Sebastiaan
ServiceNow Employee

When you have a SecOps SIR professional license, you are entitled to the Threat Intel module.

The Threat Intel module is primarily focused on providing an additional layer of enrichment for Security Incidents and their observables. Although Threat Intel might already be in use at the SIEM or detection solution level, it still makes sense to leverage the enrichment capabilities in SecOps for the following reasons:

1. Security Incidents that are not created by a SIEM or detection solution, such as user-reported phishing emails, Service Catalog requests or escalated IT incidents, typically don’t get enriched with Threat Intelligence. The ability to do so at creation time can therefore be considered just as important as using Threat Intel on the SIEM layer.

2. Security Incidents from, for example, SIEM solutions might contain findings that are outdated or lack related campaign information. It can therefore be very useful to perform an automated update within SecOps to confirm the findings or obtain newly available threat data.

3. By enriching Security Incidents with Threat Intelligence in ServiceNow, organizations are able to understand the relationship between Security Incidents and Indicators. This not only helps with understanding the potential scope of related attacks, but also allows organizations to confirm whether previous remediation actions, like the blocking of URLs, IPs, etc., are still in effect.

The SecOps Threat Intelligence module can ingest data through plugins with, for example, VirusTotal or CrowdStrike, or by leveraging TAXII sources.

Although the OOTB TAXII profile allows easy integration with non-authenticated TAXII sources, you do need to perform some additional configuration to make it work when authentication is required.

This post is intended to provide an example on how to do so by walking through the configuration of the Anomali TAXII Limo Feed.

A STIX/TAXII integration consists of a Discovery Service part and a Collection Service part. The Discovery part allows you to discover the available collections, whereas the Collection part is used to obtain the actual STIX-formatted data.

In the case your TAXII server requires authentication, you must first create a REST Outbound Message containing the right authentication type and header information.

An example for Anomali Limo is shown below:

1. REST Message Config

[screenshot: REST Message configuration]

2. Default POST Method config

[screenshots: default POST method configuration]

3. After the REST Message is prepared, you are ready to configure the TAXII profile.

Discovery Service Configuration

[screenshot: Discovery Service configuration]

Collection Service Configuration

[screenshot: Collection Service configuration]

4. After this, we can test the Discovery Service. If all is OK, you should receive a success message and obtain a list of available collections.

[screenshot: Discovery Service test result with the list of collections]


5. When Discovery works, we must make some additional changes to ensure you are able to collect the Anomali Limo data.

To obtain the collection data, Limo requires the following XML-formatted parameters to be included in the poll request:

taxii_11:Exclusive_Begin_Timestamp
taxii_11:Inclusive_End_Timestamp
taxii_11:Poll_Parameters

The OOTB “TAXIIV1_1RequestBuilder” script include, however, does not include the “taxii_11:Inclusive_End_Timestamp” parameter.

To include it, we therefore need to add the following lines to the script include:

[screenshots: lines added to the TAXIIV1_1RequestBuilder script include]

6. After adding these lines, you should be able to successfully collect and ingest Limo STIX data.

[screenshots: collected and ingested Limo STIX data]
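As an added illustration of the poll request that step 5 describes (this is example code, not the OOTB TAXIIV1_1RequestBuilder script include and not Anomali's code), the following JavaScript builds a TAXII 1.1 Poll_Request that carries both the Exclusive_Begin_Timestamp and the Inclusive_End_Timestamp. The element and attribute names and the namespace URI are the ones defined by the TAXII 1.1 XML binding; the function names, the collection name and the date window are assumptions made for this example. TAXII 1.1 timestamps are xs:dateTime values that must carry a timezone, so the example always emits UTC rather than a user's display timezone.

```javascript
// Added example: builds a TAXII 1.1 Poll_Request with both timestamp elements.
// Not the OOTB TAXIIV1_1RequestBuilder script include; function names and the
// sample input below are assumptions. Written in ES5 style so it also runs on
// a Rhino-based scripting engine.

var TAXII_11_NS = 'http://taxii.mitre.org/messages/taxii_xml_binding-1.1';

// Escape XML-significant characters so a collection name or message id taken
// from configuration cannot break (or inject into) the request document.
function xmlEscape(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// TAXII 1.1 timestamps are xs:dateTime values that MUST include a timezone.
// Emit UTC ("Z" suffix) so the poll window is defined by the system clock,
// not by the requesting user's display timezone.
function toTaxiiTimestamp(date) {
  if (!(date instanceof Date) || isNaN(date.getTime())) {
    throw new TypeError('toTaxiiTimestamp expects a valid Date');
  }
  return date.toISOString();
}

// Build the Poll_Request XML. `begin` is exclusive and `end` is inclusive, as
// the element names state. When `end` is omitted, the current time is used so
// the Inclusive_End_Timestamp element is still present in the request.
function buildPollRequest(collectionName, begin, end, messageId) {
  if (!collectionName) {
    throw new Error('collectionName is required');
  }
  var endDate = end || new Date();
  var beginTs = toTaxiiTimestamp(begin);
  var endTs = toTaxiiTimestamp(endDate);
  if (begin.getTime() >= endDate.getTime()) {
    throw new RangeError('Exclusive_Begin_Timestamp must be before Inclusive_End_Timestamp');
  }
  var id = messageId || String(Date.now());
  return [
    '<taxii_11:Poll_Request xmlns:taxii_11="' + TAXII_11_NS + '"' +
      ' message_id="' + xmlEscape(id) + '"' +
      ' collection_name="' + xmlEscape(collectionName) + '">',
    '  <taxii_11:Exclusive_Begin_Timestamp>' + beginTs + '</taxii_11:Exclusive_Begin_Timestamp>',
    '  <taxii_11:Inclusive_End_Timestamp>' + endTs + '</taxii_11:Inclusive_End_Timestamp>',
    '  <taxii_11:Poll_Parameters allow_asynch="false">',
    '    <taxii_11:Response_Type>FULL</taxii_11:Response_Type>',
    '  </taxii_11:Poll_Parameters>',
    '</taxii_11:Poll_Request>'
  ].join('\n');
}

// Pre-send check: every element Limo requires is present and closed. This is
// what catches a request built without the Inclusive_End_Timestamp element.
function hasRequiredPollElements(xml) {
  var required = [
    'taxii_11:Exclusive_Begin_Timestamp',
    'taxii_11:Inclusive_End_Timestamp',
    'taxii_11:Poll_Parameters'
  ];
  return required.every(function (name) {
    return xml.indexOf('<' + name) !== -1 && xml.indexOf('</' + name + '>') !== -1;
  });
}

// Constructed sample: a one-day window for a placeholder collection name.
var sampleRequest = buildPollRequest(
  'example_collection', // placeholder, not a real Limo collection name
  new Date(Date.UTC(2019, 5, 20, 0, 0, 0)),
  new Date(Date.UTC(2019, 5, 21, 0, 0, 0)),
  'msg-1'
);
console.log(sampleRequest);
console.log('required elements present: ' + hasRequiredPollElements(sampleRequest));
```

In a script include the date values would come from GlideDateTime rather than a JavaScript Date; the point that carries over is that the value sent to the server is the system time in UTC with an explicit timezone designator, and that the request is checked for the Inclusive_End_Timestamp element before it is sent.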

Comments
jing3
Mega Guru

You might consider a title change. At first, I was not quite sure of what this is. After reading the details, found it very informative. I would believe that anyone interested in Threat Intelligence could benefit from it.

Sebastiaan
ServiceNow Employee

Hi Jing,

Thanks for the feedback. I have changed the title a bit. Hope this is more clear.

Kind regards,
Sebastiaan

SNOWman2
Mega Sage

Thank you OP, this was very helpful. For anyone that is interested and facing issues with the prescribed plan - I needed to make the following change:

[screenshot: modified line in the script include]

Please note the sdt.getValue() instead of .getDisplayValue(). The former will access the system's time and the latter will return the date/time value in the current user's display format and timezone.

danielgarner
Tera Contributor

I know this is a dated post, but does anyone have a STIX TAXII v2.1 Integration Script and Report Processor lying around for Cyware TAXII payloads (ideally from North American AOOs)?

Last update: 06-21-2019 04:43 AM