Reduce threat analysis time using automation

  • Freigeben Version: Australia
  • Aktualisiert 12. März 2026
  • 4 Minuten Lesedauer

    • Security incident triage and analysis are necessary steps for weeding out false positives during the threat response process, and for determining how you can best identify, contain, and eliminate security threats.

    Triage can include manual steps to ferret out the causes and impacts of threats. By automating many of the steps, you can greatly reduce the time and effort needed to analyze and contain threats. After you have set up automation in your ServiceNow® Security Operations software, you can perform different types of automation. For example, you can automatically enrich observables data when an observable is added to a security incident. Or you can view running processes or obtain network statistics when a CI in your CMDB is added to a security incident. These processes, illustrated below, can save you valuable time during threat analysis.

    Threat Intelligence automation

    In this scenario, a malicious file has been detected by the Security Information and Event Management (SIEM) tool your company uses for threat detection. The Security Operations integration with the SIEM causes a security incident to be automatically created based on the type of threat encountered. If the malicious file already contained observables or if the security analyst added new, unexpired observables after the fact, a workflow that enriches the observable records is automatically triggered. The workflow causes the observables to be scanned, and the hash and IP address of the party who sent the file are added to the security incident.

    During triage, the analyst may observe that configuration items (CI) contained in the company's CMDB may have been affected by the intrusion. The analyst therefore adds the CIs to the security incident. When the security incident is saved, two other workflows are executed and network statistics and running processes related to the CIs are instantly added to the security incident.

    Prepare for Threat Intelligence automation

    Before Threat Intelligence automation can be used in the threat response process, you must complete a few preliminary setup steps. When setup is complete, the workflows automatically run with little or no user assistance.

    Vorbereitungen

    Role required: admin

    Prozedur

    1. Download the Security Incident Response and Threat Intelligence applications from the ServiceNow Store.
    2. Install one or more MID Servers, and configure service credentials for each of them.
    3. When the MID Servers are up and running, ensure the integration capability implementation that you are using (VirusTotal, for example) is active for the Threat Lookup capability.
      The Threat Lookup capability performs lookups to determine whether one or more observables are associated with known security threats.
      1. Navigate to Security Operations > Integrations > Integration Capabilities.
      2. Click Threat Lookup and scroll down to the Integration Capability Implementation related list.
        VirusTotal capability
      3. Locate the implementation you want to use and verify that the Active column shows true.
      4. If the implementation is not active, click the implementation Name, click to select the Active check box, and click Update.

    Automatically enrich observables data

    After you have prepared for Threat Intelligence automation, and added new or unexpired Indicators of Compromise (IoC) to a security incident, the Threat Intelligence – Run IoC lookup workflow executes automatically.

    The workflow activities extract information from the IoCs, including the hash of the suspicious file and the originating IP address with no user intervention.

    Abbildung : 1. Automatically enrich observables data
    Threat Intelligence - Run IoC lookup workflow
    Hinweis:
    You can also run the lookup manually by selecting one or more observables already attached to the security incident and selecting Run Threat Lookup from the Actions on selected rows choice list.
    The workflow performs the following activities:
    1. The Populate lookup with observable activity attempts to find an existing observable for a lookup that matches the value and type of the lookup provided to the activity as input.
      1. If an observable that matches the inputs is found, the Perform IoC Lookup activity causes a lookup to be performed on the record's ScanID.
      2. If an observable is found and is not expired, the lookup is not performed and the lookup results in the security incident are updated with information from the observable. For more information, see Populate lookup with observable activity.
    2. When an IoC lookup is performed, the following four activities first retrieve information from the enrichment data map. Enrichment Data Mapping transforms data from XML, JSON, or properties files to ServiceNow records. Next, they verify whether a parent security incident exists. If so, an observable is created and enriched. If not, the existing observable is enriched. For more information, see Update observable with lookup result activity.
      • Get enrichment data Mapping
      • Check parent incident exists
      • Create Enrichment Data records
      • Create Enrichment Data for Record
    3. After the data enrichment is complete, the Update observable with lookup results activity updates the observables in the security incident and writes the results to the Threat Lookup Results related list.
    Abbildung : 2. Threat Lookup Results
    Threat lookup results

    Automatically obtain network statistics and running processes

    If you add a configuration item (CI) with a fully qualified Windows domain name (FQDM) that is found in the CMDB to a security incident, additional workflows run to provide network statistics and running processes.

    Vorbereitungen

    Role required: admin

    Prozedur

    1. Using the Discovery module, populate the CMDB with Windows domain names.
      Hinweis:
      If you do not subscribe to the ServiceNow Discovery module, you must populate your CMDB manually, or use a third-party Discovery-type product.
    2. Add a CI to the security incident.
      The following two workflows are executed in parallel.
      • Security Operations - Get Running Processes Flow: This workflow retrieves a list of running processes on a configuration item (CI) from a host. Use it to fulfill an integration, such as Carbon Black, or for a Windows-based security incident.
        Security Operations - Get Running Processes workflow
        When the workflow completes, running processes are shown in the Running Processes related list in the security incident.
        Abbildung : 3. Running Processes
        Get running processes
      • Security Operations Integrations - Get Network Statistics flow: This workflow retrieves a list of active network connections from a host or endpoint. When
        Security Operations - Get Network Statistics workflow
        When the workflow completes, network statistics are shown in the Network Statistics related list in the security incident.
        Abbildung : 4. Network Statistics
        Get network statistics