Retrieving Observables on a SIR ticket via API

LancePet

I’ve been working on getting the observables from SNOW into another tool, but I haven’t been able to find a way to return the observables via the API.

 

If you look at the sn_si_incident and sn_ti_observable records directly through the Table API, there doesn't seem to be anything in them that links the two together or that can be queried on. I did find that on the standard SIR form view there is a "show IoC" UI Action that returns the results, so it seems to be possible in the UI at least, but I'm not sure how to get that data via the API. Would anyone have any insight into how to retrieve that data via the API?

 


 

{

  "result": [

    {

      "parent": "",

      "sla_suspended_reason": "",

      "watch_list": "",

      "upon_reject": "cancel",

      "sys_updated_on": "2023-11-09 20:35:08",

      "qualification_group": "",

      "expected_end": "",

      "approval_history": "",

      "source_ip": "",

      "skills": "",

      "number": "SIR0010287",

      "problem": "",

      "previous_agent": "",

      "state": "16",

      "sys_created_by": "admin",

      "template_workflow_invoked": "false",

      "knowledge": "false",

      "order": "",

      "phish_email": "",

      "cmdb_ci": "",

      "delivery_plan": "",

      "contract": "",

      "impact": "3",

      "active": "true",

      "priority": "4",

      "sys_domain_path": "/",

     "sla_suspended": "false",

      "business_duration": "",

      "group_list": "",

      "special_access_write": "",

      "dest_ip": "",

      "mitre_platform": "",

      "risk_change": "up",

      "malware_url": "",

      "universal_request": "",

      "template": "",

      "short_description": "This is testing pulling in a serviceNow Security Incident",

      "correlation_display": "",

      "delivery_task": "",

      "work_start": "",

      "request_type": "",

      "affected_user": "",

      "other_ioc": "",

      "additional_assignee_list": "",

      "alert_sensor": "",

      "assigned_vendor": "",

      "service_offering": "",

      "sys_class_name": "sn_si_incident",

      "closed_by": "",

      "follow_up": "",

      "mitre_group": "",

      "sla_suspended_on": "",

      "estimated_end": "",

      "vendor_reference": "",

      "reassignment_count": "0",

      "assigned_to": {

        "link": "https://service-now.com/api/now/table/sys_user/1cde3c36db64f700db9b9875db961970",

        "value": "1cde3c36db64f700db9b9875db961970"

      },

      "request_category": "",

      "requested_due_by": "",

      "mitre_malware": "",

      "sla_suspended_for": "",

      "business_criticality": "3",

      "sla_due": "",

      "opened_for": {

        "link": "https://service-now.com/api/now/table/sys_user/6816f79cc0a8016401c5a33be04be441",

        "value": "6816f79cc0a8016401c5a33be04be441"

      },

      "mitre_technique": "",

      "special_access_read": "",

      "substate": "",

      "escalation": "0",

      "upon_approval": "proceed",

      "correlation_id": "",

      "asset": "",

      "mitre_tool": "",

      "spam": "false",

      "referrer_url": "",

      "made_sla": "true",

      "mitre_tactic": "",

      "is_catalog": "false",

      "malware_hash": "",

      "alert_rule": "",

      "task_effective_number": "SIR0010287",

      "external_url": "",

      "sys_updated_by": "system",

      "opened_by": {

        "link": "https://.service-now.com/api/now/table/sys_user/6816f79cc0a8016401c5a33be04be441",

        "value": "6816f79cc0a8016401c5a33be04be441"

      },

      "user_input": "",

      "sys_created_on": "2023-11-08 23:23:59",

      "sys_domain": {

        "link": "https://.service-now.com/api/now/table/sys_user_group/global",

        "value": "global"

      },

      "pir": "",

      "route_reason": "",

      "closed_at": "",

      "business_service": "",

      "attack_vector": "",

      "time_worked": "",

      "expected_start": "",

      "opened_at": "2023-11-08 23:23:59",

      "task_created": "false",

      "work_end": "",

      "confidence_score": "",

      "prediction": "",

      "automation_activity": "",

      "subcategory": "ransomeware",

      "work_notes": "",

      "security_tags": "",

      "risk_score_override": "false",

      "initiated_from": "",

      "close_code": "",

      "assignment_group": {

        "link": "https://.service-now.com/api/now/table/sys_user_group/dea26263ff0331007a6dffffffffff19",

        "value": "dea26263ff0331007a6dffffffffff19"

      },

      "description": "",

      "calendar_duration": "",

      "close_notes": "",

      "pir_respondents": "1cde3c36db64f700db9b9875db961970",

      "sys_id": "a8185ec31b9a3510516b777e0a4bcb6e",

      "contact_type": "",

      "urgency": "3",

      "secure_notes": "08b15c111bd22110516b777e0a4bcbab1cWUaG8IOzoG-K-wCma-jRYLldPG6t4AcS44TwXnJFaW0QC4H8P1dnBbjyWl8HtCO",

      "company": "",

      "new_pir_respondents": "",

      "department": "",

      "activity_due": "",

      "severity": "2",

      "comments": "",

      "risk_score": "40",

      "approval": "not requested",

      "due_date": "",

      "sys_mod_count": "6",

      "parent_security_incident": "",

      "sys_tags": "",

      "billable": "false",

      "mitre_data_source": "",

      "caller": {

        "link": "https://service-now.com/api/now/table/sys_user/6816f79cc0a8016401c5a33be04be441",

        "value": "6816f79cc0a8016401c5a33be04be441"

      },

      "location": "",

      "risk": "3",

      "category": "malware",

      "incident": "",

      "change_request": "",

      "security_incident_self": {

        "link": "https://.service-now.com/api/now/table/sn_si_incident/a8185ec31b9a3510516b777e0a4bcb6e",

        "value": "a8185ec31b9a3510516b777e0a4bcb6e"

      }

    }

  ]

}

 

{

  "result": [

    {

      "negation": "false",

      "mitre_tactic": "",

      "notes": "",

      "malicious_attachment": "",

      "sys_updated_on": "2023-11-09 20:34:16",

      "type": {

        "link": "https://.service-now.com/api/now/table/sn_ti_observable_type/5d0b43809f81120035c6786f957fcf71",

        "value": "5d0b43809f81120035c6786f957fcf71"

      },

      "operator": "",

      "mitre_group": "",

      "sys_id": "c0daba531b5a7510516b777e0a4bcbd8",

      "sys_updated_by": "admin",

      "sys_created_on": "2023-11-09 20:34:16",

      "sys_domain": {

        "link": "https://.service-now.com/api/now/table/sys_user_group/global",

        "value": "global"

      },

      "value": "58.136.170.171",

      "sys_created_by": "admin",

      "mitre_malware": "",

      "finding_expiry_time": "",

      "sys_mod_count": "1",

      "is_composition": "false",

      "finding": "Unknown",

      "sys_tags": "",

      "mitre_data_source": "",

      "mitre_technique": "",

      "mitre_information": "",

      "sighting_count": "1",

      "mitre_platform": "",

      "location": "",

      "mitre_tool": "",

      "security_tags": ""

    }

  ]

}

ChadDa3mon

I'm assuming you have likely figured this out by now, but in case others come across this: there is a many-to-many (m2m) mapping table between tasks and observables, sn_ti_m2m_task_observable.