
Set up Threat Intelligence

Before Threat Intelligence can be used, activate the plugin and then configure how you want the application to function.

Activate Threat Intelligence (pre-London Patch 6)

For versions prior to London Patch 6: The Threat Intelligence plugin is available as a separate subscription. Unless the Security Incident Response plugin is activated, some workflow and threat functionality is not available. You can activate Security Incident Response before or after Threat Intelligence activation.

Before you begin

Role required: admin

About this task

Threat Intelligence activates this related plugin if it is not already active.
Table 1. Plugins for Threat Intelligence
Plugin Description
Security Support Orchestration

[com.snc.secops.orchestration]

Integrates Security Operations with Orchestration and enables workflow activities within Security Incident Response, Threat Intelligence, or Vulnerability Response.

To purchase a subscription, contact your ServiceNow account manager. After purchasing the subscription, activate the plugin within the production instance.

Procedure

  1. Navigate to System Definition > Plugins.
  2. Find and click the plugin name.
  3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link.

    If the plugin depends on other plugins, these plugins are listed along with their activation status.

    If the plugin has optional features that depend on other plugins, those plugins are listed under Some files will not be loaded because these plugins are inactive. The optional features are not installed until the listed plugins are installed (before or after the installation of the current plugin).

  4. (Optional) If available, select the Load demo data check box.

    Some plugins include demo data: sample records designed to illustrate plugin features for common use cases. Loading demo data is a good practice when you first activate the plugin on a development or test instance; it is not intended for a production instance.

    You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.

  5. Click Activate.

Components installed with Threat Intelligence

Several types of components are installed with activation of the Threat Intelligence plugin, including tables and user roles.

Note: To view all other components installed with this plugin, see the Application Files table. For instructions, see Find components installed with an application.

Demo data is available for this feature.

Roles installed

Role title [name] Description Contains roles
Threat Administrator

[sn_ti.admin]

Has full control over all threat properties, SLAs, and notifications.
  • sn_ti.write
Threat Reader

[sn_ti.read]

Has read access to threat information.
  • sn_sec_cmn.int_read
Threat Writer

[sn_ti.write]

Has write access to threat information.

Cannot delete attack modes, indicators, or observables. Only a Threat Administrator can delete them.

  • sn_sec_cmn.int_write
  • sn_ti.read

Tables installed

Table Description
Attack mechanism

[sn_ti_attack_mechanism]

Organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system.
Attack mode/method

[sn_ti_attack_mode]

Attack modes and methods are representations of the behavior of cyber adversaries. They characterize what an adversary does and how they do it in increasing levels of detail.
Discovery method

[sn_ti_discovery_method]

An expression of how an incident was discovered.
Feed

[sn_ti_feed]

Used for configuring the Threat Feed (RSS) in the Threat Overview.
Indicator Attack mode/method

[sn_ti_m2m_indicator_attack_mode]

Used to map attack modes/methods to indicators.
Indicator of Compromise

[sn_ti_indicator]

Used to convey specific observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context.
Indicator of Compromise Metadata

[sn_ti_indicator_metadata]

Used to populate TAXII records.
Indicator Source

[sn_ti_m2m_indicator_source]

Used to collect all the sources reporting the specific indicator.
Indicator Type

[sn_ti_indicator_type]

Characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it is acted on, and so on.
Associated Indicator Type

[sn_ti_m2m_indicator_indicator_type]

Links indicators with their applicable types.
Incident count

[sn_ti_observable]

Number of security incidents associated with an observable.
Intended effect

[sn_ti_intended_effect]

Used for expressing the intended effect of a threat actor.
IP Scan Result

[sn_ti_ip_result]

Used to show the results of an IP lookup.
Malware Rate limit

[sn_ti_rate_limit]

Defines a rate limit to be used on a lookup source.
Malware Scan

[sn_ti_scan]

A lookup. Contains what to look up, with what lookup source, and a summary of the lookup results.
Malware Scan Queue Entry

[sn_ti_scan_q_entry]

A lookup record queued for lookup or processing. Facilitates the requests within stated rate limits.
Malware Scan Result

[sn_ti_scan_result]

Displays the result of a lookup.
Malware Scanner

[sn_ti_scanner]

Defines third-party lookup sources to use in performing lookups.
Malware Scanner Rate Limit

[sn_ti_scanner_rate_limit]

Associates a lookup source with a rate limit.
Malware Type

[sn_ti_malware_type]

Used for expressing the types of malware instances.
Observable

[sn_ti_observable]

Observables in STIX represent stateful properties or measurable events pertinent to the operation of computers and networks.
Observable Context Type

[sn_ti_observable_context_type]

Stores the context (source, destination of an IP address, and so forth) for an observable.
Observable Indicator

[sn_ti_m2m_observable_indicator]

Used to relate observables to indicators.
Observable Source

[sn_ti_observable_source]

Used to relate observables to threat sources.
Observable Type

[sn_ti_observable_type]

Lists the various types of observables, such as IP addresses.
Observable Type Category

[sn_ti_observable_type_category]

Stores the first categorization of observables (for example, IP addresses and URLs). It is used for more accurately determining observable types.
Related attack mode/method

[sn_ti_m2m_attack_mode_attack_mode]

Used to relate attack modes to each other.
Related Observables

[sn_ti_m2m_observables]

Used to relate observables to each other.
Scan type

[sn_ti_scan_type]

The definition of a lookup type, with initial records for File, URL, and IP.
Security Case

[sn_ti_case]

Stores security case records created using Case Management.
Security Case IoC

[sn_ti_case_ioc]

Used to manage the relationship between observables and cases.
Security Case Related Task

[sn_ti_m2m_case_task]

Used to manage the relationship between tasks (security incidents, change requests, and so forth) with security cases.
Security Case Relationship Exclusion

[sn_ti_case_relationship_exclusion]

Provides the definition of inclusion and exclusion of related records in security cases.
Sighting

[sn_ti_sighting]

The m2m link between the observable and the Sightings Search detail result used in the execution of a Sighting Search request.
Sighting Configuration Items

[sn_ti_m2m_sighting_ci]

Maps configuration items to a Sightings Search.
Sighting Search Detail

[sn_ti_sighting_search_detail]

Details of a Sighting Search, for example the number of internal and external items found.
Sighting Search Result

[sn_ti_sighting_search]

The header for a Sightings Search execution.
Supported Observable Types

[sn_ti_m2m_ind_type_obs_type]

Relates indicator types to valid observable types.
Supported Scan Type

[sn_ti_supported_scan_type]

Maps the lookup type to a lookup source/vendor-specific implementation. Indicates that a specific lookup source supports the type.
Task Attack mode/method

[sn_ti_m2m_task_attack_mode]

Relates attack modes to tasks.
Task Indicator

[sn_ti_m2m_task_indicator]

Relates indicators to tasks.
Task Observable

[sn_ti_m2m_task_observable]

Relates observables to tasks.
Task Sighting

[sn_ti_m2m_task_sighting]

Stores task records (security incidents and cases) related to a sighting record.
TAXII Collection

[sn_ti_taxii_collection]

Defines a cyber-risk intelligence feed that can be imported by a TAXII server.
TAXII Profile

[sn_ti_taxii_profile]

Defines a repository for sharing cyber-risk intelligence. Contains TAXII collections.
Threat Actor type

[sn_ti_threat_actor_type]

Provides characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior.
Threat Intelligence Source

[sn_ti_source]

Defines a source for importing threat data.

Set Threat Intelligence properties

Threat Intelligence properties allow you to control how different aspects of the system function, including the setting of API keys.

Before you begin

Role required: sn_ti.admin

Procedure

  1. Navigate to Threat Intelligence > Administration > Properties.
  2. Set the following properties, as needed.
    Table 2. Properties for Threat Intelligence
    Property Description
    The domain name to retrieve additional information for IP addresses/URLs

    sn_ti.ip_lookup.web_site

    The domain name to use for retrieving additional information into your IoC database. This property is used by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
    • Type: String
    • Default value: http://api.ipinfodb.com/v3/ip-country/
    • Location: Threat Intelligence > Administration > Properties
    Note: The ipinfodb.com third-party API is available at no extra charge and is used in many commercial software programs. If you replace it with a different domain name, you must also provide that service's API key in the next property. The default URL uses plain HTTP, so the IP address being looked up (and the API key, if one is configured) is sent unencrypted; use an HTTPS endpoint if the lookup service offers one.
    The API key to be used for the domain, if any

    sn_ti.ip_lookup.api_key

    The API key to use for retrieving additional information into your IoC database. This property is used (along with the sn_ti.ip_lookup.web_site property) by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
    • Type: String
    • Default value: none
    • Location: Threat Intelligence > Administration > Properties
    For file lookups from lookup requests, look up only their hash values.

    sn_ti.scan.use_file_hash

    For threat file scans, delete an attachment if malware was detected.

    sn_ti.scan.delete_attachment_on_detection

    For threat hash scans, delete an attachment after it has been hashed.

    sn_ti.scan.delete_attachment_after_hash

    Lookup local IoC tables before sending to remote scanner

    sn_ti.scan_ioc_before_sending

    If set to True, the Observable [sn_ti_observable] table is checked for a value matching the lookup request. If a match is found (that is, the same IP address, URL, or file hash value already exists), the lookup result is populated from the information in the Observable [sn_ti_observable] table and no request is sent to the remote lookup source. This setting prevents unneeded lookups. In the lookup request, the State field is set to Complete, the Result field is set to Failed, and the Internally populated field is set to True.

    If a matching value or attachment is not found in the Observable [sn_ti_observable] table, the lookup proceeds normally.

    • Type: Yes | No
    • Default value: Yes
    • Location: Threat Intelligence > Administration > Properties
    Number of days local Observables are considered

    sn_ti.scan_ioc_num_days

    If the Lookup local IoC tables before sending to remote scanner property is set to True, only observables updated within the number of days specified in this property are compared with the value in the lookup. An older local observable does not suppress the lookup.

    If a match is found within the specified number of days, or if an attachment in the lookup exists in an IoC observable, the lookup is not performed. The State field is set to Complete, and the Result field is set to Failed.

    If a matching value or attachment is not found in the Observable [sn_ti_observable] table, the lookup proceeds normally.

    • Type: integer
    • Default value: 30
    • Location: Threat Intelligence > Administration > Properties
    When an attack mode/method has not been received from any source for the specified number of days, mark it as inactive

    sn_ti.attack_mode_inactivate_days

    Number of days from when an attack mode/method was last received for the record to be marked inactive.

    • Type: integer
    • Default value: 360
    • Location: Threat Intelligence > Administration > Properties
    Note: The Active check box is not visible on the Attack mode/method form by default. However, you can add it. When attack modes/methods are inactive, they cannot be selected on other forms.
    When an indicator has not been received from any source for the specified number of days, mark it as inactive

    sn_ti.indicator_inactivate_days

    Number of days from when an indicator was last received for the record to be marked inactive.

    • Type: integer
    • Default value: 180
    • Location: Threat Intelligence > Administration > Properties
    Note: The Active check box is not visible on the Indicator form by default. However, you can add it. When indicators are inactive, they cannot be selected on other forms.
  3. Click Save.
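The following is an added example, not ServiceNow code, that models the behaviour the properties above describe: the local IoC short-circuit controlled by sn_ti.scan_ioc_before_sending and sn_ti.scan_ioc_num_days, and the aging rule behind sn_ti.indicator_inactivate_days and sn_ti.attack_mode_inactivate_days. It is plain Node.js JavaScript; the in-memory table, the record field names, the fixed clock and the sample rows are assumptions (a real instance reads sn_ti_observable through GlideRecord under the Rhino engine).

```javascript
// Added example, not ServiceNow code: models the lookup short-circuit that the
// sn_ti.scan_ioc_before_sending and sn_ti.scan_ioc_num_days properties control,
// and the aging rule behind sn_ti.indicator_inactivate_days and
// sn_ti.attack_mode_inactivate_days. The in-memory "table", record field names
// and the fixed clock are assumptions for illustration.

var MS_PER_DAY = 24 * 60 * 60 * 1000;

// Property values as read from Threat Intelligence > Administration > Properties.
var PROPS = {
  "sn_ti.scan_ioc_before_sending": true,
  "sn_ti.scan_ioc_num_days": 30,
  "sn_ti.indicator_inactivate_days": 180,
  "sn_ti.attack_mode_inactivate_days": 360
};

// Fixed "now" so the example is deterministic (assumption).
var NOW = Date.parse("2019-06-01T00:00:00Z");

// Constructed rows standing in for the Observable [sn_ti_observable] table.
var OBSERVABLES = [
  { value: "203.0.113.7", type: "IPv4 address", sys_updated_on: "2019-05-20T00:00:00Z" },
  { value: "198.51.100.9", type: "IPv4 address", sys_updated_on: "2019-01-01T00:00:00Z" },
  { value: "44d88612fea8a8f36de82e1278abb02f", type: "MD5", sys_updated_on: "2019-05-31T00:00:00Z" }
];

function daysSince(isoTimestamp, nowMs) {
  return (nowMs - Date.parse(isoTimestamp)) / MS_PER_DAY;
}

// Hashes and hostnames arrive in mixed case; compare them case-insensitively
// so a cached lowercase hash still suppresses a lookup for the same file.
function normalize(value) {
  return String(value).trim().toLowerCase();
}

// Decide whether a lookup request is answered from the local IoC table.
// On a local match within the window, returns the fields the page says are
// set on the lookup record (State = Complete, Result = Failed,
// Internally populated = True); otherwise the lookup proceeds normally.
function resolveLookup(request, table, props, nowMs) {
  var sendToScanner = { state: "Pending", internally_populated: false, send_to_scanner: true };
  if (!props["sn_ti.scan_ioc_before_sending"]) {
    return sendToScanner;
  }
  var windowDays = Number(props["sn_ti.scan_ioc_num_days"]);
  var wanted = normalize(request.value);
  var hit = table.find(function (row) {
    return normalize(row.value) === wanted && daysSince(row.sys_updated_on, nowMs) <= windowDays;
  });
  if (!hit) {
    return sendToScanner;            // nothing recent locally: call the remote source
  }
  return {
    state: "Complete",
    result: "Failed",
    internally_populated: true,
    send_to_scanner: false,
    matched: hit
  };
}

// Aging: a record not received from any source for longer than the property
// value is marked inactive, so it can no longer be selected on other forms.
function applyInactivation(records, lastReceivedField, maxDays, nowMs) {
  return records.map(function (r) {
    var copy = Object.assign({}, r);
    copy.active = daysSince(r[lastReceivedField], nowMs) <= maxDays;
    return copy;
  });
}

// Stand-alone demonstration.
var demo = resolveLookup({ value: "203.0.113.7" }, OBSERVABLES, PROPS, NOW);
console.log("203.0.113.7 ->", demo.state, "send_to_scanner=" + demo.send_to_scanner);
```

Two points worth noting from the code: the window is measured against the observable's last update, so a stale local record (here 198.51.100.9, 151 days old against a 30-day window) still triggers a remote lookup, and the value comparison is case-insensitive so a hash pasted in upper case is still matched locally.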

Define a threat source

You can maintain a list of Threat Intelligence threat sources. For each source you define how often it is queried. You can also execute a threat source on demand to import the needed Structured Threat Information eXpression (STIX) data.

Before you begin

Threat Intelligence employs two technologies for importing threat-related information: STIX and Trusted Automated Exchange of Indicator Information (TAXII).

STIX provides a standardized, structured language for representing an extensive set of cyber threat information that includes indicators of compromise (IoC) activity (for example, IP addresses and file hashes), as well as contextual information regarding threats, such as attack modes/methods, that together more completely characterize the motivations, capabilities, and activities of a cyber adversary. As such, STIX data provides valuable information on how your organization can best defend against cyber threats.

Trusted Automated Exchange of Indicator Information (TAXII) is used to facilitate automated exchange of cyber threat information. TAXII defines a set of services and message exchanges that enable sharing of actionable cyber threat information across organization and product/service boundaries for the detection, prevention, and mitigation of cyber threats. TAXII profiles can be set up as repositories for sharing STIX-formatted information. Each profile contains one or more TAXII collections or feeds.

Role required: sn_ti.admin

Procedure

  1. Navigate to Threat Intelligence > Sources > Threat Sources.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Field Description
    Name The name of the threat source.
    Application The application that contains this record.
    Active Select this check box to activate the threat source.
    Advanced Select this check box to display the scripts in the Integration factory script and Report processor fields.
    Description A description of this threat source.
  4. Fill in the fields in the Schedule section, as appropriate.
    Field Description
    Run The frequency at which you want the integration to run: Daily, Weekly, Periodically, and so on. The fields that follow are displayed depending on the value of this field.
    Day The day you want the integration to run.
    • If you selected Weekly in the Run field, this field displays the days of the week.
    • If you selected Monthly in the Run field, this field displays the days of the month.
    Time The time you want the integration to start.
    Repeat Interval If you selected Periodically in the Run field, this field displays the number of days and hours before the integration runs again.
    Starting If you selected Periodically in the Run field, this field displays the dates and time to be used as the starting point for periodic updates.
    Conditional Select this field if you want to add conditional parameters.
    Condition If you selected the Conditional check box, enter the conditions here.
  5. Fill in the fields in the Threat Details section, as appropriate.
    Field Description
    Indicator The indicator to use when the data does not explicitly provide one. For blocklists, if empty, a new indicator is created for each observable.
    Indicator type The indicator type to use for indicators that are created and the data does not explicitly provide an indicator type.
    Attack Mode/Method The attack mode/method to use when the data does not explicitly provide one.
    Observable Type The observable type to use for observables that are created when the data does not explicitly provide an observable type.
    Weight Enter a weight value for this source to be used in the confidence calculation.
    Note: The usage of the Indicator, Indicator Type, Attack Mode/Method, and Observable Type fields is implementation-specific. The default processor, SimpleBlocklistProcessor, behaves as the hints describe. However, a TAXII threat source is fully data driven. Any custom threat source processor would be able to use its own strategy. These fields are basically items to expose to the integration/processor and the implementation decides how to use them.
  6. Fill in the fields in the Source Details section, as appropriate.
    Field Description
    Endpoint Enter the web service endpoint URL where the threat source is accessed by Threat Intelligence. Click the lock icon to lock the URL.
    Use REST Message If you require a REST message to access the threat source, select this check box. The REST message and REST method fields become mandatory.
    REST message Click the lookup icon, and select the REST message from the list or click New to define a new REST message.
    REST method Click the lookup icon, and select the REST method from the list or click New to define a new REST method.
    Integration script The default integration script is SimpleRESTSecurityDataIntegration. It runs a simple REST call, saves the response as an attachment, and then returns the attachment to the processor. This script meets the needs of most organizations. If it does not, click the lookup icon and select a different integration script, or define a new one.
    Integration factory script If the Advanced check box is selected, this field displays the actual script for constructing the integration script. You can edit the script as needed. This ability is useful for custom implementations. Integrations in the base system usually do not need any custom constructor logic.
    Report processor The default report processor is SimpleBlocklistProcessor. This script is a simple processor that accepts a simple blocklist (simple, meaning a single-column document with observables such as URLs or IP addresses) and creates observables. It uses the various Threat Details fields to determine which fields to set when observables are created.
    Processor factory script If the Advanced check box is selected, this field displays the actual script for constructing the processor. You can edit the script as needed. This script is generally useful for custom implementations. The integrations in the base system usually do not need custom constructor logic.
  7. Click Submit.
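The following is an added example, not ServiceNow's SimpleBlocklistProcessor, written in plain Node.js JavaScript to show what a report processor for a single-column blocklist has to do with the Threat Details defaults from the form above: skip comments and blanks, reject rows that are not a single column, classify each value by category and then type (the two-level split the Observable Type Category and Observable Type tables describe), fall back to the configured Observable Type when a value is unrecognised, and either link every observable to the configured Indicator or create one indicator per observable when that field is empty. The classification rules, the record shapes and the feed text are assumptions for illustration.

```javascript
// Added example, not ServiceNow's SimpleBlocklistProcessor: a processor in the
// same spirit that takes a single-column blocklist (as the integration script
// would hand it over) and produces observable and indicator records using the
// Threat Details defaults from the threat source form. Classification rules,
// record shapes and the feed text are assumptions for illustration.

// Constructed feed body: one observable per line, comments and blanks allowed.
var SAMPLE_FEED = [
  "# example blocklist, one observable per line",
  "203.0.113.7",
  "http://malware.example.com/payload.bin",
  "44D88612FEA8A8F36DE82E1278ABB02F",
  "",
  "d41d8cd98f00b204e9800998ecf8427e d41d8cd98f00b204e9800998ecf8427e",
  "notanobservable"
].join("\n");

// Threat Details section of a threat source (constructed values).
var SOURCE = {
  name: "Example blocklist",
  weight: 3,                        // feeds the confidence calculation
  indicator: null,                  // empty: one new indicator per observable
  indicator_type: "Malicious URL",  // type for indicators this processor creates
  observable_type: null             // fallback type when a value is unrecognised
};

// Two-level classification: category first, then the specific type.
var CLASSIFIERS = [
  { category: "IP address", type: "IPv4 address",
    test: function (v) {
      return /^(?:\d{1,3}\.){3}\d{1,3}$/.test(v) &&
        v.split(".").every(function (o) { return Number(o) <= 255; });
    } },
  { category: "URL", type: "URL", test: function (v) { return /^https?:\/\/\S+$/i.test(v); } },
  { category: "File hash", type: "MD5", test: function (v) { return /^[0-9a-f]{32}$/i.test(v); } },
  { category: "File hash", type: "SHA-1", test: function (v) { return /^[0-9a-f]{40}$/i.test(v); } },
  { category: "File hash", type: "SHA-256", test: function (v) { return /^[0-9a-f]{64}$/i.test(v); } }
];

function classify(value) {
  for (var i = 0; i < CLASSIFIERS.length; i++) {
    if (CLASSIFIERS[i].test(value)) {
      return { category: CLASSIFIERS[i].category, type: CLASSIFIERS[i].type };
    }
  }
  return null;
}

function processBlocklist(body, src) {
  var seen = {};          // keyed by normalised value so a repeated line is one record
  var observables = [];
  var indicators = [];
  var links = [];         // observable -> indicator relationships
  var rejected = [];
  body.split(/\r?\n/).forEach(function (raw, i) {
    var line = raw.trim();
    if (line === "" || line.charAt(0) === "#") return;
    if (/\s/.test(line)) {            // more than one column: not a simple blocklist
      rejected.push({ line: i + 1, reason: "more than one column" });
      return;
    }
    var cls = classify(line);
    var type = cls ? cls.type : src.observable_type;
    if (!type) {
      rejected.push({ line: i + 1, reason: "unrecognised value and no default Observable Type" });
      return;
    }
    // Hashes are stored lowercase so the same file never gets two observables.
    var value = cls && cls.category === "File hash" ? line.toLowerCase() : line;
    if (seen[value]) return;
    seen[value] = true;
    observables.push({ value: value, type: type, source: { name: src.name, weight: src.weight } });
    var indicatorName = src.indicator || (src.name + ": " + value);
    if (!src.indicator) {
      indicators.push({ name: indicatorName, type: src.indicator_type });
    }
    links.push({ indicator: indicatorName, observable: value });
  });
  return { observables: observables, indicators: indicators, links: links, rejected: rejected };
}

var result = processBlocklist(SAMPLE_FEED, SOURCE);
console.log(result.observables.length + " observables, " + result.rejected.length + " rejected");
```

With the defaults above, the feed yields three observables (an IPv4 address, a URL and a lowercased MD5) and three indicators, and rejects the two-column line and the unrecognised value. Setting Observable Type to a fallback makes the unrecognised value an observable of that type, and setting Indicator makes all observables link to it with no new indicators created, which is the behaviour the Threat Details hints describe for the default processor.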