PhishTank® is a community-based phishing verification system in which users submit suspected phishing threats and other users vote to determine whether each submission is a genuine phishing threat. When integrated with ServiceNow Security Operations, the Threat Intelligence results provide additional insight for phishing-related security incidents or investigations.
- When an incident is created, threat intelligence lookups are run on potential phishing site URLs.
- After the application is configured, the workflow launches automatically, and lookup execution and completion status are recorded in work notes on the Security Incident form.
- Observables can be looked up manually by adding them to the Security Incident form and launching workflows.
- Results are displayed in the Threat Lookup Results tab at the bottom of the Security Incident form.
Changed:
- Migrated enrichment workflows to Flow Designer.
Plugins:
The following plugin for Threat Intelligence must be installed and activated:
- com.snc.threat.intelligence plugin for Threat Intelligence
The following Security Incident Response plugins must be installed and activated:
- com.snc.security_support.common
- com.snc.security_incident
- com.snc.intel_sharing.client
- com.snc.secops.orchestration
- com.snc.threat
Permissions and roles
- Role required: System Admin (admin) or Security Admin (sn_si.admin)
Workflow
The Security Operations integration capabilities framework, used with the PhishTank integration, provides a high-level workflow that is independent of the integration vendor. The workflow performs threat intelligence lookups on selected observables, specifically URLs. The application checks for new observables; any observable of a type recognized by the PhishTank API integration is queried for a threat lookup response.
Components created by the application
Default PhishTank lookup workflow:
- Threat Lookup–PhishTank
Script includes:
- PhishTankThreatLookupImplementation
Scope used:
- sn_sec_phishtank