TISC playbook templates

  • Release version: Washingtondc
  • Updated January 22, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TISC Playbook Templates Integrating Threat Intelligence Security Center

    This document outlines the playbook templates included with the TISC Sentinel solution, providing an overview of their functionalities and steps for deployment. It enables ServiceNow customers to effectively manage threat intelligence and enrich incident responses through automated playbooks.

    Show full answer Show less

    Key Features

    • Importing Observables: Facilitates exporting observables from TISC to Sentinel using the BatchIndicatorUploader and ImportObservablesBatch playbooks.
    • Exporting Incident Entities: Allows exporting various entities associated with Sentinel incidents, such as file hashes, domains, IPs, and URLs.
    • Incident Enrichment: Enhances Sentinel incidents by fetching and posting relevant details about associated entities.
    • TISC Custom Connector: All playbooks utilize the TISC Custom Connector to interface with TISC APIs.

    Key Outcomes

    By deploying these playbook templates, customers can automate the import and export of threat intelligence data, streamline incident management processes, and enrich incident details, ultimately improving their security operations and response times.

    Next Steps

    • Access the TISC Solution content page in the Sentinel Workspace to select and configure playbooks.
    • Follow the prerequisites and deployment steps for each playbook, ensuring the TISC Custom Connector is deployed.
    • Edit playbooks as necessary in the Logic App Designer, customizing parameters based on your organization's needs.
    • Run playbooks according to the specified actions within the Sentinel incident management interface.

    This section describes the playbook templates that are shipped with TISC Sentinel solution.

    Table 1. Playbook use casesThe following table describes the various playbook use cases.
    Use case Playbook Description
    Importing Observables from TISC to Sentinel Batch_Indicator_Uploader Provides batching mechanism for exporting observables from TISC using Upload Indicators API provided by Microsoft Sentinel.
    Import_Observables_Batch Enables scheduled export of observables from TISC.
    Export entities from Sentinel to TISC Export_Incident_Entities Export all entities of a Sentinel incident.
    Export_Hash_Entity Export file hash entities of Sentinel incident.
    Export_Domain_Entity entities Export domain entities of Sentinel incident.
    Export_IP_Entity Export IP entities of Sentinel incident.
    Export_URL_Entity Export URL entities of Sentinel incident.
    Enrich Sentinel incidents Incident_Enrichment Enables enrichment of Sentinel incidents by fetching details related to entities associated with it and posting information in the form of comments on the incident.
    Note:
    All the playbooks use TISC Custom Connector internally to use TISC APIs.

    Create playbooks from templates

    1. Navigate to TISC Solution content page from the Content Hub in Sentinel Workspace.
    2. For each playbook shown in the contents page, do the following:
      1. Select the playbook template, a context pane is displayed in the right hand side of the screen, click Configuration.
      2. Read the description of the playbook template, go through the Prerequisites and Post deployment steps mentioned in the description.
      3. Click on Deploy custom connector (if you haven't already deployed the custom connector).

        Add the ServiceNow instance URL on the Deployment Configuration page.

      4. Click Create Playbook, you would be taken to the deployment configuration screen
      5. In the Create playbook configuration screen:
        • Select the appropriate resource group.
        • Modify the playbook name, or use the default name.
        • Provide the Custom Connector name (make sure this matches with name of the connector you deployed in previous step) in the Parameters section.
        • Click Review and Create.

    Configure Import_Observables_Batch playbook

    Make sure to create Batch_Indicator_Uploader playbook before the Import_Observables_Batch playbook is created.
    1. Navigate to Logic App Designer to edit the playbook.
    2. Update the Recurrence time (in hours) as required.
    3. From the TISC Custom Connector component within the playbook, update the parameters that are sent to TISC API.
      Parameter Name Description
      Observable Type Following are the supported types, select one or more:
      • IP
      • File Hash
      • Domain
      • URL
      Threat Score Enter the threat score for observables. The threat score value MUST be a number in the range of 0-100.
      Confidence Enter the confidence for observables.

      The confidence value MUST be a number in the range of 0-100.
      Reputation Following are the supported values, select one or more:
      • Clean
      • Malicious
      • Suspicious
      • Unknown
      Threat Severity Following are the supported severity levels, select one or more:
      • Critical
      • High
      • Medium
      • Low
      Threat Level Following are the supported threat levels, select one or more:
      • High
      • Medium
      • Low
      Last Updated Delta in Hours The last updated time(in hours) for observables.

    Configure Export_Incident_Entities playbook

    This playbook uses TISC Add observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/add_observables.

    You can follow the same procedure for all the below listed playbooks which export different types of entities:
    • Export_Hash_Entity
    • Export_Domain_Entity
    • Export_IP_Entity
    • Export_URL_Entity

    Configure Incident_Enrichment playbook

    This playbook uses TISC Observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/observables.

    Run playbooks

    The following table describes how you can run the following playbooks.
    Playbook Action
    Import_Observables_Batch This playbook runs automatically based on the scheduled time which is mentioned in the recurrence trigger.
    Export_Incident_Entities On a Sentinel incident, select Incident Actions > Run Playbook for execution.
    Export_Hash_Entity On a Sentinel incident, select File hash entity > Run Playbook for execution.
    Export_Domain_Entity On a Sentinel incident, select Domain entity > Run Playbook for execution.
    Export_IP_Entity On a Sentinel incident, select IP entity > Run Playbook for execution.
    Export_URL_Entity On a Sentinel incident, select URL entity > Run Playbook for execution.
    Incident_Enrichment On a Sentinel incident, select Incident Actions > Run Playbook for execution.