Eliz Skogquist
ServiceNow Employee

On June 12 & 13, Tim Boswell, Sr. Outbound Product Manager, SecOps, and I were excited to share the uniqueness of the new Threat Intelligence Security Center (TISC) solution. The webinar highlights how you can include threat data for threat investigation, threat hunting, and threat research, prioritize your cyber defenses, and conduct threat intel case management. The solution allows the Incident Responders who work in Security Incident Response to have their case management separate from the Cyber Threat Team's case management. However, information is easily shared between the solutions, and they are configured to do so out of the box.

 

The agenda:

  • TISC in the Platform
  • TISC Uniqueness
  • TISC Setup
  • TISC Demonstration

The recording is available here:



The demo shared during the webinar can be viewed here.

 

Resource Links 

 

ServiceNow Documentation (docs.servicenow.com) 

Threat Intelligence Security Center

Set up Threat Intelligence Security Center

 

Community (servicenow.com/Community)

TISC is GA

 

A PDF version of the slides is attached below.

 

The Q&A from the sessions:

| Question | Answer |
|---|---|
| How do we configure the transform logic for unstructured data? Does the new information create new columns on the TISC product? | This can be done by defining custom parsers and mapping data to the TISC data model as part of the transformation logic. It is always possible to customize the model in ServiceNow if new columns are required. |
| What controls can we place on the Threat Intelligence import? The import is available for the analyst role, but would that open up imports/data sources access for the analyst? | The imports are open to analysts, but there is an approval policy that can be enabled to route the imports for approval before processing. This is available to enable and configure under administration. Also, data sources configuration is available only for the TI admin role. |
| I don't entirely understand the relationship between TI in SIR vs TI in TISC. They are complementary? In what way? | Security Incident Response (SIR) is an application intended for Incident Responders. The Threat Intelligence plugin is added to find Indicators of Compromise and enrich security incidents with Threat Intelligence. The Threat Intelligence Security Center is an application for the Threat Analysts and Threat Hunters, for managing their cases and tasks. They are separate scoped applications, each with their own tables. |
| Does SIR w/TI and TISC have the same backend content? | No. The observable tables are specific to the applications. |
| Does SIR w/TI and TISC have the same base tables? | No. The tables are separate, but data is synced as part of the SIR + TISC integration. |
| Is the TISC license included in Professional? | No, TISC is not included with SIR Professional. TISC is included with SIR Enterprise, or it can be acquired standalone without SIR. |
| Would TISC be considered a TIP? | Yes, and more than a TIP, as it has other capabilities. |
| Can TISC be integrated into a SIEM? If so, which ones? | Yes, we currently have an out-of-the-box integration with Splunk, but an integration with any SIEM can be created. |
| Does TISC support playbooks? | TISC does not yet have playbooks specific to the TISC application; however, playbooks and flows within ServiceNow can trigger actions within TISC, pull data from TISC, send data to TISC, etc. Automated workflows and playbooks are also on our roadmap for later this year in upcoming releases and versions. |
Last update: 06-28-2024 08:32 AM