RiskIQ® allows security operations personnel to automate a range of threat detection, triage, monitoring, and response tasks. By capturing details around SSL certificates, Whois data, and other public Internet sources, threat indicators or observables can be enriched with RiskIQ data details, and analysts can respond to security incidents more efficiently. When integrated with ServiceNow Security Operations, RiskIQ data intelligence provides additional enrichment data and insight for security incidents or investigations.
- Automatic enrichment lookups for the SSL certificate and domain registration information are run on selected observables upon incident creation.
- After the application is configured, the workflow launches automatically for RiskIQ lookups, and completion status is recorded in work notes.
- Observables can be looked up manually by adding them to the Security Incident form or Observable Entry table and launching an enrichment lookup.
- Results are displayed in the SSL Certificates and Observable Enrichment tabs under Related Links.
Changed:
- Migrated Enrichment workflows to flow designer.
Plugins
The following Threat Intelligence plugin must be installed and activated:
- com.snc.threat.intelligence
The following Security Incident Response plugins must be installed and activated:
- com.snc.security_support.common
- com.snc.security_incident
- com.snc.intel_sharing.client
- com.snc.secops.orchestration
- com.snc.threat
Permissions and roles
- Role required: System Admin (admin).
Workflow
The RiskIQ integration, when used with the Security Operations integration capabilities framework, provides a high-level workflow that is independent of the integration vendor.
Once the application is installed and activated, it queries the RiskIQ API for SSL certificates and Whois domain registration information based on submitted domains and other SSL certificate or domain registration parameters.
Components created by the application
List of Workflows:
- Enrich Observable – RiskIQ Certificates
- Enrich Observable – RiskIQ Whois
List of Workflow Activities:
- Enrich Observable – RiskIQ Whois
- Observable Enrichment Lookup
List of scripts:
- RiskIqIntegration
- RiskIqCertObservableEnrichment
- RiskIqWhoisConfiguration
- RiskIqWhoisObservableEnrichment
List of newly defined tables:
- SSL Certificate Entry
- SSL Certificate Entity
Scope(s) used:
- sn_sec_riskiq
- RiskIQ SSL Certificate Lookup
- RiskIQ WHOIS Lookup
- RiskIQ SSL Cert by Host Entry Mapping
- RiskIQ SSL Cert by Serial, Name Entry Mapping
- RiskIQ SSL Cert by SHA Entry Mapping
- RiskIQ SSL Cert Issuer Mapping
- RiskIQ SSL Cert Name Mapping
- RiskIQ SSL Cert Subject Mapping
- RiskIQ WHOIS Contact Mapping
- RiskIQ WHOIS Entry Mapping
- RiskIQ WHOIS Name Server Mapping