ThreatStream provides a bidirectional integration with ServiceNow, which enables users to easily make use of ThreatStream’s enriched and contextualized database of threat intelligence as part of their Incident Response workflow. Features include:
- Create or update ServiceNow security incidents from ThreatStream investigations, including observable details, descriptions and associations like Threat Actors, Campaigns and more.
- Create or update ThreatStream investigations from ServiceNow security incidents, including descriptions, priority, and associated observables.
- Export observables from ServiceNow to ThreatStream for inclusion in other investigations, workflows, and for downstream dissemination to other security tools.
- When new observables are added to an incident, ServiceNow will automatically carry out Threat Lookup and Observable Enrichment against these observables.
- Add ThreatStream as a Threat Lookup source, enabling ServiceNow observables to be marked as Malicious based on their corresponding confidence score in ThreatStream.
- Enrich ServiceNow Observables with actionable threat intel data from ThreatStream to provide additional context.
- Observables within ServiceNow can be exported to ThreatStream, allowing for quick sharing of intelligence between the two platforms.
- Create or update ThreatStream Investigations from ServiceNow Security Incidents with the click of a button.
ServiceNow Integration v1.3.07 fixes an issue in the previous version.
- INTS-12989: There was an issue with Threat Lookup that returned incorrect results for observables whose value contained spaces. FIX: This issue is fixed in this version.
Product:
- Security Operations
Plugins:
- Security Incident Response
- Threat Intelligence
- Threat Intelligence Support Common
Permissions:
- sn_si.basic
- sn_ti.read
- snc_platform_rest_api_access (required for cases when Table API ACL is active)