TISC playbook templates

  • Release version: Yokohama
  • Updated January 30, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TISC playbook templates

    The TISC playbook templates, included with the TISC Sentinel solution, enable ServiceNow customers to efficiently integrate and automate threat intelligence workflows between TISC and Microsoft Sentinel. These playbooks facilitate importing observables into Sentinel, exporting incident entities back to TISC, and enriching Sentinel incidents with additional intelligence, all leveraging the TISC Custom Connector to interact with TISC APIs.

    Show full answer Show less

    Key Features

    • Importing Observables:
      • BatchIndicatorUploader: Batches and uploads observables from TISC to Sentinel using Microsoft Sentinel’s Upload Indicators API.
      • ImportObservablesBatch: Enables scheduled export of observables from TISC with configurable recurrence.
    • Exporting Entities from Sentinel to TISC: Playbooks to export different entity types associated with Sentinel incidents, including:
      • Incident entities
      • File hash entities
      • Domain entities
      • IP entities
      • URL entities
    • Incident Enrichment: Enrich Sentinel incidents by fetching detailed information about associated entities and posting it as comments on the incident.
    • Custom Connector Dependency: All playbooks utilize the TISC Custom Connector to communicate with TISC APIs, requiring deployment and configuration with the ServiceNow instance URL.

    Configuration and Deployment

    • Create playbooks from the TISC Solution content page in Sentinel’s Content Hub by selecting templates and deploying the TISC Custom Connector if not already done.
    • During playbook creation, configure parameters such as resource group, playbook name, and Custom Connector name.
    • ImportObservablesBatch requires prior creation of BatchIndicatorUploader and allows customization of parameters like observable types (IP, file hash, domain, URL), threat score, confidence, reputation, threat severity and level, and last updated delta time.
    • Export playbooks can be customized via Logic App Designer to modify parameters sent to TISC’s Add Observables API.
    • The Incident Enrichment playbook can be configured to adjust parameters sent to the TISC Observables API.

    Running Playbooks

    • ImportObservablesBatch: Runs automatically on a scheduled recurrence defined in the playbook trigger.
    • Export playbooks and Incident Enrichment: Manually executed on Sentinel incidents or specific incident entities via the Sentinel UI by selecting “Run Playbook” under Incident Actions or entity-specific actions.

    This section describes the playbook templates that are shipped with TISC Sentinel solution.

    Table 1. Playbook use casesThe following table describes the various playbook use cases.
    Use case Playbook Description
    Importing Observables from TISC to Sentinel Batch_Indicator_Uploader Provides batching mechanism for exporting observables from TISC using Upload Indicators API provided by Microsoft Sentinel.
    Import_Observables_Batch Enables scheduled export of observables from TISC.
    Export entities from Sentinel to TISC Export_Incident_Entities Export all entities of a Sentinel incident.
    Export_Hash_Entity Export file hash entities of Sentinel incident.
    Export_Domain_Entity entities Export domain entities of Sentinel incident.
    Export_IP_Entity Export IP entities of Sentinel incident.
    Export_URL_Entity Export URL entities of Sentinel incident.
    Enrich Sentinel incidents Incident_Enrichment Enables enrichment of Sentinel incidents by fetching details related to entities associated with it and posting information in the form of comments on the incident.
    Note:
    All the playbooks use TISC Custom Connector internally to use TISC APIs.

    Create playbooks from templates

    1. Navigate to TISC Solution content page from the Content Hub in Sentinel Workspace.
    2. For each playbook shown in the contents page, do the following:
      1. Select the playbook template, a context pane is displayed in the right hand side of the screen, click Configuration.
      2. Read the description of the playbook template, go through the Prerequisites and Post deployment steps mentioned in the description.
      3. Click on Deploy custom connector (if you haven't already deployed the custom connector).

        Add the ServiceNow instance URL on the Deployment Configuration page.

      4. Click Create Playbook, you would be taken to the deployment configuration screen
      5. In the Create playbook configuration screen:
        • Select the appropriate resource group.
        • Modify the playbook name, or use the default name.
        • Provide the Custom Connector name (make sure this matches with name of the connector you deployed in previous step) in the Parameters section.
        • Click Review and Create.

    Configure Import_Observables_Batch playbook

    Make sure to create Batch_Indicator_Uploader playbook before the Import_Observables_Batch playbook is created.
    1. Navigate to Logic App Designer to edit the playbook.
    2. Update the Recurrence time (in hours) as required.
    3. From the TISC Custom Connector component within the playbook, update the parameters that are sent to TISC API.
      Parameter Name Description
      Observable Type Following are the supported types, select one or more:
      • IP
      • File Hash
      • Domain
      • URL
      Threat Score Enter the threat score for observables. The threat score value MUST be a number in the range of 0-100.
      Confidence Enter the confidence for observables.

      The confidence value MUST be a number in the range of 0-100.
      Reputation Following are the supported values, select one or more:
      • Clean
      • Malicious
      • Suspicious
      • Unknown
      Threat Severity Following are the supported severity levels, select one or more:
      • Critical
      • High
      • Medium
      • Low
      Threat Level Following are the supported threat levels, select one or more:
      • High
      • Medium
      • Low
      Last Updated Delta in Hours The last updated time(in hours) for observables.

    Configure Export_Incident_Entities playbook

    This playbook uses TISC Add observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/add_observables.

    You can follow the same procedure for all the below listed playbooks which export different types of entities:
    • Export_Hash_Entity
    • Export_Domain_Entity
    • Export_IP_Entity
    • Export_URL_Entity

    Configure Incident_Enrichment playbook

    This playbook uses TISC Observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/observables.

    Run playbooks

    The following table describes how you can run the following playbooks.
    Playbook Action
    Import_Observables_Batch This playbook runs automatically based on the scheduled time which is mentioned in the recurrence trigger.
    Export_Incident_Entities On a Sentinel incident, select Incident Actions > Run Playbook for execution.
    Export_Hash_Entity On a Sentinel incident, select File hash entity > Run Playbook for execution.
    Export_Domain_Entity On a Sentinel incident, select Domain entity > Run Playbook for execution.
    Export_IP_Entity On a Sentinel incident, select IP entity > Run Playbook for execution.
    Export_URL_Entity On a Sentinel incident, select URL entity > Run Playbook for execution.
    Incident_Enrichment On a Sentinel incident, select Incident Actions > Run Playbook for execution.