ThreatStream provides a bidirectional integration with ServiceNow, which enables users to easily make use of ThreatStream’s enriched and contextualized database of threat intelligence as part of their Incident Response workflow. Features include:
- Create or update ServiceNow security incidents from ThreatStream investigations, including observable details, descriptions and associations like Threat Actors, Campaigns and more.
- Create or update ThreatStream investigations from ServiceNow security incidents, including descriptions, priority, associated observables.
- Export observables from ServiceNow to ThreatStream for inclusion in other investigations, workflows, and for downstream dissemination to other security tools.
- When new observables are added to an incident, ServiceNow will automatically carry out Threat Lookup and Observable Enrichment against these observables.
- Add ThreatStream as a Threat Lookup source, enabling ServiceNow observables to be marked as Malicious based on their corresponding confidence score in ThreatStream.
- Enrich ServiceNow Observables with actionable threat intel data from ThreatStream to provide additional context.
- Observables within ServiceNow can be exported to ThreatStream, allowing for quick sharing of intelligence between the two platforms.
- Create or update ThreatStream Investigations from ServiceNow Security Incidents with the click of a button.
ServiceNow Integration v1.3.06 fixes issues in the previous version.
- INTS-12956: There was an issue with parameter encoding that caused incorrect Threat Lookup results to be generated for observables whose value contained special characters. FIX: This issue is fixed in this version.
- INTS-12894: The Finding attribute for observables, set by ThreatStream during execution, was then overwritten by the ServiceNow automatic finding calculator. FIX: This duplication is fixed in this version. The ServiceNow-generated attribute is used.
Product:
- Security Operations
Plugins:
- Security Incident Response
- Threat Intelligence
- Threat Intelligence Support Common
Permissions:
- sn_si.basic
- sn_ti.read
- snc_platform_rest_api_access (required for cases when Table API ACL is active)