Reduce threat analysis time using automation

  • Release version: Australia
  • Updated 12 March 2026
    Security incident triage and analysis are necessary steps for weeding out false positives during the threat response process, and for determining how you can best identify, contain, and eliminate security threats.

    Triage can include manual steps to ferret out the causes and impacts of threats. By automating many of the steps, you can greatly reduce the time and effort needed to analyze and contain threats. After you have set up automation in your ServiceNow® Security Operations software, you can perform different types of automation. For example, you can automatically enrich observables data when an observable is added to a security incident. Or you can view running processes or obtain network statistics when a CI in your CMDB is added to a security incident. These processes, illustrated below, can save you valuable time during threat analysis.

    Threat Intelligence automation

    In this scenario, a malicious file has been detected by the Security Information and Event Management (SIEM) tool your company uses for threat detection. The Security Operations integration with the SIEM causes a security incident to be automatically created based on the type of threat encountered. If the malicious file already contained observables or if the security analyst added new, unexpired observables after the fact, a workflow that enriches the observable records is automatically triggered. The workflow causes the observables to be scanned, and the hash and IP address of the party who sent the file are added to the security incident.

    During triage, the analyst may observe that configuration items (CI) contained in the company's CMDB may have been affected by the intrusion. The analyst therefore adds the CIs to the security incident. When the security incident is saved, two other workflows are executed and network statistics and running processes related to the CIs are instantly added to the security incident.

    Prepare for Threat Intelligence automation

    Before Threat Intelligence automation can be used in the threat response process, you must complete a few preliminary setup steps. When setup is complete, the workflows automatically run with little or no user assistance.

    Before you begin

    Role required: admin

    Procedure

    1. Download the Security Incident Response and Threat Intelligence applications from the ServiceNow Store.
    2. Install one or more MID Servers, and configure service credentials for each of them.
    3. When the MID Servers are up and running, ensure the integration capability implementation that you are using (VirusTotal, for example) is active for the Threat Lookup capability.
      The Threat Lookup capability performs lookups to determine whether one or more observables are associated with known security threats.
      1. Navigate to Security Operations > Integrations > Integration Capabilities.
      2. Click Threat Lookup and scroll down to the Integration Capability Implementation related list.
        Figure: VirusTotal capability
      3. Locate the implementation you want to use and verify that the Active column shows true.
      4. If the implementation is not active, click the implementation Name, click to select the Active check box, and click Update.

    Automatically enrich observables data

    After you have prepared for Threat Intelligence automation, and added new or unexpired Indicators of Compromise (IoC) to a security incident, the Threat Intelligence – Run IoC lookup workflow executes automatically.

    With no user intervention, the workflow activities extract information from the IoCs, including the hash of the suspicious file and the originating IP address.

    Figure 1. Automatically enrich observables data
    Threat Intelligence - Run IoC lookup workflow
    Note:
    You can also run the lookup manually by selecting one or more observables already attached to the security incident and selecting Run Threat Lookup from the Actions on selected rows choice list.
    The workflow performs the following activities:
    1. The Populate lookup with observable activity attempts to find an existing observable for a lookup that matches the value and type of the lookup provided to the activity as input.
      1. If an observable that matches the inputs is found, the Perform IoC Lookup activity causes a lookup to be performed on the record's ScanID.
      2. If an observable is found and is not expired, the lookup is not performed and the lookup results in the security incident are updated with information from the observable. For more information, see Populate lookup with observable activity.
    2. When an IoC lookup is performed, the following four activities first retrieve information from the enrichment data map. Enrichment Data Mapping transforms data from XML, JSON, or properties files to ServiceNow records. Next, they verify whether a parent security incident exists. If so, an observable is created and enriched. If not, the existing observable is enriched. For more information, see Update observable with lookup result activity.
      • Get enrichment data Mapping
      • Check parent incident exists
      • Create Enrichment Data records
      • Create Enrichment Data for Record
    3. After the data enrichment is complete, the Update observable with lookup results activity updates the observables in the security incident and writes the results to the Threat Lookup Results related list.
    Figure 2. Threat Lookup Results
    Threat lookup results
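The decision logic of the Run IoC lookup workflow (reuse an unexpired observable, re-query an expired one, create and enrich an unknown one, then map the vendor reply through the enrichment data map into a Threat Lookup Results row) is easier to see in code. The block below is an added example and not ServiceNow's own code: the observable store, record field names, the JSON-path style enrichment map, the 24-hour validity of a fresh lookup, and the `lookupService` callback are all assumptions made for this demo.

```javascript
// Added example (not ServiceNow code): models the decision logic of the
// "Threat Intelligence - Run IoC lookup" workflow. Record shapes, the observable
// store, the enrichment map and the lookup service are assumptions for this demo.

// Constructed observable records. expiresAt is epoch milliseconds; null = never expires.
const OBSERVABLE_STORE = [
  { sysId: 'obs-1', type: 'ip', value: '198.51.100.23', scanId: 'scan-1',
    expiresAt: Date.UTC(2026, 0, 1), enrichment: { verdict: 'malicious', sources: 12 } },
  { sysId: 'obs-2', type: 'sha256', value: 'b'.repeat(64), scanId: 'scan-2',
    expiresAt: null, enrichment: { verdict: 'clean', sources: 0 } },
];

// Constructed enrichment data map: path in the vendor's JSON reply -> record field.
const ENRICHMENT_MAP = {
  'data.attributes.verdict': 'verdict',
  'data.attributes.engines.malicious': 'sources',
};

const LOOKUP_TTL_MS = 24 * 60 * 60 * 1000; // assumed validity of a fresh lookup

function getPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// "Get enrichment data Mapping" / "Create Enrichment Data records": flatten the
// vendor JSON into a record using the map; paths missing from the reply are skipped.
function mapEnrichment(vendorJson, mapping) {
  const record = {};
  for (const [src, dst] of Object.entries(mapping)) {
    const v = getPath(vendorJson, src);
    if (v !== undefined) record[dst] = v;
  }
  return record;
}

// "Populate lookup with observable": match on type and value (case-insensitive,
// so a hash pasted in upper case maps to the same observable).
function findObservable(store, type, value) {
  const needle = value.toLowerCase();
  return store.find(o => o.type === type && o.value.toLowerCase() === needle) || null;
}

function isExpired(observable, now) {
  return observable.expiresAt !== null && observable.expiresAt <= now;
}

// Runs the workflow for one IoC attached to an incident. lookupService(key) returns
// the vendor's JSON for a ScanID or raw value (assumption). The return value records
// what the workflow did so callers can check it.
function runIocLookup(incident, ioc, store, lookupService, now) {
  let observable = findObservable(store, ioc.type, ioc.value);

  if (observable !== null && !isExpired(observable, now)) {
    // Unexpired observable: reuse its enrichment, no external lookup is performed.
    incident.threatLookupResults.push(
      { observable: observable.sysId, ...observable.enrichment, source: 'cached' });
    return { lookedUp: false, created: false };
  }

  // Unknown value: create the observable first, then enrich it.
  let created = false;
  if (observable === null) {
    observable = { sysId: `obs-${store.length + 1}`, type: ioc.type, value: ioc.value,
                   scanId: null, expiresAt: null, enrichment: {} };
    store.push(observable);
    created = true;
  }

  // "Perform IoC Lookup" on the record's ScanID (falls back to the value the first time).
  const vendorJson = lookupService(observable.scanId || observable.value);
  const enrichment = mapEnrichment(vendorJson, ENRICHMENT_MAP);

  // "Update observable with lookup results": refresh the observable and append a
  // row to the incident's Threat Lookup Results related list.
  observable.enrichment = enrichment;
  observable.expiresAt = now + LOOKUP_TTL_MS;
  incident.threatLookupResults.push({ observable: observable.sysId, ...enrichment, source: 'lookup' });
  return { lookedUp: true, created };
}

// Scenario: an expired IP, a fresh hash in different case, and a never-seen IP.
function demo() {
  const incident = { threatLookupResults: [] };
  const store = OBSERVABLE_STORE.map(o => ({ ...o }));
  const now = Date.UTC(2026, 2, 12);
  // Constructed vendor reply returned for every lookup in this demo.
  const lookupService = () => ({ data: { attributes: { verdict: 'malicious', engines: { malicious: 7 } } } });
  const outcomes = [
    runIocLookup(incident, { type: 'ip', value: '198.51.100.23' }, store, lookupService, now),
    runIocLookup(incident, { type: 'sha256', value: 'B'.repeat(64) }, store, lookupService, now),
    runIocLookup(incident, { type: 'ip', value: '203.0.113.9' }, store, lookupService, now),
  ];
  return { outcomes, results: incident.threatLookupResults, storeSize: store.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point a practitioner should take from the expiry branch is that a cached verdict is only as good as its age: an observable marked clean months ago is re-queried, not trusted, once its expiry has passed.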

    Automatically obtain network statistics and running processes

    If you add a configuration item (CI) with a fully qualified Windows domain name (FQDN) that is found in the CMDB to a security incident, additional workflows run to provide network statistics and running processes.

    Before you begin

    Role required: admin

    Procedure

    1. Using the Discovery module, populate the CMDB with Windows domain names.
      Note:
      If you do not subscribe to the ServiceNow Discovery module, you must populate your CMDB manually, or use a third-party Discovery-type product.
    2. Add a CI to the security incident.
      The following two workflows are executed in parallel.
      • Security Operations - Get Running Processes Flow: This workflow retrieves a list of running processes on a configuration item (CI) from a host. Use it to fulfill an integration, such as Carbon Black, or for a Windows-based security incident.
        Security Operations - Get Running Processes workflow
        When the workflow completes, running processes are shown in the Running Processes related list in the security incident.
        Figure 3. Running Processes
        Get running processes
      • Security Operations Integrations - Get Network Statistics flow: This workflow retrieves a list of active network connections from a host or endpoint. When
        Security Operations - Get Network Statistics workflow
        When the workflow completes, network statistics are shown in the Network Statistics related list in the security incident.
        Figure 4. Network Statistics
        Get network statistics
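The procedure above has one precondition that is easy to miss: the two collection workflows only fire for a CI whose FQDN is present in the CMDB, which is why the Discovery step comes first. The block below is an added example and not ServiceNow's own code: the CMDB entries, the key=value collector output, the record field names, and the collector functions are constructed for this demo, and the join of each connection to its process name by PID is a convenience the example adds beyond what the page describes.

```javascript
// Added example (not ServiceNow code): models what happens when a CI is added to a
// security incident. Only a CI whose FQDN is found in the CMDB triggers the two
// collection workflows. CMDB entries, collector output and record fields are
// constructed assumptions; the PID join is an addition of this example.

// Constructed CMDB: ci-102 was entered by hand and has no FQDN.
const CMDB = [
  { ciId: 'ci-100', name: 'WS-ANALYST-07', fqdn: 'ws-analyst-07.corp.example' },
  { ciId: 'ci-101', name: 'FILESRV-01', fqdn: 'filesrv-01.corp.example' },
  { ciId: 'ci-102', name: 'LEGACY-BOX', fqdn: '' },
];

// Constructed collector replies keyed by FQDN, one key=value line per item
// (stands in for what a MID Server would bring back from the host).
const PROCESS_OUTPUT = {
  'ws-analyst-07.corp.example': [
    'pid=4412 name=explorer.exe user=CORP\\jdoe',
    'pid=7720 name=powershell.exe user=CORP\\jdoe',
  ],
};
const NETSTAT_OUTPUT = {
  'ws-analyst-07.corp.example': [
    'proto=TCP local=10.0.5.17:51234 remote=198.51.100.23:443 state=ESTABLISHED pid=7720',
    'proto=TCP local=0.0.0.0:445 remote=0.0.0.0:0 state=LISTENING pid=4',
  ],
};

// Parses one "k=v k=v ..." line into an object; tokens without '=' are ignored.
function parseKvLine(line) {
  const rec = {};
  for (const token of line.trim().split(/\s+/)) {
    const i = token.indexOf('=');
    if (i > 0) rec[token.slice(0, i)] = token.slice(i + 1);
  }
  return rec;
}

// Stands in for "Security Operations - Get Running Processes Flow".
function getRunningProcesses(fqdn, output) {
  return (output[fqdn] || []).map(parseKvLine)
    .map(r => ({ pid: Number(r.pid), name: r.name, user: r.user }));
}

// Stands in for "Security Operations Integrations - Get Network Statistics flow".
function getNetworkStatistics(fqdn, output) {
  return (output[fqdn] || []).map(parseKvLine).map(r => ({
    protocol: r.proto, local: r.local, remote: r.remote, state: r.state, pid: Number(r.pid),
  }));
}

// Runs when the incident is saved with a new CI. The two workflows are independent
// (the real ones run in parallel); here they run back to back.
function addCiToIncident(incident, ciId, cmdb) {
  const ci = cmdb.find(c => c.ciId === ciId);
  if (!ci) return { workflowsRun: 0, reason: 'CI not found in CMDB' };
  incident.cis.push(ciId);
  if (!ci.fqdn) return { workflowsRun: 0, reason: 'CI has no FQDN' };

  const processes = getRunningProcesses(ci.fqdn, PROCESS_OUTPUT);
  const connections = getNetworkStatistics(ci.fqdn, NETSTAT_OUTPUT);

  // Added convenience: label each connection with the owning process name.
  const byPid = new Map(processes.map(p => [p.pid, p.name]));
  for (const c of connections) c.process = byPid.get(c.pid) || null;

  incident.runningProcesses.push(...processes.map(p => ({ ci: ciId, ...p })));
  incident.networkStatistics.push(...connections.map(c => ({ ci: ciId, ...c })));
  return { workflowsRun: 2, processes: processes.length, connections: connections.length };
}

function demo() {
  const incident = { cis: [], runningProcesses: [], networkStatistics: [] };
  return {
    withFqdn: addCiToIncident(incident, 'ci-100', CMDB),
    withoutFqdn: addCiToIncident(incident, 'ci-102', CMDB),
    unknown: addCiToIncident(incident, 'ci-999', CMDB),
    incident,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

A CI that was added by hand without an FQDN is silently skipped by both workflows, so an empty Running Processes or Network Statistics related list after adding a CI is worth checking against the CMDB record before assuming the host returned nothing.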