TISC playbook templates

  • Release version: Xanadu
  • Updated January 22, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of TISC playbook templates

    The TISC playbook templates are pre-built automation workflows designed for integration between TISC Sentinel and Microsoft Sentinel. These playbooks facilitate importing and exporting observables and entities, as well as enriching Sentinel incidents with relevant threat intelligence data. All playbooks leverage the TISC Custom Connector to interact with TISC APIs.

    Show full answer Show less

    Playbook Use Cases

    • Importing Observables: Automate batching and scheduled export of observables from TISC to Sentinel using BatchIndicatorUploader and ImportObservablesBatch playbooks.
    • Exporting Entities: Export all or specific entities (file hash, domain, IP, URL) from Sentinel incidents to TISC using respective playbooks like ExportIncidentEntities and entity-specific export playbooks.
    • Incident Enrichment: Enrich Sentinel incidents by fetching detailed information on associated entities and posting this data as comments on the incident via the IncidentEnrichment playbook.

    Creating Playbooks from Templates

    ServiceNow customers using Sentinel can create playbooks by navigating to the TISC Solution content page within the Sentinel Content Hub. Key steps include:

    • Selecting a playbook template and reviewing its description, prerequisites, and post-deployment steps.
    • Deploying the TISC Custom Connector if not already deployed, including adding the ServiceNow instance URL.
    • Configuring playbook parameters such as resource group, playbook name, and connector name before deployment.

    Configuring Playbooks

    • ImportObservablesBatch: Requires prior creation of BatchIndicatorUploader. Configure recurrence timing and parameters like observable types, threat score, confidence, reputation, threat severity, threat level, and last update delta hours.
    • Export Playbooks: Configure parameters sent to the TISC Add Observables API via the Logic App Designer for all export playbooks (incident entities, file hash, domain, IP, URL).
    • IncidentEnrichment: Configure parameters sent to the TISC Observables API to enrich incidents with detailed entity information.

    Running Playbooks

    • ImportObservablesBatch runs automatically on a scheduled recurrence trigger.
    • Export playbooks and IncidentEnrichment are manually triggered from within Sentinel on relevant incidents or entities via the "Run Playbook" action.

    This section describes the playbook templates that are shipped with TISC Sentinel solution.

    Table 1. Playbook use casesThe following table describes the various playbook use cases.
    Use case Playbook Description
    Importing Observables from TISC to Sentinel Batch_Indicator_Uploader Provides batching mechanism for exporting observables from TISC using Upload Indicators API provided by Microsoft Sentinel.
    Import_Observables_Batch Enables scheduled export of observables from TISC.
    Export entities from Sentinel to TISC Export_Incident_Entities Export all entities of a Sentinel incident.
    Export_Hash_Entity Export file hash entities of Sentinel incident.
    Export_Domain_Entity entities Export domain entities of Sentinel incident.
    Export_IP_Entity Export IP entities of Sentinel incident.
    Export_URL_Entity Export URL entities of Sentinel incident.
    Enrich Sentinel incidents Incident_Enrichment Enables enrichment of Sentinel incidents by fetching details related to entities associated with it and posting information in the form of comments on the incident.
    Note:
    All the playbooks use TISC Custom Connector internally to use TISC APIs.

    Create playbooks from templates

    1. Navigate to TISC Solution content page from the Content Hub in Sentinel Workspace.
    2. For each playbook shown in the contents page, do the following:
      1. Select the playbook template, a context pane is displayed in the right hand side of the screen, click Configuration.
      2. Read the description of the playbook template, go through the Prerequisites and Post deployment steps mentioned in the description.
      3. Click on Deploy custom connector (if you haven't already deployed the custom connector).

        Add the ServiceNow instance URL on the Deployment Configuration page.

      4. Click Create Playbook, you would be taken to the deployment configuration screen
      5. In the Create playbook configuration screen:
        • Select the appropriate resource group.
        • Modify the playbook name, or use the default name.
        • Provide the Custom Connector name (make sure this matches with name of the connector you deployed in previous step) in the Parameters section.
        • Click Review and Create.

    Configure Import_Observables_Batch playbook

    Make sure to create Batch_Indicator_Uploader playbook before the Import_Observables_Batch playbook is created.
    1. Navigate to Logic App Designer to edit the playbook.
    2. Update the Recurrence time (in hours) as required.
    3. From the TISC Custom Connector component within the playbook, update the parameters that are sent to TISC API.
      Parameter Name Description
      Observable Type Following are the supported types, select one or more:
      • IP
      • File Hash
      • Domain
      • URL
      Threat Score Enter the threat score for observables. The threat score value MUST be a number in the range of 0-100.
      Confidence Enter the confidence for observables.

      The confidence value MUST be a number in the range of 0-100.
      Reputation Following are the supported values, select one or more:
      • Clean
      • Malicious
      • Suspicious
      • Unknown
      Threat Severity Following are the supported severity levels, select one or more:
      • Critical
      • High
      • Medium
      • Low
      Threat Level Following are the supported threat levels, select one or more:
      • High
      • Medium
      • Low
      Last Updated Delta in Hours The last updated time(in hours) for observables.

    Configure Export_Incident_Entities playbook

    This playbook uses TISC Add observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/add_observables.

    You can follow the same procedure for all the below listed playbooks which export different types of entities:
    • Export_Hash_Entity
    • Export_Domain_Entity
    • Export_IP_Entity
    • Export_URL_Entity

    Configure Incident_Enrichment playbook

    This playbook uses TISC Observables API. Using the Logic App Designer, you can edit the parameters that are sent to the API from the playbook. For more information see TISC API - POST /sn_sec_tisc/threat_intel_data/observables.

    Run playbooks

    The following table describes how you can run the following playbooks.
    Playbook Action
    Import_Observables_Batch This playbook runs automatically based on the scheduled time which is mentioned in the recurrence trigger.
    Export_Incident_Entities On a Sentinel incident, select Incident Actions > Run Playbook for execution.
    Export_Hash_Entity On a Sentinel incident, select File hash entity > Run Playbook for execution.
    Export_Domain_Entity On a Sentinel incident, select Domain entity > Run Playbook for execution.
    Export_IP_Entity On a Sentinel incident, select IP entity > Run Playbook for execution.
    Export_URL_Entity On a Sentinel incident, select URL entity > Run Playbook for execution.
    Incident_Enrichment On a Sentinel incident, select Incident Actions > Run Playbook for execution.