Set up Trusted Security Circles

Before using Trusted Security Circles, you must set up the application. This process includes identifying the location of the Trusted Security Circles Central instance, setting parameters for communicating with this instance, and defining sightings thresholds for observables derived from both internally- and externally-generated threat intelligence.

The setup you perform depends on whether you intend to use domain separation.

Activate the Trusted Security Circles Client

Two versions of Trusted Security Circles are available. The basic level of Trusted Security Circles is activated automatically when you activate Security Incident Response. Trusted Security Circles Client (Advanced) is available as a separate subscription. It provides the capabilities of the basic level, along with the ability to join any available trusted circle and initiate an unlimited number of threat shares per day.

Before you begin

If you are installing either version of Trusted Security Circles on an instance other than prod or subprod (for example, on a demo instance), you must manually activate the appropriate Trusted Circles plugins and register the client to the central instance.
Note: If you are using domain separation, it is important that you request the Domain Support - Domain Extensions plugin from the Service Catalog and activate it before activating Trusted Security Circles.

Role required: admin

About this task

Trusted Security Circles Client (Advanced) activates the following plugins if they are not already active. Additionally, it registers the instance running the client with the central instance. This includes creating both the instance administrator and an anonymous profile. It also adds the client instance as a member of the default public Trusted Security Circle (named ServiceNow).
Table 1. Plugins for Trusted Security Circles Client (Advanced)

| Plugin | Description |
| --- | --- |
| Trusted Security Circles Client [com.snc.intel_sharing.client] | Integrates Trusted Security Circles with Threat Intelligence. This plugin is responsible for displaying group membership within the ServiceNow platform and for keeping Trusted Security Circles membership information up-to-date. It is also responsible for sending messages to the central instance and receiving messages from this instance. |
| Threat Core [com.snc.threat] | Integrates Trusted Security Circles with Threat Intelligence and other Security Operations applications. |

To purchase a subscription, contact your ServiceNow account manager. After purchasing the subscription, activate the plugin within the production instance.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under "Some files will not be loaded because these plugins are inactive." The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

Register the Trusted Security Circles client to the central instance

After either the Basic or Advanced version of Trusted Security Circles has been activated, you must register the Trusted Security Circles client to the central instance.

Before you begin

If you have installed domain separation, you must manually register the Trusted Security Circle central instance for each of your domains.

Role required: sn_tis_admin

Procedure

  1. If it is not already activated, activate the appropriate level of Trusted Security Circles.
  2. Navigate to Trusted Security Circles > Registration.
  3. Click Register.
  4. You can verify that the registration completed successfully by navigating to Trusted Security Circles > Circles. You should see a list of available Trusted Security Circles.

Set Trusted Security Circles properties

Trusted Security Circles properties allow you to set the URL to the ServiceNow instance the application uses as the central repository for sharing threat information with other trusted security circle customers.

Before you begin

Role required: sn_tis.admin

Procedure

  1. Type sys_properties.list in the navigation filter and press Return.
  2. Set the following properties, as needed.
    | Property | Description |
    | --- | --- |
    | Automatically share the results of a sightings search to the default ServiceNow trusted circle [sn_tis.auto_share_sighting_searches] | Set to true to automatically share the results of a sighting search to the default ServiceNow trusted circle. |
    | Include observables with no local sightings when automatically sharing sighting search results [sn_tis.auto_share_zero_sightings] | Set to true to include observables with no local sightings when automatically sharing sighting search results. |
    | Respond with local sightings whenever a threat share is received from a trusted circle [sn_tis.threat_share_responses] | Set to true to respond with local sightings whenever a threat share is received from a trusted circle. |
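
A way to review what these three properties cause the instance to send out, before changing them. This is an added example, not ServiceNow code; the `{name, value}` row shape, string-typed values, the `reviewSharing` helper and the sample export are assumptions.

```javascript
'use strict';

// The three property names come from the table above; effect text paraphrases it.
const SHARING_PROPS = [
  ['sn_tis.auto_share_sighting_searches',
   'sighting search results go to the default ServiceNow trusted circle'],
  ['sn_tis.auto_share_zero_sightings',
   'observables with no local sightings are included in automatic shares'],
  ['sn_tis.threat_share_responses',
   'local sightings are sent back for every threat share received'],
];

// Assumption: the export carries values as strings; only "true" counts as enabled.
const enabled = (v) => String(v).trim().toLowerCase() === 'true';

// records: array of {name, value} rows from a sys_properties export.
function reviewSharing(records) {
  const byName = new Map(records.map((r) => [r.name, r.value]));
  const on = (n) => byName.has(n) && enabled(byName.get(n));
  return SHARING_PROPS.map(([name, effect]) => {
    if (!byName.has(name)) {
      return { name, state: 'unknown', note: 'not in export, check the instance' };
    }
    if (!on(name)) return { name, state: 'off', note: 'no automatic sharing' };
    // Assumption from the description wording: the zero-sightings option only
    // matters while automatic sharing of sighting searches is on.
    if (name === 'sn_tis.auto_share_zero_sightings' &&
        !on('sn_tis.auto_share_sighting_searches')) {
      return { name, state: 'dormant', note: 'takes effect once auto-share is enabled' };
    }
    return { name, state: 'shares', note: effect };
  });
}

// Constructed sample export (not taken from a real instance).
const sampleExport = { result: [
  { name: 'sn_tis.auto_share_sighting_searches', value: 'false' },
  { name: 'sn_tis.auto_share_zero_sightings', value: 'true' },
  { name: 'sn_tis.threat_share_responses', value: ' True ' },
] };

for (const f of reviewSharing(sampleExport.result)) {
  console.log(`${f.state.padEnd(8)} ${f.name}: ${f.note}`);
}
```

A `dormant` result is worth noting in a change review: enabling automatic sharing later would start sending zero-sighting observables as well.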

Join a Trusted Security Circle

A user with the Advanced client can join a trusted security circle by selecting a circle from a list and specifying a profile.

Before you begin

Role required: sn_tis.admin

Procedure

  1. Navigate to Trusted Security Circles > Circles.
  2. Select the circle you want to join.
  3. Click Join.
  4. In the Profile field, select the profile that belongs to the trusted circle.
  5. Click Submit.

Create a Trusted Security Circles profile

When you first register a Trusted Security Circle to the central instance, two profiles are automatically created: Instance Admin and Anonymous. Instance Admin is used for administrative interactions with central. The Anonymous profile is automatically joined to the global ServiceNow Trusted Security Circle. If needed, you can create additional profiles and give them whatever names you want.

Before you begin

Role required: sn_tis_admin

Procedure

  1. Navigate to Trusted Circles > Profiles.
  2. Click New.
  3. Fill in the fields, as needed.
    Table 2. Profiles

    | Field | Description |
    | --- | --- |
    | Name | Enter a name for the profile. |
    | Anonymous | This field determines whether the profile is associated with the instance name at central. If a profile is marked as anonymous, there is no linkage to identify the instance it came from. |
    | Automatic Sighting Searches | Indicates whether shared threat intelligence is automatically queried against your internal SIEMs for every circle for which the profile is a member. |
    | Active | Displays whether the profile is active. |
    | Instance Admin | This field identifies this profile as an Instance Admin profile, which is automatically created by the system. It is used for administrative access to the central system. This field cannot be modified. |
    | Internal | Denotes whether this profile belongs to this instance. This field is set by the system and cannot be modified. |
  4. Click Submit.

Configure the sightings threshold

Sightings thresholds are used to determine whether a set of observables from a threat intelligence source merits being shared with a Trusted Security Circle. Only sightings whose counts exceed the specified threshold value are used to create automatic security incidents for the indicated circle.

Before you begin

Role required: sn_tis.admin

Procedure

  1. Navigate to Trusted Security Circles > Sightings Thresholds.
    The Sightings Thresholds list opens.
  2. Click New.
    The Sightings Threshold screen opens.
  3. Fill in the fields as appropriate.
    | Field | Description |
    | --- | --- |
    | Sightings Search Source | Select the threat intelligence source to be analyzed. |
    | Circle | Select the Trusted Security Circles with which you want to share the threat sightings. |
    | Threshold | Enter the maximum number of sightings of a suspicious observable that are tolerated in your environment. Only observables with a sighting count greater than this value are used to create automatic security incidents for the specified circle. |
  4. Click Submit.