Sebastiaan
ServiceNow Employee

In this article I will walk through an example showing how Flow Designer subflows can be used to create custom REST API threat intel enrichments and execute them from a UI Action button.

The end goal of this configuration is to have a ThreatGrid Lookup UI action button on the Security Incident Form which:

  1. Searches the related URL or Domain type observables;
  2. Performs a lookup of these in ThreatGrid;
  3. Parses the results back into the Threat Lookup Results table.

The configuration of this example includes the following building blocks:

  1. Flow Designer SubFlow
  2. Flow Designer Action
  3. Threat Intel Enrichment Mapping Table
  4. UI Action

1. Flow Designer SubFlow

Flow Designer subflows can be used without triggers, allowing you to call them from other flows or from an external trigger such as a UI action button.

1.1. Configuration of "Subflow" and "Lookup Records" action


1.2. Configuration of "For Each" and "Look Up Record" action


2. Flow Designer Action

Now that the subflow is configured, we must create an action that performs the REST API call, retrieves the results and reshapes the values so they are ready to be inserted into the Threat Lookup Results table.

2.1. Configuration of action input variables


2.2. Configuration of REST step


2.3. Configuration of Script input variables


2.4. Configuration of Script


Used code:

(function execute(inputs, outputs) {

    // Obtain the response body and parse it
    var responseBody = JSON.parse(inputs.responsebody);

    // Any status other than 200: surface the error ThreatGrid returned and stop
    if (inputs.status != 200) {
        var errorMsg = responseBody.error.message;
        var errorDetail = responseBody.error.detail;
        throw new Error('Error retrieving threat grid. Message: ' + errorMsg + ' Details: ' + errorDetail);
    }

    // Obtain current_item_count; one or more items means ThreatGrid knows the domain
    var result = responseBody.data.current_item_count;
    var finding = (result >= 1) ? 'Malicious' : 'Unknown';

    var id = inputs.observable_id.toString();                                       // observable sys_id
    var url = 'https://panacea.threatgrid.com/mask/domains/' + inputs.domain_value; // observable value turned into the ThreatGrid URL
    var record_id = inputs.task_id;                                                 // security incident sys_id
    var record_table = 'task';                                                      // reference table

    // Add the observable sys_id, finding and url to the REST response body.
    // The fields are set on the parsed object and serialised with JSON.stringify,
    // so the result is always valid JSON (plain string concatenation left
    // sys_id and finding unquoted).
    responseBody.sys_id = id;
    responseBody.finding = finding;
    responseBody.url = url;
    var response_content = JSON.stringify(responseBody);

    var enrichment_mapping_id = '026db246db7537000b3b5414dc961958'; // enrichment map for ThreatGrid (sys_id on this instance)
    var domain_id = 'global';                                       // domain for domain-separated environments
    var ref_value = null;                                           // reference value
    var ref_table = 'null';                                         // reference table

    // Execute the Threat Intel enrichment script include with the variables above
    var util = new sn_sec_cmn.EnrichmentDataUtil(domain_id);
    var enrichmentId = util.createEnrichmentRecordsForRecord(record_id, record_table, response_content, enrichment_mapping_id, 'Workflow', ref_value, ref_table);

})(inputs, outputs);
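As an added example (not the article's own code), the decision logic of the script step above pulled out into plain functions that run outside the instance, so the error path and the "no hits" path can be unit-tested before the action is deployed; it also accepts `status` as a string and rejects a body that is not JSON. The sample responses are constructed, and the function names, `demo` and the URL constant are assumptions of this example.

```javascript
// Base of the ThreatGrid domain URL used in the script step (the only ThreatGrid
// URL the article shows); everything else here is assumed for the example.
var THREATGRID_DOMAIN_URL = 'https://panacea.threatgrid.com/mask/domains/';

// Decide the finding from a ThreatGrid lookup. Accepts status as a number or a
// string (REST step outputs may arrive as strings) and gives a clear error for
// a non-JSON body, which a bare JSON.parse would turn into a SyntaxError.
function classifyThreatGridResponse(status, responseBody) {
  var body;
  try {
    body = JSON.parse(responseBody);
  } catch (e) {
    throw new Error('ThreatGrid returned a non-JSON body (HTTP ' + status + ')');
  }
  if (Number(status) !== 200) {
    var err = (body && body.error) || {};
    throw new Error('Error retrieving threat grid. Message: ' + err.message + ' Details: ' + err.detail);
  }
  var count = body.data && Number(body.data.current_item_count);
  return { count: count || 0, finding: count >= 1 ? 'Malicious' : 'Unknown', body: body };
}

// Build the JSON handed to EnrichmentDataUtil.createEnrichmentRecordsForRecord:
// the parsed response plus sys_id, finding and url, serialised as valid JSON.
function buildEnrichmentContent(observableId, domainValue, classified) {
  var content = {
    sys_id: String(observableId),
    finding: classified.finding,
    url: THREATGRID_DOMAIN_URL + encodeURIComponent(domainValue)
  };
  Object.keys(classified.body).forEach(function (k) { content[k] = classified.body[k]; });
  return JSON.stringify(content);
}

// Constructed samples, shaped like the fields the script step reads (data.current_item_count, error.message/detail).
var SAMPLE_HIT = JSON.stringify({ api_version: 2, data: { current_item_count: 3, items: [] } });
var SAMPLE_ERROR = JSON.stringify({ error: { message: 'Unauthorized', detail: 'bad api key' } });

// Run the happy path end to end and return the payload as an object.
function demo() {
  var classified = classifyThreatGridResponse('200', SAMPLE_HIT);
  return JSON.parse(buildEnrichmentContent('abc123', 'example.com', classified));
}
```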

 

3. Adding action to Subflow

After creating the action it can be added to the subflow.


4. Configuring an Enrichment Map for parsing results

In order to parse the JSON response into the required target table (sn_ti_lookup_results), SecOps provides Enrichment Data Mappings. These mappings are similar to platform transform maps, allowing you to configure which data fields you would like to be populated and how.

The enrichment maps are referenced by the "sn_sec_cmn.EnrichmentDataUtil" script include.


 

5. Configuration of UI action

When the subflow, action & enrichment map are configured, the last step is to configure the UI Action Button.  

To call the subflow in a UI action you must first modify the security settings of the flow:


After this you can copy the required client-side or server-side code and use it within a UI action, Business Rule, etc. In this case we will be using the server-side code:


Now let's create a new UI action on the sn_si_incident table as shown below:


 

6. Setup Results 

6.1. Security incident with Lookup Button available


6.2. Related observables


6.3. When clicking the ThreatGrid button, new Threat Lookup Results are added


6.4. Example of information retrieved from ThreatGrid

Comments
sajal
Kilo Contributor

Thank you Sebastiaan!!!

Your knowledge is amazing.

Version history
Last update:
06-25-2019 08:18 AM