TISC playbook templates

  • Release version: Zurich
  • Updated July 31, 2025

This section describes the playbook templates that are shipped with the TISC Sentinel solution.

Table 1. Playbook use cases
The following table describes the various playbook use cases.

Use case: Importing observables from TISC to Sentinel
  • Batch_Indicator_Uploader: Provides the batching mechanism for uploading observables fetched from TISC into Sentinel using the Upload Indicators API provided by Microsoft Sentinel.
  • Import_Observables_Batch: Enables the scheduled import of observables from TISC.

Use case: Export entities from Sentinel to TISC
  • Export_Incident_Entities: Exports all entities of a Sentinel incident.
  • Export_Hash_Entity: Exports the file hash entities of a Sentinel incident.
  • Export_Domain_Entity: Exports the domain entities of a Sentinel incident.
  • Export_IP_Entity: Exports the IP entities of a Sentinel incident.
  • Export_URL_Entity: Exports the URL entities of a Sentinel incident.

Use case: Enrich Sentinel incidents
  • Incident_Enrichment: Enriches a Sentinel incident by fetching details about the entities associated with it and posting that information as comments on the incident.

Note:
All the playbooks use the TISC Custom Connector internally to call the TISC APIs.

    Create playbooks from templates

1. Navigate to the TISC Solution content page from the Content Hub in your Sentinel workspace.
2. For each playbook shown on the content page, do the following:
  1. Select the playbook template. A context pane is displayed on the right-hand side of the screen; click Configuration.
  2. Read the description of the playbook template, including the Prerequisites and Post deployment steps it lists.
  3. Click Deploy custom connector (if you have not already deployed the custom connector).

    Add the ServiceNow instance URL on the Deployment Configuration page.

  4. Click Create Playbook. You are taken to the deployment configuration screen.
  5. In the Create playbook configuration screen:
    • Select the appropriate resource group.
    • Modify the playbook name, or use the default name.
    • In the Parameters section, provide the Custom Connector name (it must match the name of the connector you deployed in the previous step).
    • Click Review and Create.

    Configure Import_Observables_Batch playbook

Make sure the Batch_Indicator_Uploader playbook has been created before you create the Import_Observables_Batch playbook, because Import_Observables_Batch depends on it.
1. Navigate to the Logic App Designer to edit the playbook.
2. Update the Recurrence time (in hours) as required.
3. In the TISC Custom Connector component within the playbook, update the parameters that are sent to the TISC API.
  Parameter Name / Description
  • Observable Type: Select one or more of the supported types:
    • IP
    • File Hash
    • Domain
    • URL
  • Threat Score: The threat score for observables. The value MUST be a number in the range 0-100.
  • Confidence: The confidence for observables. The value MUST be a number in the range 0-100.
  • Reputation: Select one or more of the supported values:
    • Clean
    • Malicious
    • Suspicious
    • Unknown
  • Threat Severity: Select one or more of the supported severity levels:
    • Critical
    • High
    • Medium
    • Low
  • Threat Level: Select one or more of the supported threat levels:
    • High
    • Medium
    • Low
  • Last Updated Delta in Hours: The look-back window, in hours, on the last updated time of observables; only observables updated within this window are fetched. Set it to at least the recurrence interval, otherwise observables updated between two scheduled runs are never imported.
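The following is an added example, not code from the TISC Sentinel solution. It checks a set of Import_Observables_Batch parameters against the constraints in the table above (including the look-back versus recurrence caveat), then turns observables returned by TISC into STIX 2.1 indicator request bodies of the shape the Upload Indicators API accepts, chunked the way Batch_Indicator_Uploader has to chunk them. The TISC record field names (type, value, reputation, threat_score, confidence), the per-request limit of 100 indicators and the sample records are assumptions for illustration; the playbook's connector and the Microsoft documentation define the real ones.

```python
"""Added example: validate Import_Observables_Batch parameters and build
Upload Indicators API batches from (constructed) TISC observables."""
import ipaddress
import uuid
from datetime import datetime, timezone

# Allowed values, copied from the parameter table above.
OBSERVABLE_TYPES = {"IP", "File Hash", "Domain", "URL"}
REPUTATIONS = {"Clean", "Malicious", "Suspicious", "Unknown"}
SEVERITIES = {"Critical", "High", "Medium", "Low"}
THREAT_LEVELS = {"High", "Medium", "Low"}
# Assumption: the Upload Indicators API accepts at most 100 indicators per call.
MAX_INDICATORS_PER_REQUEST = 100


def validate_import_params(params, recurrence_hours):
    """Return a cleaned copy of the playbook parameters or raise ValueError."""
    p = dict(params)
    for key, allowed in (("observable_type", OBSERVABLE_TYPES), ("reputation", REPUTATIONS),
                         ("threat_severity", SEVERITIES), ("threat_level", THREAT_LEVELS)):
        chosen = set(p.get(key, ()))
        if not chosen or not chosen <= allowed:
            raise ValueError(f"{key}: select one or more of {sorted(allowed)}")
        p[key] = sorted(chosen)
    for key in ("threat_score", "confidence"):
        if not isinstance(p.get(key), int) or not 0 <= p[key] <= 100:
            raise ValueError(f"{key} must be a number in the range 0-100")
    delta = p.get("last_updated_delta_hours")
    if not isinstance(delta, int) or delta <= 0:
        raise ValueError("last_updated_delta_hours must be a positive integer")
    # A look-back window shorter than the schedule silently skips observables
    # that were updated between two runs.
    if delta < recurrence_hours:
        raise ValueError("last_updated_delta_hours must not be shorter than the recurrence")
    return p


def _hash_algorithm(value):
    """Infer MD5 / SHA-1 / SHA-256 from the hex digest length; None if not a digest."""
    if not all(c in "0123456789abcdefABCDEF" for c in value):
        return None
    return {32: "MD5", 40: "SHA-1", 64: "SHA-256"}.get(len(value))


def stix_pattern(obs_type, value):
    """Build the STIX 2.1 pattern for one observable of a supported type."""
    lit = value.replace("\\", "\\\\").replace("'", "\\'")  # escape the STIX string literal
    if obs_type == "IP":
        ip = ipaddress.ip_address(value)  # ValueError on anything that is not an IP
        return f"[ipv{ip.version}-addr:value = '{value}']"
    if obs_type == "Domain":
        return f"[domain-name:value = '{lit.lower()}']"
    if obs_type == "URL":
        return f"[url:value = '{lit}']"
    if obs_type == "File Hash":
        alg = _hash_algorithm(value)
        if alg is None:
            raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value}")
        return f"[file:hashes.'{alg}' = '{value.lower()}']"
    raise ValueError(f"unsupported observable type: {obs_type}")


def to_stix_indicator(obs, now):
    """Map one TISC observable to a STIX indicator. The id is derived from the
    observable value so that re-importing updates instead of duplicating."""
    ident = uuid.uuid5(uuid.NAMESPACE_URL, f"tisc:{obs['type']}:{obs['value'].lower()}")
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{ident}",
        "created": now, "modified": now, "valid_from": now,
        "name": f"TISC {obs['reputation']} {obs['type']}: {obs['value']}",
        "pattern": stix_pattern(obs["type"], obs["value"]), "pattern_type": "stix",
        "confidence": obs["confidence"],
        "labels": [obs["reputation"].lower(), f"tisc-threat-score-{obs['threat_score']}"],
    }


def build_upload_batches(observables, source_system="TISC", now=None,
                         batch_size=MAX_INDICATORS_PER_REQUEST):
    """Split the indicators into request bodies of at most batch_size each."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    indicators = [to_stix_indicator(o, now) for o in observables]
    return [{"sourcesystem": source_system, "indicators": indicators[i:i + batch_size]}
            for i in range(0, len(indicators), batch_size)]


# Constructed sample data, not real TISC records.
SAMPLE_OBSERVABLES = [
    {"type": "IP", "value": "203.0.113.7", "reputation": "Malicious", "threat_score": 90, "confidence": 85},
    {"type": "IP", "value": "2001:db8::1", "reputation": "Suspicious", "threat_score": 60, "confidence": 50},
    {"type": "Domain", "value": "Bad.Example.NET", "reputation": "Malicious", "threat_score": 80, "confidence": 70},
    {"type": "URL", "value": "http://bad.example.net/it's", "reputation": "Malicious", "threat_score": 80, "confidence": 70},
    {"type": "File Hash", "value": "D41D8CD98F00B204E9800998ECF8427E", "reputation": "Unknown", "threat_score": 10, "confidence": 30},
]
SAMPLE_PARAMS = {
    "observable_type": ["IP", "Domain", "URL", "File Hash"], "threat_score": 50, "confidence": 50,
    "reputation": ["Malicious", "Suspicious"], "threat_severity": ["Critical", "High"],
    "threat_level": ["High", "Medium"], "last_updated_delta_hours": 24,
}

if __name__ == "__main__":
    validate_import_params(SAMPLE_PARAMS, recurrence_hours=12)
    for body in build_upload_batches(SAMPLE_OBSERVABLES, batch_size=2):
        print(len(body["indicators"]), [i["pattern"] for i in body["indicators"]])
```

The deterministic indicator id is the design choice worth copying into a real playbook: Sentinel matches uploads on the STIX id, so a random id per run would create a new indicator every time the schedule fires.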

    Configure Export_Incident_Entities playbook

    This playbook uses TISC Add observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/add_observables.

You can follow the same procedure for each of the following playbooks, which export different entity types:
    • Export_Hash_Entity
    • Export_Domain_Entity
    • Export_IP_Entity
    • Export_URL_Entity
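The following is an added example, not code from the TISC Sentinel solution. It shows the entity-selection step that sits in front of the Add observables call in the export playbooks: pulling the relatedEntities out of a Sentinel incident payload, keeping only the kinds a given exporter handles (all four for Export_Incident_Entities, one for the entity-specific playbooks), normalising and de-duplicating them, and dropping internal IP addresses that would only pollute TISC. The Sentinel entity kinds and property names (Ip/address, DnsResolution/domainName, Url/url, FileHash/hashValue) are taken from the Sentinel incident entity schema as I know it; the request-body keys for POST /sn_sec_tisc/threat_intel_data/add_observables are placeholders, because the page does not document them, and the incident is constructed.

```python
"""Added example: select and normalise Sentinel incident entities before
sending them to the TISC Add observables API."""
import ipaddress

# Sentinel entity kind -> (TISC observable type, property holding the value).
ENTITY_KINDS = {
    "Ip": ("IP", "address"),
    "DnsResolution": ("Domain", "domainName"),
    "Url": ("URL", "url"),
    "FileHash": ("File Hash", "hashValue"),
}
# Addresses that never belong in shared threat intel: RFC 1918, loopback,
# link-local and their IPv6 equivalents. Extend with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_exportable_ip(value):
    """True for a syntactically valid address outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_observables(incident, kinds=None):
    """Return the exportable observables of an incident, de-duplicated and in
    incident order. kinds limits the TISC types, e.g. {"File Hash"} for
    Export_Hash_Entity; None keeps all four (Export_Incident_Entities)."""
    seen, out = set(), []
    for ent in incident["properties"].get("relatedEntities", []):
        mapping = ENTITY_KINDS.get(ent.get("kind"))
        if mapping is None:
            continue  # Host, Account, Process and friends have no TISC observable type
        obs_type, prop = mapping
        if kinds is not None and obs_type not in kinds:
            continue
        props = ent.get("properties") or {}
        value = props.get(prop)
        if not value:
            continue
        if obs_type == "IP" and not is_exportable_ip(value):
            continue
        if obs_type == "Domain":
            value = value.lower().rstrip(".")  # case-fold and strip the trailing dot
        if obs_type == "File Hash":
            value = value.lower()
        if (obs_type, value) in seen:
            continue
        seen.add((obs_type, value))
        obs = {"type": obs_type, "value": value}
        if obs_type == "File Hash" and props.get("algorithm"):
            obs["algorithm"] = props["algorithm"]
        out.append(obs)
    return out


def add_observables_body(incident, kinds=None):
    """Request body for the Add observables API. The keys "source" and
    "observables" are placeholders; use the ones from the TISC API reference."""
    return {"source": f"sentinel-incident-{incident['properties']['incidentNumber']}",
            "observables": extract_observables(incident, kinds)}


# Constructed sample incident, shaped like the Sentinel incident trigger payload.
SAMPLE_INCIDENT = {"name": "constructed-incident", "properties": {
    "incidentNumber": 42, "title": "Constructed test incident",
    "relatedEntities": [
        {"kind": "Ip", "properties": {"address": "10.0.0.5"}},
        {"kind": "Ip", "properties": {"address": "198.51.100.20"}},
        {"kind": "Host", "properties": {"hostName": "ws-01"}},
        {"kind": "DnsResolution", "properties": {"domainName": "Evil.Example.COM."}},
        {"kind": "DnsResolution", "properties": {"domainName": "evil.example.com"}},
        {"kind": "Url", "properties": {"url": "http://evil.example.com/payload"}},
        {"kind": "FileHash", "properties": {"algorithm": "SHA256",
         "hashValue": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"}},
    ]}}

if __name__ == "__main__":
    print(add_observables_body(SAMPLE_INCIDENT))
    print(add_observables_body(SAMPLE_INCIDENT, kinds={"File Hash"}))
```

In a Logic App the same filtering can be expressed with a Filter array action on the relatedEntities output before the connector action; the point is that Export_Incident_Entities pushes every entity it is given, so the decision about what is worth sharing has to be made before the call.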

    Configure Incident_Enrichment playbook

    This playbook uses TISC Observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/observables.

    Run playbooks

The following table describes how to run each playbook.
Playbook / Action
  • Import_Observables_Batch: Runs automatically at the scheduled time set in its recurrence trigger.
  • Export_Incident_Entities: On a Sentinel incident, select Incident Actions > Run Playbook.
  • Export_Hash_Entity: On a Sentinel incident, select the File hash entity > Run Playbook.
  • Export_Domain_Entity: On a Sentinel incident, select the Domain entity > Run Playbook.
  • Export_IP_Entity: On a Sentinel incident, select the IP entity > Run Playbook.
  • Export_URL_Entity: On a Sentinel incident, select the URL entity > Run Playbook.
  • Incident_Enrichment: On a Sentinel incident, select Incident Actions > Run Playbook.