Security Incident and Threat Intelligence Integrations Flashcards

1
Q

What are the integrations provided in Security Operations base system?

A

Security Incident Response - Event Management Integration

Security Incident Response - Import Set API Integration

Threat Intelligence - Lookup Source Integration

Threat Intelligence - Threat Source Integration

2
Q

What are the driving needs for Capability Framework V2?

A

Enhanced Configurability

Improved Maintainability

Ease to Extend, Scale, and Report

3
Q

What are the Capability Integration Framework core components?

A
Block Request
Email Search and Delete
Enrich Configuration Item
Enrich Observable
Event Ingestion
Get Network Statistics
Get Running Processes
Isolate Host
Publish To Watchlist
Sighting Search
Threat Lookup

See pages 151 and 153 in the book for more details (Rome release); page 147 (San Diego release).

4
Q

What do Sighting Search configurations include?

A

A Sighting Search Configuration defines queries that are specific to the integration that supports this search capability.

Each combination of Observable Type and Integration requires its own Sighting Search Configuration.

Three Observable Types are supported for Sighting Search Configuration: IP Address, Hash, and URL.

Default Sighting Search Configurations are installed with an integration that supports the capability.

5
Q

Sighting Search shows two related lists. What are they?

A

Sighting Search Results - summarizes the entire search

Sighting Search Details - summarizes the results for each Observable

6
Q

Integration Cards are the most common Security Operations tools provided within the Platform. At baseline, how many cards are available?

A

There are over 20 integration cards available and more integrations available from the ServiceNow Store.

7
Q

What are the ServiceNow Gold Standard Integration traits? (“Turn-Key”)

A

Enterprise Scale - Work closely with vendors to get the right architecture for enterprise scale.

Customer Focused - Work closely with customers to get the right use cases and early access validation.

Robust - Developed correctly against the 3rd party product APIs.

Standardized - Standardize the design for similar integrations.

8
Q

Splunk is a commonly used application. Whose responsibility is the customer’s Splunk dashboard?

A

The customer

10
Q

Splunk integration configuration is performed within Splunk’s platform. Who is responsible for activating it?

A

Splunk SME

11
Q

What are the setup steps for integrating Splunk with the ServiceNow platform?

A
  1. Downloading the add-on file in Splunk
  2. Installing the Add-on
  3. Setting the ServiceNow instance where security incidents and events are created
12
Q

Carbon Black, unlike the Splunk integration, is configured completely within the ServiceNow platform and only requires what from the customer?

A

API Key

13
Q

What Does DLP stand for?

A

Data Loss Prevention

14
Q

What are the Data Loss Prevention Incident Response benefits?

A
  1. Integrate with multiple 3rd party DLP solutions to gain a unified view of the incidents in the Now Platform.
  2. Monitor and assign incidents to the end users so that you can streamline DLP incident management.
  3. Coach your employees through the customized email templates and notifications that are sent for each incident, as well as in the form of a digest.
  4. Escalate the overdue DLP incidents from the end users to the managers.
  5. View summary reports of open incidents by policy, severity, top offenders, and so on.
  6. Track DLP incident trends, false positive trends, and remediation trends.
15
Q

What is MISP?

A

Malware Information Sharing Platform - lets you exchange and share threat intelligence and Indicators of Compromise (IoCs) about targeted malware and attacks within your community of trusted members. You can also share your MISP information with private or open communities. By exchanging MISP information, you can investigate targeted attacks faster, improve the detection ratio, and reduce the number of false positives in your environment.

16
Q

What are the key features of the Malware Information Sharing Platform (MISP) integration?

A
  • Connect to private and public MISP instances
  • Support manual and automatic sighting search of Observables
  • Run sighting search from case management
  • Report or update sightings to an attribute:
    - Report an observable as a sighting (global), a false positive (global), or as expired
  • Support manual and automatic observable enrichment. Results include the MISP attribute and event information that is associated with the observable.
  • Attribute enrichment in MISP, which includes adding or updating tags, galaxies, or comments
  • Event creation in MISP from SIR; supports manual and automatic creation of events in MISP from SIR
  • Update a MISP event from SIR, which includes adding or updating tags, galaxies, or attributes
  • Add security incident associated observables as attributes to a MISP event
  • Auto-extract MITRE ATT&CK information from MISP attributes and associate the information with SIR security incidents
  • Automatically add SIR MITRE ATT&CK information as galaxies to a MISP event
17
Q

What are the Malware Information Sharing Platform (MISP) key concepts?

A
  1. MISP is a Threat Intelligence Platform (TIP)
  2. MISP is Threat Intelligence Management (TIM)
  3. MISP data layer
  4. MISP context layer
  5. Indicators contain a pattern used for detection
  6. Attributes in MISP can be network or system indicators, or even bank account details
18
Q

What are the MISP data layers?

A

Events are encapsulations for contextually linked information

Attributes are individual data points, which can be indicators or supporting data

Objects are custom template attribute compositions

Object references are the relationships between the other building blocks

Sightings are time-specific occurrences of a detected data-point

19
Q

MISP is a Threat Intelligence Platform (TIP). What can you use a TIP for?

A

To collect, correlate, categorize, share, and integrate security threat data in real time to support the prioritization of actions and aid in attack prevention, detection, and response.

20
Q

What are the MISP context layers?

A

Tags are labels that are attached to events or attributes and may come from taxonomies

Galaxy-clusters are knowledge base items that you can use to label events or attributes that come from galaxies

Cluster relationships denote pre-defined relationships between clusters.

21
Q

After upgrades and deployments of new applications or integrations, what is a good practice?

A

Run a quick start test for SIR

22
Q

What do customers need to use the ServiceNow Store?

A

A HI account.

Key notes:
Customers should not decide to install a free integration on their instance and then enquire how to obtain and use the vendor product it integrates with.

Many of these third party products require initial complex setup and ongoing support from skilled internal resources; the decision to obtain and use a new and unfamiliar product should not be based upon the fact that an integration exists for it.

23
Q

What is the alternative location for applications other than the ServiceNow Store?

A

ServiceNow Share at developer.servicenow.com/app.do!/share

Please note:
These applications are untested, uncertified, and unsupported by ServiceNow. ServiceNow is not responsible for any damage or adverse impact caused.

24
Q

What is the REST API Explorer used for?

A

The REST API Explorer uses information from an instance to provide a list of endpoints, methods, and variables.

Side note:
It is used to build and send a REST request, either to query and retrieve platform data or to modify data, such as inserting new records or amending data in existing ones.