Threat Intelligence observable enrichment issue
‎06-22-2022 08:26 AM
Hi All,
So I'm getting Security Operations set up and running into an issue with threat intelligence and observable enrichment.
I have our IoC getting data from various sources, and I have activated the workflows for automated phishing template and user-reported phishing email to incident creation. However, when all the processes kick off and the flows run, the observables are not being enriched, no threat lookup information is being shown, and I'm getting the error below. I've done some searching around but have not been able to pinpoint my issue. Has anyone ever had this issue, and if so, could you lend a fellow admin a hand? Many thanks as always; I appreciate all of your time.
Workflow Security Operations Integration - Threat Lookup execution failed.
Failure reason: No configured capability implementations
Labels: Threat Intelligence
‎06-23-2022 12:35 AM
Hi Chad,
Capability and implementation concepts can get complicated so let me first explain them briefly.
Capability: Threat Lookup.
Capability Implementation: the individual Threat Lookup integrations you configure, for example Virustotal, haveibeenpwned, shodan, etc.
What I am understanding from the error message above is you have configured the Capability but you didn't configure a capability implementation. Have you installed any of the integration plugins I mentioned above?
Most of these capability implementations (individual integrations) have commercial and free offerings. What I recommend is:
1. Create a free account on Virustotal
2. Install the Virustotal store app on your ServiceNow instance
3. Configure the Virustotal integration on ServiceNow with the public API key you get from your account.
4. Test again.
Hopefully you will be able to see the Threat Lookup results.
FYI, the Virustotal free tier is quite limited and may not be suitable for production use.
Hope it helps!
Fatih.
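The capability / capability-implementation split Fatih describes, as an added conceptual model in Python (this is not ServiceNow's own code; the class names, the `constructed_lookup` source and its feed data are assumptions): a capability with no registered implementation fails with the same failure reason as in the original post, while a registered implementation produces enrichment results for each observable.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# An implementation takes (observable type, value) and returns a verdict dict, or None if it cannot handle that type.
LookupFn = Callable[[str, str], Optional[dict]]


def classify(value: str) -> str:
    # Rough observable typing: SHA-256 hash, IPv4 address, otherwise domain.
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "sha256"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return "ipv4"
    return "domain"


@dataclass
class Capability:
    name: str
    implementations: Dict[str, LookupFn] = field(default_factory=dict)

    def run(self, observable: str) -> List[dict]:
        # The state behind the error in the post: the capability exists, but no integration fulfils it.
        if not self.implementations:
            raise RuntimeError(f"Workflow {self.name} execution failed. "
                               "Failure reason: No configured capability implementations")
        kind = classify(observable)
        results = []
        for source, fn in self.implementations.items():
            verdict = fn(kind, observable)
            if verdict is not None:  # source declined this observable type
                results.append({"source": source, "type": kind, **verdict})
        return results


# Constructed, offline stand-in for a reputation feed (hypothetical data); a real integration queries the vendor API.
_CONSTRUCTED_FEED = {
    "ipv4": {"203.0.113.7": 9},      # TEST-NET-3 address, flagged only in this fake feed
    "domain": {"phish.example": 7},  # reserved documentation TLD
}


def constructed_lookup(kind: str, value: str) -> Optional[dict]:
    if kind not in _CONSTRUCTED_FEED:
        return None  # this fake source does not cover file hashes
    score = _CONSTRUCTED_FEED[kind].get(value, 0)
    return {"malicious_score": score, "malicious": score >= 5}


def try_enrich(capability: Capability, observable: str) -> dict:
    try:
        return {"results": capability.run(observable)}
    except RuntimeError as exc:
        return {"error": str(exc)}
```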