Security Incident and Threat Intelligence Integrations Flashcards
What are the integrations provided in the Security Operations base system?
Security Incident Response - Event Management Integration
Security Incident Response - Import Set API Integration
Threat Intelligence - Lookup Source Integration
Threat Intelligence - Threat Source Integration
What are the driving needs for Capability Framework V2?
Enhanced Configurability
Improved Maintainability
Easy to Extend, Scale and Report
What are the Capability Integration Framework core components?
- Block Request
- Email Search and Delete
- Enrich Configuration Item
- Enrich Observable
- Event Ingestion
- Get Network Statistics
- Get Running Processes
- Isolate Host
- Publish To Watchlist
- Sighting Search
- Threat Lookup
See pages 151 and 153 in the book for more details (Rome: pg 147; San Diego).
Sighting Search configurations include?
Sighting Search configurations define queries that are specific to the integrations that support this search capability
Each combination of Observable Type and Integration will require its own Sighting Search Configuration
Three Observable Types are supported for Sighting Search Configuration - IP Address, Hash, and URL.
Default Sighting Search Configurations are installed with an integration that supports the capability
Sighting Search shows 2 related lists. What are they?
Sighting Search Results - summarizes the entire search
Sighting Search Details - summarizes the results for each Observable
Integration Cards are the most common Security Operations tools provided within the Platform. Baseline, how many cards are available?
There are over 20 integration cards available and more integrations available from the ServiceNow Store.
What are the ServiceNow Gold Standard Integration traits? (“Turn-Key”)
Enterprise Scale - Work Closely with vendors to get the right architecture for enterprise scale.
Customer Focused - Work Closely with customer to get the right use cases and Early access validation
Robust - Developed right with the 3rd party product APIs
Standardized - Standardize the design for similar integrations
Splunk is a commonly-used Application. The customer’s Splunk dashboard is whose responsibility?
The customer
Splunk integration configuration is performed within Splunk’s platform. Who is responsible for activating it?
Splunk SME
The setup procedures for Splunk onto the ServiceNow platform are?
- Downloading the add-on file in Splunk
- Installing the Add-on
- Setting the ServiceNow instance where security incidents and events are created
Carbon Black, unlike the Splunk integration, is configured completely within the ServiceNow platform and only requires what from the customer?
API Key
What Does DLP stand for?
Data Loss Prevention
Data Loss Prevention Incident Response Benefits
- Integrate with multiple 3rd party DLP solutions to gain a unified view of the incidents in the Now Platform.
- Monitor and assign incidents to the end users so that you can streamline DLP incident management.
- Coach your employees through the customized email templates and notifications that are sent for each incident as well as in the form of a digest
- Escalate the overdue DLP incidents from the end users to the managers.
- View summary reports of open incidents by policy, severity, top-offenders, and so on
- Track DLP incidents trends, false positive trends, and remediation trends.
What is MISP?
Malware Information Sharing Platform - lets you exchange and share threat intelligence and Indicators of Compromise (IoCs) about targeted malware and attacks within your community of trusted members. You can also share your MISP information with private or open communities. By exchanging MISP information, you can investigate targeted attacks faster, improve the detection ratio, and reduce the number of false positives in your environment.