Getting started with the CrowdStrike Falcon Insight integration

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read

    You can activate and set up the CrowdStrike Falcon Insight integration to interface with your ServiceNow AI Platform instance and the Security Incident Response product.

    Before you begin

    Role required: admin

    Before you can use the CrowdStrike Falcon Insight integration for Security Operations, you must download it from the ServiceNow Store.

    About this task

    Table 1. Checklist (each setup task is followed by its description)
    Assign and verify the required ServiceNow AI Platform and Security Incident Response roles. These roles are required to configure the integration and to verify that it produces the expected results:
    • The admin role installs the integration from the ServiceNow Store and assigns the sn_si.admin role.
    • The sn_si.admin role configures the integration, creates and activates profiles, and then assigns the sn_si.analyst role.
    • The sn_si.analyst role responds to security incidents, launches profiles manually, and can submit requests for actions such as isolating a host or lifting host isolation; these requests are subject to approval when the Require approval option is enabled.
    Verify that the ServiceNow core applications that are required to support the integration are installed and activated before you configure this integration.

    The ServiceNow Integration Hub Enterprise Pack Installer [com.glide.hub.integrations.enterprise] plugin is required. This plugin enables the execution of IntegrationHub actions and flows.

    The Security Incident Response plugin (com.snc.security_incident) is required. This plugin automatically installs all the dependencies that are required to support the Security Incident Response product. Install and activate this plugin before you install and activate the other Security Operations applications that are required by the integration.

    Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If they are not already installed, install and activate each application one at a time, in the following order, so that each application's dependencies are in place before it is installed:

    1. Security Incident Response Dependency (com.snc.si_dep)
    2. Security Integration Framework
    3. Security Support Common
    4. Security Support Orchestration
    5. Threat Intelligence Support Common
    6. Trusted Security Circles
    7. Security Operations Setup Assistant
    8. Security Incident Response
    Set up an approval group.

    An optional approval capability is available for isolating host machines, restoring them to the network, and initiating sightings searches.

    When this option is enabled, host machines are not isolated or restored to your network, and sightings searches are not performed, until a user with the sn_si.admin role approves the request. If you require this extra level of control over these actions, select the Require approval option when you configure the profile. Approval authority is assigned to the user with the sn_si.admin role by default; you can reassign it to an approval group.

    Assign and verify the CrowdStrike Falcon Platform roles. The following roles are required on the CrowdStrike Falcon Platform to configure the integration:
    • The Falcon administrator role is required to view, create, or modify API clients and keys.
    • The Real Time Responder – Administrator and Real Time Responder – Active Responder roles are required for creating and executing custom scripts.
    Verify that the custom script roles and permissions are enabled in the CrowdStrike Falcon Platform. This integration uses CrowdStrike custom scripts for some of its enrichment capabilities.
    • Verify that the Real Time Responder – Administrator and Real Time Responder – Active Responder roles are available.
    • Verify that the Default (Windows) policy is enabled under Configuration > Response Policies in the CrowdStrike Falcon UI.
    • Verify that Real Time Response and Custom Scripts under Real Time Functionality are enabled in the CrowdStrike Falcon UI.
    Generate API clients and keys in the CrowdStrike Falcon Platform. Create the API client in the CrowdStrike Falcon Platform and record its client ID and client secret for use in the ServiceNow AI Platform integration configuration. The secret is shown only once, when the client is created, and the client should be granted only the API scopes the integration needs.
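    The two checklist items that are easiest to get wrong are the ServiceNow plugin and Store application prerequisites and the Falcon API client. The following pre-flight script is an added example, not code from ServiceNow, CrowdStrike, or this integration: it reads the plugin and Store application status through the ServiceNow Table API and then authenticates the Falcon API client with an OAuth2 client-credentials token request, finishing with a read-only hosts query so that a client whose scopes were never ticked fails here rather than inside a ServiceNow flow. It assumes that sys_plugins.active is a choice field whose installed value is the string "active", that sys_store_app.active is a boolean the Table API returns as "true", that the ServiceNow user can read both tables (an admin can), and that the Falcon base URL matches your cloud (https://api.crowdstrike.com, https://api.us-2.crowdstrike.com, https://api.eu-1.crowdstrike.com, and so on). The environment variable names are this example's own choice.

```python
"""Pre-flight checks for the CrowdStrike Falcon Insight integration (added example).

Network calls run only when the environment variables used in main() are set;
the parsing functions run offline against the JSON the two APIs return.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Plugin IDs exactly as the checklist lists them.
REQUIRED_PLUGINS = [
    "com.glide.hub.integrations.enterprise",
    "com.snc.security_incident",
    "com.snc.si_dep",
]
# Store apps are matched by display name; the checklist gives no scope IDs.
REQUIRED_STORE_APPS = [
    "Security Integration Framework",
    "Security Support Common",
    "Security Support Orchestration",
    "Threat Intelligence Support Common",
    "Trusted Security Circles",
    "Security Operations Setup Assistant",
    "Security Incident Response",
]


def _get_json(url, headers, body=None):
    """GET (or POST when a body is given) and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body else "GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def missing_plugins(rows, required=REQUIRED_PLUGINS):
    """rows: 'result' of GET /api/now/table/sys_plugins?sysparm_fields=id,active.
    Assumes sys_plugins.active reads "active" for an installed plugin.
    Returns the required IDs that are absent or not active, in list order."""
    active = {r.get("id") for r in rows if str(r.get("active", "")).lower() == "active"}
    return [p for p in required if p not in active]


def missing_store_apps(rows, required=REQUIRED_STORE_APPS):
    """rows: 'result' of GET /api/now/table/sys_store_app?sysparm_fields=name,active.
    Assumes sys_store_app.active is a boolean serialised as "true"."""
    active = {r.get("name") for r in rows if str(r.get("active", "")).lower() == "true"}
    return [a for a in required if a not in active]


def falcon_token_request(base_url, client_id, client_secret):
    """Build the OAuth2 client-credentials request for POST /oauth2/token."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return base_url.rstrip("/") + "/oauth2/token", headers, body


def parse_falcon_token(reply):
    """Return (bearer token, seconds to expiry); raise if the client was rejected."""
    if "access_token" not in reply:
        raise ValueError("Falcon rejected the API client: %s" % reply.get("errors"))
    return reply["access_token"], int(reply.get("expires_in", 0))


def check_servicenow(instance, user, password):
    """Return (missing plugin IDs, missing Store app names) for one instance."""
    cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    hdr = {"Authorization": "Basic " + cred, "Accept": "application/json"}
    base = "https://%s.service-now.com/api/now/table/" % instance
    plugins = _get_json(base + "sys_plugins?sysparm_fields=id,active&sysparm_limit=10000", hdr)
    apps = _get_json(base + "sys_store_app?sysparm_fields=name,active&sysparm_limit=10000", hdr)
    return missing_plugins(plugins["result"]), missing_store_apps(apps["result"])


def check_falcon(base_url, client_id, client_secret):
    """Authenticate, then probe a read-only hosts query (GET /devices/queries/devices/v1).
    Returns (token TTL in seconds, number of host IDs the probe returned)."""
    url, hdr, body = falcon_token_request(base_url, client_id, client_secret)
    token, ttl = parse_falcon_token(_get_json(url, hdr, body))
    probe = _get_json(base_url.rstrip("/") + "/devices/queries/devices/v1?limit=1",
                      {"Authorization": "Bearer " + token, "Accept": "application/json"})
    return ttl, len(probe.get("resources", []))


if __name__ == "__main__":
    # Example-specific environment variable names, not anything the products define.
    if os.environ.get("SN_INSTANCE"):
        print("ServiceNow missing (plugins, store apps):", check_servicenow(
            os.environ["SN_INSTANCE"], os.environ["SN_USER"], os.environ["SN_PASSWORD"]))
    if os.environ.get("FALCON_CLIENT_ID"):
        print("Falcon (token TTL, hosts seen):", check_falcon(
            os.environ.get("FALCON_BASE_URL", "https://api.crowdstrike.com"),
            os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"]))
```

    Run it from a workstation that can reach both services before you enter the client ID and secret in the ServiceNow profile. An empty pair of lists from the ServiceNow check and a non-zero token TTL from the Falcon check mean the prerequisites above are in place; a ValueError from the token step means the client ID or secret is wrong or the client was created in a different Falcon cloud than the base URL points at.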