TISC Enrichment Integrations

  • Release version: Xanadu
  • Updated August 1, 2024
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TISC Enrichment Integrations

    The Threat Intelligence Security Center (TISC) base system does not include pre-configured integrations. Customers must install and configure both ServiceNow and third-party app integrations to access enrichment capabilities such as observables, sighting searches, and threat lookups. Only installed integrations are available for use and configuration.

    All Integration Configurations

    TISC integrations are managed as separate applications that customers need to install. Once installed, these integrations can be activated and configured through the All Integrations view in the Threat Intelligence Security Center workspace.

    • Visibility: Enrichment sections (Observable Enrichment, Sighting Search, Threat Lookup) appear only if corresponding integrations are installed.
    • Access: Navigate to Workspaces > Threat Intelligence Security Center > Integrations > Enrichment Integrations > All Integrations to view and manage integrations.

    Actions in the All Integrations View

    The All Integrations interface enables customers to:

    • Filter integrations by status: All, Enabled, Disabled, or Draft.
    • Switch between card and list views for easier management.
    • Refresh the page to see updated configurations.
    • Sort integrations by last modified date or name.
    • Search for integrations within the catalog by name or description.

    Configuring New Enrichment Integrations

    New enrichment integrations can be configured either from the All Integrations view or directly within the specific enrichment sections. The process involves:

    1. Selecting the enrichment type: Observable Enrichment, Sighting Search, or Threat Lookup.
    2. Choosing the desired integration from the available list.
    3. Completing the Create New Enrichment Integration form, which includes:
       • Name: Unique identifier for the integration.
       • Vendor Name: Pre-filled based on the selected integration.
       • Integration Type: Pre-filled and indicates the enrichment type.
       • Description: Optional unique description.
       • Integration Configuration: Details like API keys, client IDs, secrets, usernames, and passwords specific to the vendor.

    After filling in the details, the configuration can be saved, saved as a draft if details are incomplete, or enabled directly. Enabling activates the integration for use. Customers can later enable, disable, or delete integrations from the Actions menu on each integration card.

    Specific Enrichment Types

    • Observable Enrichment: Enables threat intelligence enrichment on observables to identify associations with known threats. The active implementations depend on the activated integrations.
    • Sighting Search: Supports threat sighting lookups through TISC Sighting Search and Elastic Search integrations.
    • Threat Lookup: Integrations such as VirusTotal and CrowdStrike Falcon perform malware scans and threat lookups on observables recognized by these vendors, returning relevant threat intelligence results.

    Practical Benefits for ServiceNow Customers

    By installing and configuring these integrations, ServiceNow customers can enhance their threat intelligence capabilities within the TISC environment. This enables automated enrichment of observables, efficient searching for threat sightings, and comprehensive threat lookups from multiple trusted third-party sources. Proper configuration and management of these integrations ensure that customers gain timely and actionable security insights directly within ServiceNow.

    The Threat Intelligence Security Center base system does not include any pre-configured integrations. This section provides instructions for configuring both ServiceNow and third-party integrations.

    Important:

    Make sure that you’ve installed the required third-party app integrations. You can see the observables, sighting search, and threat lookup details only for the third-party apps that are installed.

    All Integration Configurations

    All the integrations are separate applications that need to be installed. TISC supports integrations with third-party vendors. Any installed integration can be configured here.

    This section displays cards for each of the configured integration implementations that you can activate and use.

    Each enrichment type’s section is visible only if at least one corresponding integration for that enrichment type is installed. For example, the Threat Lookup section is visible under Enrichment Integrations only if at least one Threat Lookup integration is installed.

    The configured integration cards can be viewed by navigating to Workspaces > Threat Intelligence Security Center > Integrations > Enrichment Integrations > All Integrations.

    Threat Intelligence integrations

    Actions on the All Integrations view

    The All Integrations view enables you to perform the following actions.
    Table 1. Actions on All Integrations view
    Action | Description
    All | Use this dropdown menu to filter integrations based on their current state. You can filter based on the following states:
      • All: Displays all the integrations on the page. This is the default option.
      • Enabled: Displays all the integrations that are in an enabled state.
      • Disabled: Displays all the integrations that are in a disabled state.
      • Draft: Displays all the integrations that are in a draft state.
    Card view | Use this action to view all the integrations in the form of cards.
    List view | Use this action to view all the integrations in the form of lists.
    Refresh | Use this action to refresh the All Integrations page.
    Sort | Use this action to sort all the integrations based on the following:
      • Last Modified (recent)
      • Last Modified (oldest)
      • Name (A-Z)
      • Name (Z-A)
    Search in catalog | Use this action to search for configured integrations based on name and description within the catalog.

    Configure new enrichment from All Integrations view

    You can configure new enrichments from the All Integrations view or directly from the Observable Enrichment, Sighting Search, or Threat Lookup sections. To configure a new enrichment from the All Integrations view, perform the following steps.
    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click the Integrations icon, and select the All Integrations section.

      Configure new enrichment from All Integrations view

    3. Click the Configure new enrichment action.

      The Configure new enrichment pop-up appears with three enrichment types: Observable Enrichment, Sighting Search, and Threat Lookup. Choose the type of enrichment that you want to configure.

      Configure the enrichment type

    4. Select an enrichment type, and click Next.

      This takes you to the pop-up that displays the available integrations. You need to choose the integration you want to configure.

    5. Select an integration from the list of available integrations, and click Select.

      This takes you to the Create New Enrichment Integration page of the selected integration, for example, the WHOIS integration. This page is pre-filled with details of the selected integration by default.

    6. On the Create New Integration form, fill in the fields.
      Table 2. Configure the new enrichment integration form
      Field | Description
      Name | Enter a name for the new enrichment integration. For example, WHOIS1.
      Vendor Name | Name of the vendor. The details of the selected vendor are pre-filled by default. For example, WHOIS.
      Integration Type | Type of integration that you selected. For example, Observable Enrichment. The details of the selected integration type are pre-filled by default. The following Integration Types are supported:
        • Observable Enrichment
        • Sighting Search
        • Threat Lookup
      Description | Enter a unique description for the new enrichment integration.
    7. In the Integration Configuration section, configure the integration details based on your requirements.

      The Integration Configuration section includes configuration details like API key, API Client ID or secret, username, password, and so on, which you need to fill in. These configuration details vary for different integrations.

    8. Click the Save action to store and create the enrichment integration configuration.

      The provided details are validated, and by default the enrichment integration's status is disabled.

    9. (Optional) Click the Save as Draft action to store the integration configuration as a draft only. Users cannot enable an integration while it is saved as a draft.

      If you're not sure about the configuration details, you can use the Save as Draft option. After you get the configuration details, you can fill the remaining information in the draft version and create it.

    10. To enable the enrichment integration, click Enable.

      The enrichment integration is enabled successfully.

    11. You can also enable, disable, or delete a particular enrichment integration by using the Actions menu of the required integration tile on the Catalog page or the Enrichment Integrations page.