The Zurich release has arrived! Interested in new features and functionalities? Click here for more

FS-ISAC STIX/TAXII Setup in ServiceNow

Liju John1
Mega Guru

on ‎05-21-2019 07:09 PM 

find_real_file.png


find_real_file.png
find_real_file.png
find_real_file.png

find_real_file.png

Preview file
73 KB
Preview file
86 KB
Preview file
64 KB
Preview file
25 KB
Preview file
127 KB
Preview file
551 KB
Preview file
65 KB
Preview file
72 KB
  • 4,501 Views
Comments
scottlewis
ServiceNow Employee
ServiceNow Employee
‎05-21-2019 07:24 PM

Thanks for posting Liju.  You beat me to it!

s

Liju John1
Mega Guru
‎05-21-2019 07:38 PM

Thanks for your help Scott.

(I did not see any search result regarding FS-ISAC in the community earlier.)

kmlutz4sn
Kilo Expert
‎08-18-2019 02:13 AM

Hello Liju,

Any suggestions or known postings on using data from attack.mitre.org into SN? It seems similar to what you have posted above.

Any suggestions would be appreciated.

Thanks.

0 Helpfuls
Mike_R
Kilo Patron
Kilo Patron
‎07-06-2020 12:16 PM

Hi Liju,

 

Thank you for the very helpful instructions. We followed these instructions last year and it worked perfectly.

Apparently in March, FS-ISAC changed the feed URL to "https://taxii.fsisac.com/ctixapi/taxii/". I tried updating the URL & credentials in ServiceNow but am unable to import the data.

 

Any suggestions?

0 Helpfuls
Liju John1
Mega Guru
‎07-13-2020 10:26 AM

There is a change in the FS-ISAC APIs.

 

What are the connection parameters for connecting to FS-ISAC’s STIX/TAXII Feed?
• TAXII 1.1:

o Discovery Service: https://taxii.fsisac.com/ctixapi/taxii/
o Collection Service: https://taxii.fsisac.com/ctixapi/taxii/collection/
o Poll Service: https://taxii.fsisac.com/ctixapi/taxii/poll/

• TAXII 2.0:

o Discovery Service: https://taxii.fsisac.com/ctixapi/ctix2/taxii/
o Collection Service: https://taxii.fsisac.com/ctixapi/ctix2/collections/
o Poll Service: https://taxii.fsisac.com/ctixapi/ctix2/collections/<collection_id>/
find_real_file.png

• TAXII 2.1:

  1. o Discovery Service: https://taxii.fsisac.com/ctixapi/ctix21/taxii2/
  2. o Collection Service: https://taxii.fsisac.com/ctixapi/ctix21/collections/
  3. o Poll Service: https://taxii.fsisac.com/ctixapi/ctix21/collections/<collection_id>/
  4. find_real_file.png
Liju John1
Mega Guru
‎07-13-2020 10:32 AM

TAXII Collections

0 Helpfuls
Liju John1
Mega Guru
‎07-13-2020 10:35 AM

find_real_file.png

Liju John1
Mega Guru
‎07-13-2020 10:35 AM

find_real_file.png

Liju John1
Mega Guru
‎07-13-2020 10:36 AM

Poll

 

find_real_file.png

Jimmy26
Giga Contributor
‎07-22-2020 01:19 PM

Good stuff. I'm going to try this same approach with N-ISAC

0 Helpfuls
Mike_R
Kilo Patron
Kilo Patron
‎09-23-2020 12:17 PM

Hi Liju,

 

Thank you for the detailed instructions. I followed all your steps and was able to generate the 10 Taxii Collections. The collections seem to run with no problems "Successfully completed integration run.  No more data to process at this time." but we do not see new data anywhere.

 

Where is this data stored? With the old setup, the data was going to the Indicators and Observables tables but i don't see any new data with this feed.

0 Helpfuls
Version history
Last update:
‎05-21-2019 07:09 PM
Updated by: