Hybrid Analysis permits access to threat intelligence from an open online community in which users analyze files and URLs for threats. Users share results and utilize research for more effective incident responses. When integrated with ServiceNow Security Operations, the threat intelligence results provide additional insight for security incidents or investigations.
- Automatic threat intelligence lookups on file hashes, IP addresses, and URLs run upon incident creation.
- After the application is configured, the workflow launches automatically, and the Hybrid Analysis lookup execution and completion status are recorded in work notes on the Security Incident form.
- Observables can be looked up manually by attaching them to the Security Incident form and launching workflows.
- Results are displayed under the Threat Lookup Results tab at the bottom of the Security Incident form. Child observables and the raw Hybrid Analysis lookup details are available through the Show IOC link under Related Links.
Changed:
- Migrated workflows to flow designer.
Plugins
The following plugin for Threat Intelligence must be installed and activated:
- com.snc.threat.intelligence plugin for Threat Intelligence
The following Security Incident Response plugins must be installed and activated:
- com.snc.security_support.common
- com.snc.security_incident
- com.snc.intel_sharing.client
- com.snc.secops.orchestration
- com.snc.threat
Permissions and roles
- Role required: System Admin (admin) or Security Admin (sn_si.admin)
Workflow
The security operations integrations capabilities framework, used with the Hybrid Analysis integration, provides a high-level workflow independent from the integration vendor. The workflow performs threat intelligence lookups on selected observables, specifically file hashes, IP addresses, and URLs. The application checks for new observables as they arrive in security incidents. If the observables are of a type recognized by the Hybrid Analysis API integration, the observables are evaluated.
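The type check described above, as an added example that is not the integration's own script include: plain JavaScript that sorts the observables attached to an incident into those eligible for a Hybrid Analysis lookup (hashes, IP addresses, URLs) and those skipped, with a reason suitable for a work note. The exact recognition rules are assumptions; the sample observables are constructed.

```javascript
// Added illustration, not ServiceNow code: decides which new observables the
// lookup workflow should evaluate, based on the page's statement that only
// file hashes, IP addresses and URLs are recognized. Type rules are assumptions.

const HEX_HASH_LENGTHS = { 32: "md5", 40: "sha1", 64: "sha256" };

// Classify one observable value; returns null when the type is not one the
// integration recognizes (e.g. a bare domain or an e-mail address).
function classifyObservable(value) {
  const v = String(value).trim();
  if (/^[0-9a-fA-F]+$/.test(v) && HEX_HASH_LENGTHS[v.length]) {
    return { type: "hash", algorithm: HEX_HASH_LENGTHS[v.length], value: v.toLowerCase() };
  }
  const ipMatch = v.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (ipMatch && ipMatch.slice(1).every((octet) => Number(octet) <= 255)) {
    return { type: "ip", value: v };
  }
  if (/^https?:\/\/\S+$/i.test(v)) {
    return { type: "url", value: v };
  }
  return null;
}

// Given the observables attached to a security incident, return those eligible
// for lookup (deduplicated, hashes normalized to lowercase) and those skipped
// with a reason, so both outcomes can be recorded in work notes.
function selectObservablesForLookup(observables) {
  const eligible = [];
  const skipped = [];
  const seen = new Set();
  for (const raw of observables) {
    const c = classifyObservable(raw);
    if (!c) { skipped.push({ value: raw, reason: "unsupported type" }); continue; }
    const key = c.type + ":" + c.value;
    if (seen.has(key)) { skipped.push({ value: raw, reason: "duplicate" }); continue; }
    seen.add(key);
    eligible.push(c);
  }
  return { eligible, skipped };
}

// Constructed sample observables (not real indicators).
const SAMPLE_OBSERVABLES = [
  "d41d8cd98f00b204e9800998ecf8427e",  // md5
  "D41D8CD98F00B204E9800998ECF8427E",  // same md5, different case: duplicate
  "192.0.2.10",                         // documentation-range IPv4
  "999.1.1.1",                          // not a valid IPv4: skipped
  "http://example.com/download",        // URL
  "example.com",                        // bare domain: not recognized here
];
```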
Components created by the application
Default Hybrid Analysis lookup workflow:
- Threat Lookup–Hybrid Analysis
Script includes:
- HybridAnalysisThreatLookupImplementation