Integration
  • Threat Intelligence - lookup source integration
  • Threat Intelligence - threat source integration
3
Q

What are the three driving needs for capability framework v2

A
  1. Enhanced Configurability
    1. Configure Orchestration parameters outside of workflows (max concurrent requests, rate limiting, batch size, etc.)
    2. Define run-time conditions for triggering Orchestration (e.g., Category = malware, Threat lookup = VirusTotal)
  2. Improved Maintainability
    1. Improve the robustness of Orchestration calls (configurable timeout, retry-after, retry limits)
    2. Design integrations to receive inputs in a flexible way (CI, observables, etc.)
    3. Employ better error-handling routines within integrations (flow, subflow, and script level)
  3. Ease to Extend, Scale, and Report
    1. Create blueprints that are easy to extend and replicate; reusable actions go into IntegrationHub (iHub) spokes
    2. Address technical debt: integrations outside the capability framework, not domain separated, not efficiently designed
    3. Easy to report on the "usage" and "value" of Orchestration through Performance Analytics (PA) dashboards (customer facing)
4
Q

Explain the following capability that has been moved from a workflow to a Flow:

Block Request

A

Provides a way to block observables associated with a security incident on a firewall, web proxy, or some other control point. This capability is used during incident response investigations to contain an identified threat.

Example integration: Palo Alto Network - Firewall

5
Q

Explain the following capability that has been moved from a workflow to a Flow:

Email Search and Delete

A

Provides a way to search an email server during a security investigation and, if necessary, delete emails from the server.

6
Q

Explain the following capability that has been moved from a workflow to a Flow:

Enrich Configuration Item

A

Provides a general way to enrich configuration items with additional information from a variety of sources. This capability is used during incident response investigations to enrich data associated with a security incident.

7
Q

Explain the following capability that has been moved from a workflow to a Flow:

Enrich Observable

A

Provides a general way to enrich observables with additional information from a variety of sources. This capability is used during incident response investigations to enrich data associated with a security incident (enrichment informs the investigation; it does not itself contain the threat, which is what Block Request is for).

8
Q

Explain the following capability that has been moved from a workflow to a Flow:

Event Ingestion

A

Provides a general way to create a security incident by mapping events from an integration source to a security incident.

9
Q

Explain the following capability that has been moved from a workflow to a Flow:

Get Network Statistics

A

Retrieves a list of active network connections from an endpoint or host. This capability is used for incident enrichment during investigations.

10
Q

Explain the following capability that has been moved from a workflow to a Flow:

Get Running Processes

A

Retrieves a list of running processes from an endpoint or host. This capability is used for incident enrichment during investigations.

Example integrations include:

Carbon Black and Tanium

11
Q

Explain the following capability that has been moved from a workflow to a Flow:

Isolate Host

A

Provides a way to isolate an endpoint or host associated with a security incident from the network, so that an identified threat can be contained. This capability is used as part of incident response during investigations.

Example: Carbon Black

12
Q

Explain the following capability that has been moved from a workflow to a Flow:

Publish to Watchlist

A

Provides a way to add observables associated with a security incident to a watchlist that monitors for security events and generates alerts. This capability is used as part of incident response during investigations.

13
Q

Explain the following capability that has been moved from a workflow to a Flow:

Sightings Search

A

Searches various SIEMs or other log stores for instances of observables. This capability is used to determine the presence of malicious IoCs in your environment.

Examples include:

Splunk and QRadar

14
Q

Explain the following capability that has been moved from a workflow to a Flow:

Threat Lookup

A

Performs threat intelligence lookups to determine whether a given observable is associated with a known security threat. This capability is used as part of incident response during investigations.

15
Q

What are the Sighting Search Configuration options? (four)

A
  • Sighting Search Configurations define queries that are specific to the integration that supports the search capability
  • Each combination of Observable Type and integration requires its own Sighting Search Configuration
  • Three Observable Types are supported for Sighting Search Configuration:
    • IP Address
    • Hash
    • URL
  • Default Sighting Search Configurations are installed with an integration that supports the capability
16
Q

The following are two related lists. What are their functions

Sighting Search Results

Sighting Search Details

A

Sighting Search Results summarize the entire search.

Sighting Search Details summarize the results for each observable.

Both records carry more detail in the form view, including which log stores reported findings, the configuration items matched in the search results, and links to view the raw search in the log store that was queried.

17
Q

How many integration cards are available at baseline?

A

More than 20

These integration cards are pre-built installations for the most common security operations tools. Some require further installation and configuration on the third-party system before they work.

18
Q

What are the four traits of a “ServiceNow Gold Standard Integration”?

A
  • Enterprise Scale
    • Integrations are built with extensive design and architecture review of the third-party product, facilitated by SMEs on the vendor side. This ensures that the integration performs well when subjected to demanding usage patterns, for example searching for phishing emails across a large number of user mailboxes, or enabling firewall blocks across all egress points in the network.
  • Customer Focused
    • Integrations are built with attention to detail for the micro-moments that incident response teams encounter as use cases are executed. Examples: requesting automated approvals when requesting firewall blocks; ageing firewall block entries so that automated cleanup can be performed without manual effort; notifying analysts over email when integration actions run long (deletion of emails in a large number of mailboxes).
  • Robust
    • The integrations are not just developed to the API specs; they are extensively reviewed with SMEs from the partner products for best practices and thoroughly tested.
  • Standardized
    • The first integration for any cybersecurity domain is developed with the goal of creating a blueprint that subsequent integrations, whether by the BU, partners, or customers, can follow at a fraction of the effort of the original.
19
Q

What is Splunk?

What can it do once integrated with ServiceNow’s Security Operations Suite?

A

A tool for collecting and normalizing logs into a central location to detect unusual activity, so it can report attacks taking place, or at the very least provide early warning of suspicious activity.

Once integrated, ServiceNow can automatically react to notifications created from ___ events, alerts, and logs, using platform features to drive the response process by:

Assigning manual tasks for analysis, investigation, and remediation

Automatically addressing events using workflows or orchestration activities

20
Q

All existing and future integrations of Security Incident Response are domain separated. What is the purpose of doing this?

A

This enables managed security service providers (MSSPs) to provide domain-separated implementations of integrations on a per-customer basis, rather than being limited to one common implementation of an integration shared by all users.

21
Q

What is a Security Event?

What is a Security Alert?

A

Event: A special record the system uses to log when certain conditions occur and to take some kind of action in response to the conditions

Alert: A particular event (or series of events) that may be of interest

22
Q

How does the Security Incident Event Management Stack (processing chain) work?

A
  1. Events are raised by a third-party tool, which uses the Table REST API to insert records into the em_event table
  2. An Event Rule processes the em_event records, raising alerts in the em_alert table
  3. An Alert Action Rule / Alert Management Rule then processes specific alerts to raise security incidents
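The following Python is an added, offline model of the three-step chain above; it is not ServiceNow's own code and not part of the original flashcards. It builds the Table API request a third-party tool would send to the em_event table (without sending it), applies event rules that raise de-duplicated alerts keyed on message_key, and applies an alert management rule that raises a security incident only for alerts at or above a chosen severity. The instance URL, the rule conditions, the helper names, and the sample events are constructed for the example; only the /api/now/table/em_event path and the em_event/em_alert field names (source, node, type, resource, severity, message_key, description) are real ServiceNow names.

```python
"""Offline model of the Security Incident event-processing chain (added example)."""
import json

INSTANCE = "https://example.service-now.com"  # hypothetical instance URL


def build_event_request(event):
    """Step 1: what a third-party tool sends via the Table REST API.
    Returns the request it would make; nothing is sent on the network."""
    return {
        "method": "POST",
        "url": f"{INSTANCE}/api/now/table/em_event",
        "headers": {"Content-Type": "application/json", "Accept": "application/json"},
        "body": json.dumps(event),
    }


# Constructed sample events (em_event field names). Severity: 1 Critical ... 5 Info.
SAMPLE_EVENTS = [
    {"source": "Splunk", "node": "web01", "type": "Malware detected", "resource": "/tmp/x.bin",
     "severity": "1", "message_key": "splunk:web01:malware", "description": "EDR: Trojan"},
    {"source": "Splunk", "node": "web01", "type": "Malware detected", "resource": "/tmp/x.bin",
     "severity": "1", "message_key": "splunk:web01:malware", "description": "EDR: Trojan"},  # duplicate
    {"source": "Splunk", "node": "db02", "type": "Failed login", "resource": "sshd",
     "severity": "4", "message_key": "splunk:db02:auth", "description": "brute force"},
    {"source": "Nagios", "node": "db02", "type": "Disk full", "resource": "/var",
     "severity": "2", "message_key": "nagios:db02:disk", "description": "ops only"},
]

# Hypothetical event rules: which events become alerts, and at what alert severity.
EVENT_RULES = [
    {"name": "Splunk malware", "match": {"source": "Splunk", "type": "Malware detected"}, "alert_severity": "1"},
    {"name": "Splunk auth", "match": {"source": "Splunk", "type": "Failed login"}, "alert_severity": "4"},
]

# Hypothetical alert management rule: only Critical/Major Splunk alerts become security incidents.
ALERT_MANAGEMENT_RULES = [
    {"name": "SIR for critical Splunk alerts", "match": {"source": "Splunk"},
     "max_severity": 2, "category": "Malicious code activity"},
]


def matches(record, conditions):
    """True when every condition field equals the record's value."""
    return all(record.get(k) == v for k, v in conditions.items())


def process_events(events, event_rules, alert_rules):
    """Steps 2 and 3: em_event -> em_alert (de-duplicated) -> security incident."""
    alerts = {}     # message_key -> em_alert-like record
    incidents = []  # sn_si_incident-like records
    for ev in events:
        rule = next((r for r in event_rules if matches(ev, r["match"])), None)
        if rule is None:
            continue  # no event rule matched: the event stays in em_event, no alert
        key = ev["message_key"]
        if key in alerts:
            alerts[key]["event_count"] += 1  # same message_key updates the existing alert
            continue
        alert = {"source": ev["source"], "node": ev["node"], "severity": rule["alert_severity"],
                 "message_key": key, "description": ev["description"], "rule": rule["name"],
                 "event_count": 1}
        alerts[key] = alert
        for ar in alert_rules:
            if matches(alert, ar["match"]) and int(alert["severity"]) <= ar["max_severity"]:
                incidents.append({"short_description": f"{ev['type']} on {ev['node']}",
                                  "category": ar["category"], "cmdb_ci": ev["node"],
                                  "alert": key})
                break
    return list(alerts.values()), incidents


if __name__ == "__main__":
    print(json.dumps(build_event_request(SAMPLE_EVENTS[0]), indent=2))
    alerts, incidents = process_events(SAMPLE_EVENTS, EVENT_RULES, ALERT_MANAGEMENT_RULES)
    print(json.dumps({"alerts": alerts, "incidents": incidents}, indent=2))
```

Running it shows four events collapsing to two alerts (the duplicate malware event only bumps event_count) and one security incident: the Warning-level failed-login alert and the Nagios event never reach Security Incident Response, which is the filtering the rule layers exist to provide.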
23
Q

The REST API Explorer uses information from an instance to provide a list of: (3 things)

A

Endpoints

Methods

Variables

These are used either to query and retrieve platform data (such as table rows)

or to modify data (such as inserting new records or amending data in existing ones)

24
Q

Why change the Request and Response formats between JSON and XML?

A
25
Q

Explain the three different integration approaches

A
  • Platform (pre-loaded cards)
  • Store (requesting new integrations)
  • Custom (REST API or utilizing Share code)