TISC playbook templates
Summarize
Summary of TISC Playbook Templates
The TISC Sentinel solution provides playbook templates designed to streamline the management of observables and incident enrichment within Microsoft Sentinel. These templates facilitate the import and export of various entities and enhance incident details through automated processes.
Show less
Key Features
- Importing Observables:
- BatchIndicatorUploader: Exports observables from TISC in batches.
- ImportObservablesBatch: Schedules the export of observables from TISC.
- Exporting Entities:
- ExportIncidentEntities: Exports all entities associated with a Sentinel incident.
- ExportHashEntity: Exports file hash entities.
- ExportDomainEntity: Exports domain entities.
- ExportIPEntity: Exports IP entities.
- ExportURLEntity: Exports URL entities.
- Incident Enrichment:
- IncidentEnrichment: Enriches Sentinel incidents with additional details about associated entities.
Key Outcomes
By implementing these playbooks, ServiceNow customers can effectively manage observables, automate incident response, and enhance the quality of incident data. Customers can expect streamlined operations, improved threat intelligence management, and more efficient incident handling through the use of these templates.
Next Steps
To create and configure playbooks from the templates, navigate to the TISC Solution content page in the Sentinel Workspace. Follow the necessary steps to deploy the custom connector and configure each playbook according to specific parameters. Ensure to run the playbooks as needed based on the desired action for each incident.
This section describes the playbook templates that are shipped with TISC Sentinel solution.
| Use case | Playbook | Description |
|---|---|---|
| Importing Observables from TISC to Sentinel | Batch_Indicator_Uploader | Provides batching mechanism for exporting observables from TISC using Upload Indicators API provided by Microsoft Sentinel. |
| Import_Observables_Batch | Enables scheduled export of observables from TISC. | |
| Export entities from Sentinel to TISC | Export_Incident_Entities | Export all entities of a Sentinel incident. |
| Export_Hash_Entity | Export file hash entities of Sentinel incident. | |
| Export_Domain_Entity entities | Export domain entities of Sentinel incident. | |
| Export_IP_Entity | Export IP entities of Sentinel incident. | |
| Export_URL_Entity | Export URL entities of Sentinel incident. | |
| Enrich Sentinel incidents | Incident_Enrichment | Enables enrichment of Sentinel incidents by fetching details related to entities associated with it and posting information in the form of comments on the incident. |
Create playbooks from templates
- Navigate to TISC Solution content page from the Content Hub in Sentinel Workspace.
- For each playbook shown in the contents page, do the following:
- Select the playbook template, a context pane is displayed in the right hand side of the screen, click Configuration.
- Read the description of the playbook template, go through the Prerequisites and Post deployment steps mentioned in the description.
- Click on Deploy custom connector (if you haven't already deployed the custom connector).
Add the ServiceNow instance URL on the Deployment Configuration page.
- Click Create Playbook, you would be taken to the deployment configuration screen
- In the Create playbook configuration screen:
- Select the appropriate resource group.
- Modify the playbook name, or use the default name.
- Provide the Custom Connector name (make sure this matches with name of the connector you deployed in previous step) in the Parameters section.
- Click Review and Create.
Configure Import_Observables_Batch playbook
- Navigate to to edit the playbook.
- Update the Recurrence time (in hours) as required.
- From the TISC Custom Connector component within the playbook, update the parameters that are sent to TISC API.
Parameter Name Description Observable Type Following are the supported types, select one or more: - IP
- File Hash
- Domain
- URL
Threat Score Enter the threat score for observables. The threat score value MUST be a number in the range of 0-100. Confidence Enter the confidence for observables. The confidence value MUST be a number in the range of 0-100.
Reputation Following are the supported values, select one or more: - Clean
- Malicious
- Suspicious
- Unknown
Threat Severity Following are the supported severity levels, select one or more: - Critical
- High
- Medium
- Low
Threat Level Following are the supported threat levels, select one or more: - High
- Medium
- Low
Last Updated Delta in Hours The last updated time(in hours) for observables.
Configure Export_Incident_Entities playbook
This playbook uses TISC Add observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/add_observables.
- Export_Hash_Entity
- Export_Domain_Entity
- Export_IP_Entity
- Export_URL_Entity
Configure Incident_Enrichment playbook
This playbook uses TISC Observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/observables.
Run playbooks
| Playbook | Action |
|---|---|
| Import_Observables_Batch | This playbook runs automatically based on the scheduled time which is mentioned in the recurrence trigger. |
| Export_Incident_Entities | On a Sentinel incident, select for execution. |
| Export_Hash_Entity | On a Sentinel incident, select for execution. |
| Export_Domain_Entity | On a Sentinel incident, select for execution. |
| Export_IP_Entity | On a Sentinel incident, select for execution. |
| Export_URL_Entity | On a Sentinel incident, select for execution. |
| Incident_Enrichment | On a Sentinel incident, select for execution. |