SecOps observables: manual steps guide and scope to automate them?

ashwanikumar
Tera Expert

Hi Team,


Are there any recommended BAU (Business-as-Usual) practices or reference steps that Security team members should follow when handling different types of observables (e.g., IP addresses, file hashes, domains, etc.) in ServiceNow?


Additionally, is it possible to automate the handling of observables within the platform? If so, what modules or capabilities (e.g., workflows, flows, etc.) are best suited for this?


Thanks in advance!

3 REPLIES

ashwanikumar
Tera Expert

Can anyone provide an answer based on their expertise? 

Setting up the VirusTotal integration will give automatic lookup of certain observables (hashes, URLs, IPs). This will benefit the security team by providing updated threat intel and save them the time of doing it manually. I would recommend configuring/customizing the integration not to look up internal observables such as usernames or MAC addresses, as they will never yield anything worthwhile.

It is also beneficial to enable the use of Direction when it comes to IP addresses as observable. An IP address’ source can either be incoming or outgoing, and in my experience this information is not automatically captured in the observable record, but the functionality is supported out of the box. I have edited some of the scripts previously to figure out if the IP address is incoming or outgoing and added that to IP address observables specifically. This also saves the security team time so they don’t have to figure this out manually. 

There is also a script include related to observables where the regex for identifying the type of observable is defined. I would recommend adding a regex check for identifying your company’s/customer’s usernames, so that they are categorised correctly. (I apologize for not being able to link the script includes, but I am currently on vacation and only have my phone.) I also previously added a regex for MAC addresses, as that was strangely missing. I have not checked within the last year whether that is still true, though.

Good luck!

Hello Ashwani, the VirusTotal integration is a simple yet effective way to work with malicious URL-type observables. It runs an OOTB, very detailed threat lookup on all associated observables of type URL on the SIR record.

The threat or vuln management team should provide you/the analyst with the details about malicious or benign IPs, domains, etc., and you can easily automate the handling as per your requirements using simple OOTB subflows in WF Studio.

If I find something else, I will share. Hope this helps.