    Product documentation (Orlando release): Security Incident Management > Security Operations > Security Operations Integration Reference

    Integrations Capabilities framework 2.0

    The new Integration Capabilities Framework 2.0 has been redesigned to enable implementation of integrations in a simple and consistent manner. This ensures a consistent experience for similar types of integrations (for example: observable reputation lookup). The new framework has capabilities implemented using Flows.

    Benefits from the enhanced framework implementation include:

    • The capability flows include only business-level components, without any implementation-specific logic.
    • The capability flows now accept a broad array of inputs and formats for maximum flexibility (for example, observable references, CI references, tasks, or any table and sys_id combination).
    • Rate limiting or throttling of integration executions is now easy to configure (removing the need to do this with custom code or changes to implementation workflows).
    • Enhanced auditing and execution tracking capabilities now enable better reporting and easier troubleshooting.
    • Robust error handling functions are built into the capability flows to avoid duplicating implementation routines.
    • Capabilities or integrations can be triggered conditionally, which makes it possible to launch automations automatically based on the incident category.
    • A default filter condition has been introduced on all capabilities to filter out allow-listed observables before inputs are provided to the integrations.
    Note: This new capability framework does not upgrade the current capability framework. Both frameworks can work in parallel. For instructions on how to leverage the new capability framework, see Using the new Capability Framework with an installed integration and Using the new Capability Framework with a Flow.

    Supported integrations and components

    The Security Incident Response plugin includes all the capability flows listed in the integrations framework and standard high-level filters that you can enable or disable depending on your requirement.

    Note: If you want to use the new Capability Integration Framework with the New York release, you must install the ServiceNow IntegrationHub Starter Pack Installer plugin. Contact Customer Support for assistance with the installation.

    Supported application versions

    Starting with Security Incident Response 10.0, the following integrations are supported:
    Application | Minimum version required
    Security Operations Hybrid Analysis Integration | 10.0.0
    Security Operations PhishTank Integration | 10.0.0
    Security Operations ThreatCrowd Integration | 10.0.0
    Security Operations CrowdStrike Intelligence Integration | 10.0.0
    Security Operations 'Have I been pwned?' Integration | 10.0.0
    Security Operations Metadefender Integration | 10.0.0
    Security Operations Recorded Future Integration | 10.0.0
    Security Operations VirusTotal Integration | 10.0.0
    Security Operations Reverse WhoIs Integration | 10.0.0

    Starting with Security Incident Response 10.4, the following integrations are supported:
    Application | Minimum version required
    Security Operations RiskIQ Integration | 10.0.0
    Security Operations Shodan Integration | 10.0.0
    Security Operations WhoIs Integration | 10.0.0
    Security Operations Carbon Black Integration | 10.3.1
    Security Operations Splunk Search Integration | 10.3.0
    Security Operations ArcSight Logger Integration | 10.3.0
    Security Operations McAfee ESM Integration | 10.3.0
    Security Operations Elasticsearch Integration | 10.3.0
    Security Operations IBM QRadar Integration | 10.3.1
    Security Operations CrowdStrike Falcon Host | 10.3.0

    Components included

    The new Capability Integration Framework includes the following components:

    • Capabilities: All of the following capabilities that exist in the product today as workflows have been redesigned using Flows:
      • Block Request: Provides a way to block observables associated with a security incident on a firewall, web proxy, or some other control point. This capability is used during incident response investigations to contain an identified threat.
      • Email Search and Delete: Provides a way to search an email server during a security investigation and if necessary, delete emails from the server.
      • Enrich Configuration Item: Provides a general way to enrich configuration items with additional information from a variety of sources. This capability is used during incident response investigations to enrich data associated with a security incident.
      • Enrich Observable: Provides a general way to enrich observables with additional information from a variety of sources. This capability is used during incident response investigations to contain an identified threat.
      • Event Ingestion: Provides a general way to create a security incident by mapping events from an integration source to a security incident.
      • Get Network Statistics: Retrieves a list of active network connections from an endpoint or host. This capability is used for incident enrichment during investigations.
      • Get Running Processes: Retrieves a list of running processes from an endpoint or host. This capability is used for incident enrichment during investigations.
      • Isolate Host: Provides a way to isolate an endpoint or a host associated with a security incident. Isolate host is executed against a configuration item (CI).
      • Publish to Watchlist: Provides a way to add observables associated with a security incident to a watchlist that monitors for security events and generates alerts. This capability is used as part of incident response during investigations.
      • Sightings Search: Searches various SIEMs or other log stores for instances of observables. This capability is used to determine the presence of malicious IoCs in your environment.
      • Threat Lookup: Performs threat intelligence lookups to determine whether a certain observable is associated with a known security threat. This capability is used as part of incident response during investigations.
    • New tables:
      • sn_sec_cmn_capability: Capability and flow that implements the capability.
      • sn_sec_cmn_capability_implementation: The actual implementation flow that provides the services of the capability.
      • sn_sec_cmn_capability_execution: The execution record for a capability at runtime.
      • sn_sec_cmn_capability_implementation_execution: The execution record for a capability implementation at runtime.
      • sn_sec_cmn_filter_condition: The filter conditions that can be applied at runtime to the capability or a capability implementation.
    • Script include: CapabilityProcessor: Handles all the processing code for the framework.
    • Rate limit: Capability Max Concurrent Req Per Period: Defines how many integrations can be executed in parallel.
    • Scheduled job, Process Capability Implementation: Runs every 15 seconds and can be disabled on the Security Administration Properties page (Security Incident > Administration > Properties).
      • Enables or Disables the scheduled job, Process Capability Implementations: This job automatically schedules and manages capability implementation execution flows.
      • Enables or Disables Automated Lookups or Enrichments: Setting that activates or deactivates the scheduled job that performs automated threat lookup or enrichment of observables when observables are added to security incidents in the current capability framework.
      • Enables or Disables the scheduled job, Lookup Security Incident Observables: This job automatically schedules a Threat Lookup or Enrich Observables job when observables are added to a security incident.

    Configurations in the new Capability Framework

    This section describes the configurations available in the new framework.

    1. Navigate to Security Operations > Integrations > Capabilities.
      Note: Version 10.4: Starting with Security Incident Response 10.4, the menu name Capabilities has been changed to Integration Capabilities (Flows).
    2. The capabilities available with the base system are displayed.

      Capability flows: out-of-the-box
      Note: These are the capabilities provided with the base system. You can use the capabilities as provided, or you can customize them as required. The following steps describe how to configure a capability and the integrations implemented for the capability.

    3. Click the link in the Name column to configure a capability. The Capability Implementations page is displayed.

      Capability flows: Configure capability
    4. The Name, Application, Description, and the Flow that the capability implements are displayed. Select the Active check box to activate the capability.
      • Filter conditions at the capability level: When an integration capability implements a flow, the filter conditions associated with the flow are executed before the capability flow is launched. For example, the Threat Lookup capability includes the Filter Whitelisted Observables condition shown above. Click the Name link to edit the filter condition.
        Note: Select the Add worknote to task check box to add work notes containing information on the filter conditions used.

        Capability flows: configure capability: edit filter condition

        You can define filter conditions, a script, or a combination of both. In the example above, a script is used to define the filter conditions. When the capability flow is executed, the script searches the input table for whitelisted observables and removes them, so they are never sent to the integrations.

        Note: The filter conditions set here are applicable to all active integrations defined in the Capability Implementations tab.
      • Capability implementations: Click the Capability Implementations tab. The implementations (integrations) that have been configured for the capability are displayed. The example below shows the integrations configured for the Threat Lookup capability:
        Capability flows: Threat Lookup: Capability implementations
    5. Click the Name link to view the Capability Implementation. The Name, Application, Description, and the Flow that the capability implements are displayed. Select the Active check box to activate the capability.
      Capability flows: Threat Lookup: VirusTotal

      You can specify the following details:

      Field Name | Description
      Active | Select this check box to enable or disable this integration.
        Note: If you configure this integration using the integration tile on the Security Operations > Integrations > Integrations Configurations page, this flag is automatically set to Active.
      Order | Indicates the order in which the integrations are executed.
      Capability | The capability implemented by this integration.
      Flow | The subflow that implements the capability.
      Configuration | The integration configuration for this capability.
        Note: This is initially set to the default configuration provided with the base system. When an integration is configured using the integration tile on the Integration Configurations page, this value is automatically reset to the newly created configuration.
      Rate Limit | Indicates the number of integrations that can be executed at run time (in parallel or per unit of time).
      Batch Inputs Size | The batch input size for each execution. For example, for a Sighting Search integration you may want to group the observables into batches of 50 so that the generated queries do not become too large. 0 indicates no limit.
      Timeout Period | The maximum duration before the capability implementation flow is cancelled. 0 indicates no timeout period.
      Total Requests | The total number of implementation execution requests. Together with the Total Reqs Period field, this can be used to limit the number of requests to the service. For example, you can limit the number to 4 requests per minute.
      Total Reqs Period | The total number of execution requests allowed per period.
      Retry Limit | The number of retries allowed for a failed execution request. This limit applies if the Retry flag is set in your integration to retry an execution request when a condition is met. For example, a retry request is made when you have exceeded your license limit for that service for a time period, or when the service is down.
      Retry After | The period after which an attempt is made to retry a failed execution request.
      Max Concurrent Reqs | The maximum number of concurrent implementation execution requests. 0 indicates no limit.
      Sighting Search Configurations | The default sighting search queries that can be executed.

      Click the Name link in the Filter Conditions section to configure the conditions defined for the implementation. Add or delete filter conditions, modify the script if required, and update the record.
      Capability flows: Threat Lookup: VirusTotal: filter condition
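      As an added example that is not part of this documentation or of the ServiceNow product, the plain-JavaScript model below shows the two mechanisms described above: the capability-level filter that drops allow-listed observables before they reach any integration, and the per-implementation limits on the form (Total Requests per Total Reqs Period, Max Concurrent Reqs, Batch Inputs Size, Retry Limit and Retry After). The allow list, the implementation record and the observables are constructed; the real framework keeps them in the sn_sec_cmn_* tables and the function names here are assumptions, not the CapabilityProcessor API.

```javascript
// Constructed allow list (stand-in for a filter-condition script's data); entries are
// typed so that a domain entry cannot accidentally match an IP or hash observable.
const ALLOW_LIST = [
  { type: "domain", value: "example.com" },                       // host and subdomains
  { type: "ip", value: "10.0.0.0/8" },                            // internal CIDR range
  { type: "hash", value: "d41d8cd98f00b204e9800998ecf8427e" },   // MD5 of the empty file
];

// Constructed observables as they might arrive from a security incident.
const SAMPLE_OBSERVABLES = [
  { type: "domain", value: "Mail.Example.com" },
  { type: "ip", value: "10.20.30.40" },
  { type: "ip", value: "8.8.8.8" },
  { type: "domain", value: "badexample.com" },      // not a subdomain of example.com
  { type: "hash", value: "D41D8CD98F00B204E9800998ECF8427E" },
];

function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((s) => /^\d{1,3}$/.test(s) && Number(s) <= 255)) return null;
  return parts.reduce((acc, s) => acc * 256 + Number(s), 0);
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipToInt(ip), b = ipToInt(base);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

function isAllowListed(obs, allowList) {
  const v = obs.value.trim().toLowerCase();
  return allowList.some((e) => {
    if (e.type !== obs.type) return false;
    if (e.type === "domain") return v === e.value || v.endsWith("." + e.value);
    if (e.type === "ip") return e.value.includes("/") ? inCidr(v, e.value) : v === e.value;
    return v === e.value.toLowerCase();
  });
}

// Capability-level filter: allow-listed observables are removed before any implementation runs.
function filterAllowListed(observables, allowList = ALLOW_LIST) {
  const kept = [], dropped = [];
  for (const o of observables) (isAllowListed(o, allowList) ? dropped : kept).push(o);
  return { kept, dropped };
}

// Constructed implementation record mirroring the form fields (values are illustrative).
const VT_IMPL = { name: "VirusTotal", totalRequests: 4, totalReqsPeriod: 60,
                  maxConcurrentReqs: 2, batchInputsSize: 50, retryLimit: 3, retryAfter: 120 };

// Batch Inputs Size: split inputs into batches; 0 means a single unlimited batch.
function makeBatches(inputs, batchSize) {
  if (batchSize <= 0) return inputs.length ? [inputs.slice()] : [];
  const out = [];
  for (let i = 0; i < inputs.length; i += batchSize) out.push(inputs.slice(i, i + batchSize));
  return out;
}

function newState() { return { startTimes: [], inFlight: 0 }; }

// May one more execution start at time `now` (seconds)? Enforces Max Concurrent Reqs and
// the sliding window of Total Requests per Total Reqs Period; 0 disables either limit.
function canStart(impl, state, now) {
  state.startTimes = state.startTimes.filter((t) => now - t < impl.totalReqsPeriod);
  if (impl.maxConcurrentReqs > 0 && state.inFlight >= impl.maxConcurrentReqs) return false;
  if (impl.totalRequests > 0 && state.startTimes.length >= impl.totalRequests) return false;
  return true;
}

function start(impl, state, now) {
  if (!canStart(impl, state, now)) return false;
  state.startTimes.push(now);
  state.inFlight += 1;
  return true;
}

function finish(state) { state.inFlight = Math.max(0, state.inFlight - 1); }

// Retry Limit / Retry After: a failed execution (service down, quota exceeded) is re-queued
// at most retryLimit times, never sooner than retryAfter seconds after the failure.
function nextRetry(impl, exec, failedAt) {
  if (exec.retries >= impl.retryLimit) return null;
  return { ...exec, retries: exec.retries + 1, notBefore: failedAt + impl.retryAfter };
}

module.exports = { filterAllowListed, makeBatches, newState, canStart, start, finish, nextRetry, VT_IMPL, SAMPLE_OBSERVABLES };
```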

    Using the new Capability Framework with an installed integration

    This section describes how to use the new framework for an existing integration.

    Use the steps below to enable an already installed and configured integration (see the supported list of integrations in Supported integrations and components) to use the new capability framework.

    Note: Integration Capability Framework 2.0 available with Security Incident Response 10.0.2 supports implementations for the Threat Lookup and Enrich Observable capabilities. Implementations for other capabilities will be made available in a future release.
    Before you begin
    • Role required: sn_si.admin
    • Security Incident Response 10.0.2
    1. Navigate to Security Operations > Integrations > Capabilities.
    2. Click on Threat Lookup capability.
    3. Click the Capability Implementations tab.
      Capability framework: New capability
    4. View the Capability Implementation record for the integration of interest (example: Crowdstrike Falcon Intelligence). The Active column should have the value False.
    5. Click the Name link to view the implementation record.
      Capability framework: New capability implementation record
    6. Select the Active check box.
    7. Ensure the implementation record is pointing to the right configuration record (the tile name for the integration in Integration Configurations > Show Configurations (Yes)).
      Capability Framework: Configuration Tile
    8. The implementation is enabled for use with the new framework.
    Note: All supported Integrations when installed with Security Incident Response 10.0.2 will automatically be enabled under the new Integration Capability framework.

    Using the new Capability Framework with a Flow

    Use the steps below to create a flow and call the subflow provided by the new capability framework.

    Before you begin

    • Role required: sn_si.admin, flow_designer, action_designer
    • Install one of the supported integrations (see Supported integrations and components)

    The steps below describe how to create a sample flow and call one of the subflows provided with the new capability framework.

    Procedure

    1. Navigate to Flow Designer > Designer.
    2. Click New to create a new flow and provide the necessary information for the properties.
      Capability Framework: Create new flow
      Note: Select System User in the Run As choice list, as shown in the image above.
    3. Select a Trigger condition for the flow (a common trigger is the creation of a security incident record for a certain incident category).
      Capability Framework: Create new flow: trigger
    4. In step 1 of the flow, select an action to get inputs from the security incident (for example, observables). You can select an action from the actions provided with the base system with the Security Support Common Spoke.
      Capability Framework: Create new flow: action
    5. In step 2, select a subflow (for example, Threat Lookup).
      Capability Framework: Create new flow: subflow
    6. Configure the subflow you have selected as shown below:
      Capability Framework: Create new flow: configure subflow
    7. Save and publish the flow.

    Troubleshooting Integration Capability flows

    The Capability Executions option provides detailed information on each capability that has been executed.

    Note: Completed executions are archived after 30 days.

    Navigate to Security Operations > Integrations > Capability Executions.

    Capability Framework: Capability Executions

    Click on the Capability Executions link to view additional details.

    Security Incident Record Worknotes

    When observables have been added to a security incident and the trigger condition for the flow is met, the Threat Lookup and Enrich Observable subflows are initiated and the following work notes are added to the security incident:
    • Flow execution started: Security Operations Integration - Enrich Observable V1
    • Flow execution completed: Security Operations Integration - Enrich Observable V1
    • Flow execution started: Security Operations Integration – Threat Lookup V1
    • Flow execution completed: Security Operations Integration – Threat Lookup V1

    To view these work notes, log in as a user with the sn_si.admin or sn_si.analyst role together with the flow_designer and action_designer roles.

    Navigate to the security incident record and click these work notes to view the flow execution details.
    Capability Framework: Security Incident: Worknotes
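    As an added example (not from this documentation or from ServiceNow), the plain-JavaScript check below reads work notes of the form listed above and reports flows that started but never completed, which is the pattern worth confirming before opening Capability Executions. The work notes and their timestamps are constructed; the Timeout Period value is assumed to be the one configured on the implementation record.

```javascript
// Constructed journal entries as an export of a security incident's work notes might give them.
const WORKNOTES = [
  { at: "2020-05-01T10:00:00Z", text: "Flow execution started: Security Operations Integration - Enrich Observable V1" },
  { at: "2020-05-01T10:00:01Z", text: "Flow execution started: Security Operations Integration - Threat Lookup V1" },
  { at: "2020-05-01T10:00:20Z", text: "Flow execution completed: Security Operations Integration - Enrich Observable V1" },
  { at: "2020-05-01T10:05:00Z", text: "Analyst comment unrelated to flow execution" },
];

// Matches the two work-note shapes the framework writes; the flow name is captured whole.
const NOTE_RE = /^Flow execution (started|completed): (.+)$/;

// Pairs started/completed notes per flow name. Open flows older than timeoutSec
// (seconds, 0 = no timeout) at time `now` are reported as stuck.
function auditFlowNotes(notes, now, timeoutSec) {
  const open = new Map();
  const results = [];
  const ordered = [...notes].sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
  for (const n of ordered) {
    const m = NOTE_RE.exec(n.text.trim());
    if (!m) continue;                                  // not a framework note
    const [, event, flow] = m;
    if (event === "started") { open.set(flow, Date.parse(n.at)); continue; }
    const startedAt = open.get(flow);
    if (startedAt === undefined) { results.push({ flow, status: "completed-without-start" }); continue; }
    open.delete(flow);
    results.push({ flow, status: "completed", durationSec: (Date.parse(n.at) - startedAt) / 1000 });
  }
  for (const [flow, startedAt] of open) {
    const ageSec = (Date.parse(now) - startedAt) / 1000;
    results.push({ flow, status: timeoutSec > 0 && ageSec > timeoutSec ? "stuck" : "running", ageSec });
  }
  return results;
}

module.exports = { auditFlowNotes, WORKNOTES };
```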


    Release version
    Choose your release version

      Integrations Capabilities framework 2.0

      • Save as PDF Selected topic Topic & subtopics All topics in contents
      • Unsubscribe Log in to subscribe to topics and get notified when content changes.
      • Share this page

      Integrations Capabilities framework 2.0

      The new Integration Capabilities Framework 2.0 has been redesigned to enable implementation of integrations in a simple and consistent manner. This ensures a consistent experience for similar types of integrations (for example: observable reputation lookup). The new framework has capabilities implemented using Flows.

      Benefits from the enhanced framework implementation include:

      • The capability flows that include only business level components without any implementation specific logic.
      • The capability flows now accept a broad array of inputs and formats for maximum flexibility (For example, observable references, CI references, tasks, any table or sys_id combinations).
      • Rate limiting or throttling on integration executions are now easy to configure (removing the need to do this using custom code or changes to implementation workflows).
      • Enhanced auditing and execution tracking capabilities now enable better reporting and easier troubleshooting.
      • Robust error handling functions are built into the capability flows to avoid duplicating implementation routines.
      • Ability to configure conditional triggering of the capabilities or the integrations. This provides flexibility to automatically launch automations based on incident category.
      • A default filter condition has been introduced on all capabilities to filter allow listed observables before inputs are provided to the integrations.
      Note: This new capability framework does not upgrade the current capability framework. Both frameworks can work in parallel. For instructions on how to leverage the new capability framework, see Using the new Capability Framework with an installed integration and Using the new Capability Framework with a Flow.

      Supported integrations and components

      The Security Incident Response plugin includes all the capability flows listed in the integrations framework and standard high-level filters that you can enable or disable depending on your requirement.

      Note: If you want to use the new Capability Integration Framework with the New York release, you must install the ServiceNow IntegrationHub Starter Pack Installer plugin. Contact Customer Support for assistance with the installation.

      Supported application versions

      Starting with Security Incident Response 10.0, the following integrations are supported:
      Application Minimum version required
      Security Operations Hybrid Analysis Integration 10.0.0
      Security Operations PhishTank Integration 10.0.0
      Security Operations ThreatCrowd Integration 10.0.0
      Security Operations CrowdStrike Intelligence Integration 10.0.0
      Security Operations 'Have I been pwned?' Integration 10.0.0
      Security Operations Metadefender Integration 10.0.0
      Security Operations Recorded Future Integration 10.0.0
      Security Operations VirusTotal Integration 10.0.0
      Security Operations Reverse WhoIs Integration 10.0.0
      Starting with Security Incident Response 10.4, the following integrations are supported:
      Application Minimum version required
      Security Operations RiskIQ Integration 10.0.0
      Security Operations Shodan Integration 10.0.0
      Security Operations WhoIs Integration 10.0.0
      Security Operations Carbon Black Integration 10.3.1
      Security Operations Splunk Search Integration 10.3.0
      Security Operations ArcSight Logger Integration 10.3.0
      Security Operations McAfee ESM Integration 10.3.0
      Security Operations Elasticsearch Integration 10.3.0
      Security Operations IBM QRadar Integration 10.3.1
      Security Operations CrowdStrike Falcon Host 10.3.0

      Components included

      The new Capability Integration Framework includes the following components:

      • Capabilities: All of the following capabilities that exist in the product today as workflows have been redesigned using Flows:
        • Block Request: Provides a way to block observables associated with a security incident on a firewall, web proxy, or some other control point. This capability is used during incident response investigations to contain an identified threat.
        • Email Search and Delete: Provides a way to search an email server during a security investigation and if necessary, delete emails from the server.
        • Enrich Configuration Item: Provides a general way to enrich configuration items with additional information from a variety of sources. This capability is used during incident response investigations to enrich data associated with a security incident.
        • Enrich Observable: Provides a general way to enrich observables with additional information from a variety of sources. This capability is used during incident response investigations to contain an identified threat.
        • Event Ingestion: Provides a general way to create a security incident by mapping events from an integration source to a security incident.
        • Get Network Statistics: Retrieves a list of active network connections from an endpoint or host. This capability is used for incident enrichment during investigations.
        • Get Running Processes: Retrieves a list of running processes from an endpoint or host. This capability is used for incident enrichment during investigations.
        • Isolate Host: Provides a way to isolate an endpoint or a host associated with a security incident. Isolate host is executed against a configuration item (CI).
        • Publish to Watchlist: Provides a way to add observables associated with a security incident to a watchlist that monitors for security events and generates alerts. This capability is used as part of incident response during investigations.
        • Sightings Search: Searches various SIEMs or other log stores for instances of observables. This capability is used to determine the presence of malicious IoCs in your environment.
        • Threat Lookup: Performs threat intelligence lookups to determine whether a certain observable is associated with a known security threat. This capability is used as part of incident response during investigations.
      • New tables:
        • sn_sec_cmn_capability: Capability and flow that implements the capability.
        • sn_sec_cmn_capability_implementation: The actual implementation flow that provides the services of the capability.
        • sn_sec_cmn_capability_execution: The execution record for a capability at runtime.
        • sn_sec_cmn_capability_implementation_execution: The execution record for a capability implementation at runtime.
        • sn_sec_cmn_filter_condition: The filter conditions that can be applied at runtime to the capability or a capability implementation.
      • Include script: CapabilityProcessor: Handles all the processing code for the framework.
      • Rate limit: Capability Max Concurrent Req Per Period: Defines how many integrations can be executed in parallel.
      • Scheduled job process capability implementation: Runs every 15 seconds and can be disabled in the Security Administration Properties page (Security Incident > Administration > Properties.
        • Enables or Disables the scheduled job, Process Capability Implementations: This job automatically schedules and manages capability implementation execution flows.
        • Enables or Disables Automated Lookups or Enrichments: Setting that activates or deactivates the scheduled job that performs automated threat lookup or enrichment of observables when observables are added to security incidents in the current capability framework.
        • Enables or Disables the scheduled job, Lookup Security Incident Observables: This job automatically schedules a Threat Lookup or Enrich Observables job when observables are added to a security incident.
      Related concepts
      • Integrations Capabilities framework 2.0

      Configurations in the new Capability Framework

      This section describes the configurations available in the new framework.

      1. Navigate to Security Operations > Integrations > Capabilities.
        Note: Version 10.4: Starting with Security Incident Response 10.4, the menu name Capabilities has been changed to Integration Capabilities (Flows).
      2. The capabilities available with the base system are displayed.

        Capability flows: out-of-the-box
        Note:

        These are the capabilities provided with the base system. You can use the capabilities, or you can customize them as required. The following steps describe how to configure a capability and the integrations implemented for the capability.

      3. Click the link in the Name column to configure a capability. The Capability Implementations page is displayed.

        Capability flows: Configure capability
      4. The Name, Application, Description, and the Flow that the Capability implements is displayed. Select the Active check box to activate the capability.
        • Filter conditions at the capability level: When an integration capability implements a flow, the filter conditions associated with the flow will be executed before the capability flow is launched. For example, the Threat Lookup capability includes the Filter Whitelisted Observables condition as shown above. Click on the Name link to edit the filter condition.
          Note: Select the Add worknote to task checkbox to add worknotes to include information on the filter conditions used.

          Capability flows: configure capability: edit filter condition

          You can either define filter conditions or a script, or a combination of both. In the above example, a script is used to define the filter conditions. When the capability flow is executed, the script searches for whitelisted observables and removes them from the table.

          Note: The filter conditions set here are applicable to all active integrations defined in the Capability Implementations tab.
        • Capability implementations: Click the Capability Implementations tab. The implementations (integrations) that have been configured for the capability are displayed. The example below shows the integrations configured for the Threat Lookup capability:
          Capability flows: Threat Lookup: Capability implementations
      5. Click the Name link to view the Capability Implementation. The Name, Application, Description, and the Flow that the capability implements is displayed. Click the Active checkbox to activate the capability.
        Capability flows: Threat Lookup: VirusTotal

        You can specify the following details:

        Field Name: Description

        Active: Select this check box to enable or disable this integration.
          Note: If you configure this integration using the integration tile on the Security Operations > Integrations > Integrations Configurations page, this flag is automatically set to Active.
        Order: Indicates the order in which the integrations are executed.
        Capability: The capability implemented by this integration.
        Flow: The subflow that implements the capability.
        Configuration: The integration configuration for this capability.
          Note: This is initially set to the default configuration provided with the base system. When an integration is configured using the integration tile on the Integration Configurations page, this value is automatically reset to the newly created configuration.
        Rate Limit: Indicates the number of integrations that can be executed at run time (in parallel or per unit of time).
        Batch Inputs Size: The batch input size for each execution. For example, for a Sighting Search integration you may want to group the observables into batches of 50 so that the generated queries do not become too large. 0 indicates that there is no limit.
        Timeout Period: The maximum duration before the capability implementation flow is cancelled. 0 indicates that there is no timeout period.
        Total Requests: The total number of implementation execution requests. This field, in conjunction with the Total Reqs Period field, can be used to limit the number of requests to the service. For example, you can limit the number to 4 requests per minute.
        Total Reqs Period: The period to which the Total Requests limit applies.
        Retry Limit: The number of retries allowed for a failed execution request. This limit applies if the Retry flag is set in your integration to retry an execution request when a condition is met. For example, a retry request is made when you have exceeded your license limit for that service for a time period or when the service is down.
        Retry After: The period after which an attempt is made to retry a failed execution request.
        Max Concurrent Reqs: The maximum number of concurrent implementation execution requests. 0 indicates no limit.
        Sighting Search Configurations: The default sighting search queries that can be executed.
        Click the Name link in the Filter Conditions section to configure the conditions defined for the implementation. Add or delete filter conditions, modify the script if required and update the record.
        Capability flows: Threat Lookup: VirusTotal: filter condition
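To make the interplay of the batch, rate-limit, concurrency and retry fields concrete, the following is an added JavaScript illustration; it is not ServiceNow platform code and not taken from this page. The scheduling rules, the `SAMPLE_CONFIG` values, the `observable-N` inputs and the `sampleLookup` failure are constructed assumptions chosen to mirror the field descriptions above (batches of 50, a request budget per period, a retry after a transient service error).

```javascript
// Added illustration (not ServiceNow code): a virtual-time simulation of how the
// Capability Implementation fields above (Batch Inputs Size, Total Requests with
// Total Reqs Period, Max Concurrent Reqs, Retry Limit, Retry After) constrain the
// execution requests sent to a service. Rules and sample data are assumptions.

// Split observables into batches of at most `batchInputsSize`; 0 means no limit.
function batchObservables(observables, batchInputsSize) {
  if (!batchInputsSize || batchInputsSize <= 0) return [observables.slice()];
  const batches = [];
  for (let i = 0; i < observables.length; i += batchInputsSize) {
    batches.push(observables.slice(i, i + batchInputsSize));
  }
  return batches;
}

// Sliding-window limiter: at most `totalRequests` request starts inside any
// window of `periodMs` (0 means unlimited).
class RateLimiter {
  constructor(totalRequests, periodMs) {
    this.max = totalRequests;
    this.period = periodMs;
    this.starts = []; // start times still inside the current window
  }
  allows(now) {
    this.starts = this.starts.filter((t) => t + this.period > now);
    return !this.max || this.starts.length < this.max;
  }
  record(now) { this.starts.push(now); }
  // Earliest virtual time at which another request may start.
  nextAllowedAt(now) { return this.allows(now) ? now : this.starts[0] + this.period; }
}

// Run every batch through `lookup(batch, attempt)` (returns { ok: boolean }),
// honouring concurrency, rate and retry settings. Each request is assumed to
// take `requestDurationMs`; the service's answer is evaluated when it ends.
function simulateExecutions(observables, config, lookup, requestDurationMs) {
  const batches = batchObservables(observables, config.batchInputsSize);
  const limiter = new RateLimiter(config.totalRequests, config.totalReqsPeriodMs);
  let pending = batches.map((_, i) => ({ batch: i, attempt: 0, readyAt: 0 }));
  let running = [];
  const events = [];
  let now = 0;

  while (pending.length > 0 || running.length > 0) {
    // 1. Retire requests that finished by `now`; schedule retries for failures.
    const finished = running.filter((r) => r.endsAt <= now);
    running = running.filter((r) => r.endsAt > now);
    for (const r of finished) {
      if (lookup(batches[r.batch], r.attempt).ok) {
        events.push({ type: 'completed', batch: r.batch, attempt: r.attempt, at: now });
      } else if (r.attempt < config.retryLimit) {
        events.push({ type: 'retrying', batch: r.batch, attempt: r.attempt, at: now });
        pending.push({ batch: r.batch, attempt: r.attempt + 1, readyAt: now + config.retryAfterMs });
      } else {
        events.push({ type: 'failed', batch: r.batch, attempt: r.attempt, at: now });
      }
    }

    // 2. Start ready requests while Max Concurrent Reqs and the rate limit allow.
    pending.sort((a, b) => a.readyAt - b.readyAt || a.batch - b.batch);
    const stillPending = [];
    let blockedByRate = false;
    for (const p of pending) {
      const concurrencyOk = !config.maxConcurrentReqs || running.length < config.maxConcurrentReqs;
      if (p.readyAt <= now && concurrencyOk && limiter.allows(now)) {
        limiter.record(now);
        running.push({ ...p, endsAt: now + requestDurationMs });
        events.push({ type: 'started', batch: p.batch, attempt: p.attempt, at: now });
      } else {
        if (p.readyAt <= now && concurrencyOk) blockedByRate = true;
        stillPending.push(p);
      }
    }
    pending = stillPending;

    // 3. Advance virtual time to the next moment the state can change.
    const candidates = running.map((r) => r.endsAt)
      .concat(pending.filter((p) => p.readyAt > now).map((p) => p.readyAt));
    if (blockedByRate) candidates.push(limiter.nextAllowedAt(now));
    if (candidates.length === 0) break;
    now = Math.min(...candidates);
  }
  return { batches, events };
}

// Constructed sample: 120 observables in batches of 50, at most 2 requests per
// minute, 2 in parallel, one retry 5 s after a failure; batch 1 fails once.
const SAMPLE_CONFIG = { batchInputsSize: 50, totalRequests: 2, totalReqsPeriodMs: 60000,
  retryLimit: 1, retryAfterMs: 5000, maxConcurrentReqs: 2 };
const SAMPLE_OBSERVABLES = Array.from({ length: 120 }, (_, i) => `observable-${i}`);

function sampleLookup(batch, attempt) {
  // Transient failure (e.g. service quota exceeded) on the first try of batch 1.
  return { ok: !(batch[0] === 'observable-50' && attempt === 0) };
}

function runSample() { return simulateExecutions(SAMPLE_OBSERVABLES, SAMPLE_CONFIG, sampleLookup, 1000); }

console.log(runSample().events.map((e) => `${e.at} ms: ${e.type} batch ${e.batch} (attempt ${e.attempt})`).join('\n'));
```

In the sample run the two minute-window slots are consumed at time 0, so the third batch and the retry of batch 1 both have to wait until the window has elapsed at 60000 ms even though the retry was ready at 6000 ms; this is the behaviour a tight Total Requests setting produces, and it is why Timeout Period and Retry After should be chosen with the request budget in mind.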

      Using the new Capability Framework with an installed integration

      This section describes how to use the new framework for an existing integration.

      Use the steps below to enable an already installed and configured integration (see supported list of Integrations in Supported integrations and components) to use the new capability framework.

      Note: Integration Capability Framework 2.0, available with Security Incident Response 10.0.2, supports implementations for the Threat Lookup and Enrich Observable capabilities. Implementations for other capabilities will be made available in a future release.
      Before you begin
      • Role required: sn_si.admin
      • Security Incident Response 10.0.2
      1. Navigate to Security Operations > Integrations > Capabilities.
      2. Click the Threat Lookup capability.
      3. Click the Capabilities Implementation tab.
        Capability framework: New capability
      4. View the Capability Implementation record for the integration of interest (for example, Crowdstrike Falcon Intelligence). The Active column should show False.
      5. Click the Name link to view the implementation record.
        Capability framework: New capability implementation record
      6. Select the Active check box.
      7. Ensure the implementation record is pointing to the right configuration record (the tile name for the integration in Integration Configurations > Show Configurations (Yes)).
        Capability Framework: Configuration Tile
      8. The implementation is enabled for use with the new framework.
      Note: All supported Integrations when installed with Security Incident Response 10.0.2 will automatically be enabled under the new Integration Capability framework.

      Using the new Capability Framework with a Flow

      Use the steps below to create a flow and call the subflow provided by the new capability framework.

      Before you begin

      • Role required: sn_si.admin, flow_designer, action_designer
      • Install one of the supported integrations (see Supported integrations and components)

      The steps below describe how to create a sample flow and call one of the subflows provided with the new capability framework.

      Procedure

      1. Navigate to Flow Designer > Designer.
      2. Click New to create a new flow and provide the necessary information for the properties.
        Capability Framework: Create new flow
        Note: Select System User in the Run As choice list as shown in the above image.
      3. Select a Trigger condition for the flow (a common trigger is the creation of a security incident record for a certain incident category).
        Capability Framework: Create new flow: trigger
      4. In step 1 of the flow, select an action to get inputs from the security incident (for example, observables). You can select an action from the actions provided with the base system with the Security Support Common Spoke.
        Capability Framework: Create new flow: action
      5. In step 2, select a subflow (for example, Threat Lookup).
        Capability Framework: Create new flow: subflow
      6. Configure the subflow you have selected as shown below:
        Capability Framework: Create new flow: configure subflow
      7. Save and publish the flow.

      Troubleshooting Integration Capability flows

      The Capability Executions option provides detailed information on each capability that has been executed.

      Note: Completed executions are archived after 30 days.

      Navigate to Security Operations > Integrations > Capability Executions.

      Capability Framework: Capability Executions

      Click the Capability Executions link to view additional details.

      Security Incident Record Worknotes

      When observables have been added to a security incident and the trigger condition for the flow is met, the Threat Lookup and Enrich Observable subflows are initiated and the following work notes are added to the security incident:
      • Flow execution started: Security Operations Integration - Enrich Observable V1
      • Flow execution completed: Security Operations Integration - Enrich Observable V1
      • Flow execution started: Security Operations Integration – Threat Lookup V1
      • Flow execution completed: Security Operations Integration – Threat Lookup V1

      To view these work notes, log in as a user with the sn_si.admin or sn_si.analyst role plus the flow_designer and action_designer roles.

      Navigate to the security incident record page and click these work notes to view the flow execution details.
      Capability Framework: Security Incident: Worknotes
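When troubleshooting, the pairing of "started" and "completed" work notes is what tells you whether a subflow actually finished. The following is an added JavaScript illustration, not ServiceNow platform code and not from this page: it scans a list of work notes shaped like the four lines above and reports executions that started but never completed. The `SAMPLE_WORK_NOTES` journal, its timestamps and the `at`/`text` field names are constructed assumptions; on a real instance the notes would be read from the incident's journal instead.

```javascript
// Added illustration (not ServiceNow code): audits the "Flow execution
// started/completed: <flow name>" work notes that the Threat Lookup and Enrich
// Observable subflows add to a security incident, and lists executions that
// have no matching completion. Sample notes below are constructed.

const WORK_NOTE_PATTERN = /^Flow execution (started|completed): (.+)$/;

// Notes are assumed to be in chronological order. Each "started" note is paired
// with the next "completed" note for the same flow name.
// Returns { completed: [{flow, startedAt, completedAt}], unfinished: [{flow, startedAt}] }.
function auditFlowExecutions(workNotes) {
  const open = new Map(); // flow name -> queue of start timestamps awaiting completion
  const completed = [];
  for (const note of workNotes) {
    const m = WORK_NOTE_PATTERN.exec(note.text.trim());
    if (!m) continue; // an unrelated work note (analyst comment etc.)
    const [, state, flow] = m;
    if (state === 'started') {
      if (!open.has(flow)) open.set(flow, []);
      open.get(flow).push(note.at);
    } else {
      const queue = open.get(flow);
      // A completion with no recorded start is kept, with startedAt = null,
      // so that it is still visible rather than silently dropped.
      const startedAt = queue && queue.length > 0 ? queue.shift() : null;
      completed.push({ flow, startedAt, completedAt: note.at });
    }
  }
  const unfinished = [];
  for (const [flow, starts] of open) {
    for (const startedAt of starts) unfinished.push({ flow, startedAt });
  }
  return { completed, unfinished };
}

// Constructed sample journal: Enrich Observable ran to completion, Threat Lookup
// started but never completed, and one analyst note is unrelated.
const SAMPLE_WORK_NOTES = [
  { at: '2020-03-01T10:00:00Z', text: 'Flow execution started: Security Operations Integration - Enrich Observable V1' },
  { at: '2020-03-01T10:00:12Z', text: 'Flow execution completed: Security Operations Integration - Enrich Observable V1' },
  { at: '2020-03-01T10:00:13Z', text: 'Flow execution started: Security Operations Integration - Threat Lookup V1' },
  { at: '2020-03-01T10:05:00Z', text: 'Analyst note: escalated to tier 2' },
];

function sampleAudit() { return auditFlowExecutions(SAMPLE_WORK_NOTES); }

console.log(JSON.stringify(sampleAudit(), null, 2));
```

An execution listed under `unfinished` is the one to look up under Security Operations > Integrations > Capability Executions; remember that completed executions are archived after 30 days, so an audit over older incidents will only find the work notes, not the execution records.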
