ThreatStream provides a bidirectional integration with ServiceNow, which enables users to easily make use of ThreatStream’s enriched and contextualized database of threat intelligence as part of their Incident Response workflow. Features include:
- Create or update ServiceNow security incidents from ThreatStream investigations, including observable details, descriptions and associations like Threat Actors, Campaigns and more.
- Create or update ThreatStream investigations from ServiceNow security incidents, including descriptions, priority, and associated observables.
- Export observables from ServiceNow to ThreatStream for inclusion in other investigations, workflows, and for downstream dissemination to other security tools.
- When new observables are added to an incident, ServiceNow will automatically carry out Threat Lookup and Observable Enrichment against these observables.
- Add ThreatStream as a Threat Lookup source, enabling ServiceNow observables to be marked as Malicious based on their corresponding confidence score in ThreatStream.
- Enrich ServiceNow Observables with actionable threat intel data from ThreatStream to provide additional context.
- Observables within ServiceNow can be exported to ThreatStream, allowing for quick sharing of intelligence between the two platforms.
- Create or update ThreatStream investigations from ServiceNow security incidents with the click of a button.
ServiceNow Integration v1.3.08 adds a new Status column in the ThreatStream Enrichment Results table, allowing you to view the status of observables. The Status column is not displayed by default and can be added manually through the Personalize List Columns setting.
Product:
- Security Operations
Plugins:
- Security Incident Response
- Threat Intelligence
- Threat Intelligence Support Common
Permissions:
- sn_si.basic
- sn_ti.read
- snc_platform_rest_api_access (required for cases when Table API ACL is active)
- Anomali ThreatStream account