Define a threat source

You can maintain a list of Threat Intelligence threat sources. Each source defines how often it is queried. You can also execute a threat source on demand to import the needed Structured Threat Information eXpression (STIX) data.

Before you begin

Threat Intelligence employs two technologies for importing threat-related information: STIX and Trusted Automated Exchange of Indicator Information (TAXII).

STIX provides a standardized, structured language for representing an extensive set of cyber threat information. It covers indicators of compromise (IoC) activity (for example, IP addresses and file hashes) as well as contextual information about threats, such as attack modes/methods, that together more completely characterize the motivations, capabilities, and activities of a cyber adversary. As such, STIX data provides valuable information on how your organization can best defend against cyber threats.

Trusted Automated Exchange of Indicator Information (TAXII) is used to facilitate automated exchange of cyber threat information. TAXII defines a set of services and message exchanges that enable sharing of actionable cyber threat information across organization and product/service boundaries for the detection, prevention, and mitigation of cyber threats. TAXII profiles can be set up as repositories for sharing STIX-formatted information. Each profile contains one or more TAXII collections or feeds.

Role required: sn_ti.admin

Procedure

  1. Navigate to Threat Intelligence > Sources > Threat Sources.

  2. Click New.

  3. Fill in the fields on the form, as appropriate.

    Field | Description
    --- | ---
    Name | The name of the threat source.
    Application | The application that contains this record.
    Active | Select this check box to activate the threat source.
    Advanced | Select this check box to display the scripts in the Integration factory script and Report processor fields.
    Description | A description of this threat source.

  4. Fill in the fields in the Schedule section, as appropriate.

    Field | Description
    --- | ---
    Run | The frequency you want the integration to run: Daily, Weekly, Periodically, and so on. The fields that follow are displayed based on the setting of this field.
    Day | The day you want the integration to run. If you selected Weekly in the Run field, this field displays the days of the week; if you selected Monthly in the Run field, it displays the days of the month.
    Time | The time you want the integration to start.
    Repeat Interval | If you selected Periodically in the Run field, this field displays the number of days and hours before the integration runs again.
    Starting | If you selected Periodically in the Run field, this field displays the date and time to be used as the starting point for periodic updates.
    Conditional | Select this check box if you want to add conditional parameters.
    Condition | If you selected the Conditional check box, enter the conditions here.

  5. Fill in the fields in the Threat Details section, as appropriate.

    Field | Description
    --- | ---
    Indicator | The indicator to use when the data does not explicitly provide one. For blocklists, if empty, a new indicator is created for each observable.
    Indicator type | The indicator type to use for indicators that are created when the data does not explicitly provide an indicator type.
    Attack Mode/Method | The attack mode/method to use when the data does not explicitly provide one.
    Observable Type | The observable type to use for observables that are created when the data does not explicitly provide an observable type.
    Weight | Enter a weight value for this source to be used in the confidence calculation.

    Note: How the Indicator, Indicator Type, Attack Mode/Method, and Observable Type fields are used is implementation-specific. The default processor, SimpleBlocklistProcessor, behaves as the field descriptions above state. A TAXII threat source, however, is fully data driven, and a custom threat source processor can apply its own strategy. These fields are simply values exposed to the integration/processor; the implementation decides how to use them.

  6. Fill in the fields in the Source Details section, as appropriate.

    Field | Description
    --- | ---
    Endpoint | Enter the web service endpoint URL where the threat source is accessed by Threat Intelligence. Click the lock icon to lock the URL.
    Use REST Message | If you require a REST message to access the threat source, select this check box. The REST message and REST method fields become mandatory.
    REST message | Click the lookup icon and select the REST message from the list, or click New to define a new REST message.
    REST method | Click the lookup icon and select the REST method from the list, or click New to define a new REST method.
    Integration script | The default integration script is SimpleRESTSecurityDataIntegration. It runs a simple REST call, saves the response as an attachment, and then returns the attachment to the processor. This script meets the needs of most organizations, but you can click the lookup icon and select a different integration script or define a new one.
    Integration factory script | If the Advanced check box is selected, this field displays the actual script for constructing the integration script. You can edit the script as needed, which is useful for custom implementations. Integrations in the base system usually do not need any custom constructor logic.
    Report processor | The default report processor is SimpleBlocklistProcessor. This script is a simple processor that accepts a simple blocklist (simple, meaning a single-column document of observables such as URLs or IP addresses) and creates observables. It uses the Threat Details fields to determine which fields to set when observables are created.
    Processor factory script | If the Advanced check box is selected, this field displays the actual script for constructing the processor. You can edit the script as needed, which is useful for custom implementations. Integrations in the base system usually do not need custom constructor logic.

  7. Click Submit.
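To make the processor behaviour described in steps 5 and 6 concrete, the following added example (not ServiceNow's SimpleBlocklistProcessor, and not its API) models what a single-column blocklist processor does with the Threat Details defaults: each line of the fetched attachment becomes an observable, the Observable Type default is applied only when the value's shape does not reveal its type, and an empty Indicator default causes one indicator to be created per observable. The `threatDetails` property names, `classify`, `processBlocklist` and the sample feed are all assumptions constructed for this example.

```javascript
// Classify a blocklist value by its shape; fall back to the source's
// default "Observable Type" when the data does not say what it is.
function classify(value, defaultType) {
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(value)) return "IP Address";
  if (/^https?:\/\//i.test(value)) return "URL";
  if (/^[0-9a-f]{32}$/i.test(value)) return "MD5 Hash";
  if (/^[0-9a-f]{64}$/i.test(value)) return "SHA256 Hash";
  return defaultType;
}

// threatDetails mirrors the Threat Details section of the form:
// { indicator, indicatorType, attackMode, observableType, weight }
// (constructed property names, not ServiceNow's API).
function processBlocklist(text, threatDetails) {
  const observables = [];
  const indicators = [];
  const seen = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const value = raw.trim();
    // Skip blank lines, comment lines and duplicates within the feed.
    if (value === "" || value.startsWith("#") || seen.has(value)) continue;
    seen.add(value);
    const obs = {
      value,
      type: classify(value, threatDetails.observableType),
      attackMode: threatDetails.attackMode,
      weight: threatDetails.weight,
    };
    if (threatDetails.indicator) {
      // A default Indicator is configured: attach every observable to it.
      obs.indicator = threatDetails.indicator;
    } else {
      // No default Indicator: a new indicator per observable, typed by the
      // Indicator type default.
      indicators.push({ name: value, type: threatDetails.indicatorType, observables: [value] });
      obs.indicator = value;
    }
    observables.push(obs);
  }
  return { observables, indicators };
}

// Constructed sample attachment content (documentation-range values, not real IoCs).
const SAMPLE_FEED = [
  "# constructed sample blocklist",
  "203.0.113.7",
  "http://example.invalid/payload",
  "0123456789abcdef0123456789abcdef",
  "",
  "203.0.113.7",
  "bad-host.example",
].join("\n");
```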

Products > Security Operations > Threat Intelligence; Versions > Istanbul