Security Incident and Threat Intelligence Integrations

Question 1

What are the integrations provided in Security Operations base system?

Answer 1

Security Incident Response - Event Management Integration

Security Incident Response - Import Set API Integration

Threat Intelligence - Lookup Source Integration

Threat Intelligence - Threat Source Integration

Question 2

What are the driving needs for Capability Framework V2?

Answer 2

Enhanced Configurability

improved Maintainability

Ease to Extend, Scale and Report

Question 3

Capability Integration Framework core Components are?

Answer 3

Block Request
Email Search and Delete
Enrich Configuration Item
Enrich Observable
Event Ingestion
Get network Statistics
Get Running Processes 
Isolated host 
Publish To Watchlist
Sighting Search
Threat Lookup

see pages 151 and 153 in book for more details Rome pg 147 San Diego

Question 4

Sighting Search configurations include?

Answer 4

Sighting search configuration defines queries that are specific to the integration that support this search capability

Each combination of Observable Type and Integration will require its own Sighting Search Configuration

Three Observable Types are supported for Sight Search Configuration - IP Address, Hash, and URL.

Default Sighting Search Configurations are installed with an integration that supports the capability

Question 5

Sighting Search shows 2 related lists. what are they?

Answer 5

Sighting Search Results - summarizes the entire search

Sightings Search Details summarizes the results for each Observable

Question 6

Integration Cards are the most common Security Operation tools provided within the Platform. Baseline how many available cards are there?

Answer 6

There are over 20 integration cards available and more integrations available from the ServiceNow Store.

Question 7

What is ServiceNow Gold Standard Integration Traits? “Turn-Key”

Answer 7

Enterprise Scale - Work Closely with vendors to get the right architecture for enterprise scale.

Customer Focused - Work Closely with customer to get the right use cases and Early access validation

Robust - Developed right with the 3rd party product API’s

Standardized - Standardized the design for similar integrations

Question 8

Splunk is a commonly-used Application. The customer’s Splunk dashboard is who’s responsibility?

Answer 8

The customer

Question 9

Splunk is a commonly-used Application. The customer’s Splunk dashboard is who’s responsibility?

Answer 9

The customer

Question 10

Splunk integration configuration is performed within Splunk’s platform. Who is responsible for activating it?

Answer 10

Splunk SME

Question 11

The setup procedures for Splunk onto the ServiceNow platform are?

Answer 11

1. Downloading the add-on file in Splunk
2. Installing the Add-on
3. Setting the ServiceNow instance where security incidents and events are created

Question 12

Carbon Black, opposite of Splunk integration, is completely done within the ServiceNow platform and only requires what from the customer?

Answer 12

API Key

Question 13

What Does DLP stand for?

Answer 13

Data Loss Prevention

Question 14

Data Loss Prevention Incident Response Benefits

Answer 14

1. Integrate with multiple 3rd party DLP solutions to gain a unified view of the incidents in the Now Platform.
2. Monitor and assign incidents to the end users to that you can streamline DLP incident management.
3. Coach your employees through the customized email templates and notifications that are sent for each incident as well as in the form of a digest
4. Escalate the over due DLP incidents from the end users to the managers.
5. View summary reports of open incidents by policy, severity, top-offenders, and so on
6. Track DLP incidents trends, false positive trends, and remediation trends.

Question 15

What is MISP?

Answer 15

Malware Information Sharing Platform - lets you exchange and share threat intelligence and Indicators of Compromise IoCs about the targeted malware and attacks within your community of trusted members. You can also share your MISP information with private or open communities. By exchanging MISP information, you can investigate targeted attacks faster, improve the section ratio, and reduce the number of false positives in your environment.

Question 16

key features to Malware Information Sharing Platform (MISP)

Answer 16

• Connect to private and public MISP Instance
• Support manual and automatic sighting search of Observables
• Run sighting search from case management
• Report or update sightings to an attribute:
  - Report an observable as a sighting (global), a false positive (global), as expired
• Support manual and automatic observable enrichment. Results include the MISP attribute and event infromation that is associated with the observable.
• Attribute enrichment in MISP which includes adding or updating tags, galaxies, or comments
• Event creation in MISP from SIR; Supports manual and automatic creation of events in MISP from SIR
• Update a MISP event from SIR which includes adding or updating tags, galaxies, or attributes
• add security incident associated observables as attributes to a MISP event
• Auto-extract MITRE ATT&CK information from MISP attributes and associate the information to SIR security Incidents
• Automatically add SIR MITRE ATT&CK information as galaxies to a MISP event.

Question 17

Malware Information Sharing Platform MISP key concepts

Answer 17

1. MISP is a Threat Intelligence Platform
2. MISP is a threat Intelligence Management TIM
3. MISP data Layer
4. MISP context Layer
5. Indicators contain a pattern used for section
6. Attributes in MISP can be network or system indicators, or even bank account details.

Question 18

MISP Data Layers are?

Answer 18

Events are encapsulations for contextually linked information

Attributes are individual data points, which can be indicators or supporting data

Objects are custom template attribute compositions

Object references are the relationships between the other building blocks

Sightings are time-specific occurrences of a detected data-point

Question 19

MISP is a Threat Intelligence Platform (TIP) what can you TIP for?

Answer 19

To collect, Correlate, categorize, share, and integrate security threat data in real time to support the prioritization of actions and aid in attack prevention, detection, and response.

Question 20

What are the MISP context layers?

Answer 20

Tags are labels that are attached to events or attributes and may come from taxonomies

Galaxy-clusters are knowledge base items that you can use to label events or attributes that come from galaxies

Cluster relationships denote pre-defined relationships between customers.

Question 21

After upgrades and deployments of new applications or integrations what is a good practice?

Answer 21

Run a quick start test for SIR

Question 22

What do customers need to use ServiceNow Store?

Answer 22

Hi account.
Key notes
Customers should not decide to install free integration on their instance then enquire how to obtain and use the vendor product it integrates to

Many of these Third party products require initial complex setup and ongoing support from skilled internal resources; Their decision to obtain and use a new and unfamiliar product should not be based upon the fact an integration exists for it

Question 23

Alternative location for applications other than the SN store is what?

Answer 23

ServiceNow Share at developer.servicenow.com/app.do!/share

Please note
These applications are untested, uncertified, and unsupported by SN. SN is not responsible for any damage or adverse impact caused.

Question 24

What is REST API Explorer used for

Answer 24

The REST API Explorer uses information from an instance to provide a list of endpoints, methods, and variables.

side note
In order to build and send a REST request either to query and retrieve platform date or to modify data, such as inserting new records or amending data in existing ones.