03/05/2018. Istanbul ServiceNow Security Management



Contents

- Security Incident Response (page 5)
  - Security Incident Response overview (page 5)
  - Set up Security Incident Response (page 7)
  - Security Incident Response monitoring (page 31)
  - Security incidents (page 47)
  - Inbound security requests
  - Lookups and scans
  - Post incident review
  - Security Incident Response Orchestration
  - Components installed with Security Incident Response
  - Content packs for Security Incident Response
- Vulnerability Response
  - Vulnerability Response overview
  - Set up Vulnerability Response
  - Vulnerability Response monitoring
  - Vulnerability groups
  - Vulnerabilities in the software of configuration items
  - NVD and CWE updates
  - Vulnerability integrations
  - Vulnerability scanners and scans
  - Vulnerability Response Orchestration
  - Components installed with Vulnerability Response
- Threat Intelligence
  - Set up Threat Intelligence
  - Threat Intelligence monitoring
  - Attack modes and methods
  - Indicators of compromise
  - Observables
  - Threat lookups
  - Threat Intelligence administration
  - Threat Intelligence Orchestration
  - Components installed with Threat Intelligence
- Integrations
  - Integration development guidelines
  - IBM QRadar integration
  - Palo Alto Networks Integration
  - Qualys Cloud Platform integration
  - Add-on for Splunk integration
  - Tanium integration
  - VirusTotal integration
- Common functionality
  - Create and define filter groups in processing
  - User-defined escalation
  - Create workflow triggers
  - Enrichment data mapping
  - Field mapping
  - Search orchestration
  - Components installed with Security Support Common
- Index

Security Incident Response

Bring incident data from your security tools into a structured response engine that uses intelligent workflows, automation, and a deep connection with IT to prioritize and resolve threats based on the impact they pose to your organization.

The Security Incident Response application tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post incident review, knowledge base article creation, and closure.

Explore: Security Incident Response release notes; Upgrade to; Security Incident Response overview (page 5); Getting started with Security Incident Response (video)
Set up: Activate Security Incident Response (page 7); Security Incident Response process definition (page 14)
Administer: Configure Security Incident Response (page 11); Security Incident Response monitoring (page 31)
Use: Security incidents (page 47); Lookups and scans (page 89); Post incident review (page 91)
Develop: Developer training; Developer documentation
Integrate: Security Incident Response Orchestration (page 103); Components installed with Security Incident Response (page 129); Security Operations integrations (page 256); Security Operations integration development guidelines (page 256); Tips for writing integrations (page 263)
Troubleshoot and get help: Ask or answer questions in the community; Search the HI knowledge base for known error articles; Contact Support

Security Incident Response overview

Security Incident Response is often used with vulnerability databases to proactively prevent issues and to track down other systems that may also be vulnerable to attack. A wide range of reporting and tracking systems can be used to detect trends and issues and to gauge your performance. Integrations allow you to use your preferred monitoring tools and link your security incidents to the related systems, users, and business services within your instance.

To protect your investigations and keep security incidents private, Security Incident Response provides the means to restrict access to the system to specific security-related roles and ACLs. Non-security administrators can be restricted from access unless you expressly allow them entry.

Discovery

Security incidents can be logged or created in the following ways:
- From the Security Incident form
- From events that are spawned internally, or created by external monitoring or vulnerability tracking systems via alert rules, or manually
- From external monitoring or tracking systems directly
- From the service catalog

Analysis

Depending on the view you are using (default, NonIT Security, Security ITIL, and so on), the Security Incident form can show any combination of vulnerabilities, incidents, changes, problems, and tasks on the affected CI and affected CI groups. The system can identify malware, viruses, and other areas of vulnerability by cross-referencing the National Institute of Standards and Technology (NIST) database or other third-party detection software. As security incidents are resolved, any incident can be used to create a security knowledge base article for future reference. Further analysis can be performed using the Business Service Management (BSM) map to locate other affected systems or business services that may be infected.

Containment, Eradication, and Recovery

As you monitor and analyze vulnerabilities, you can create and assign tasks to other departments. You can use the BSM map to create tasks, problems, or changes for all affected systems, documents, activities, SMS messages, bridge calls, and so forth.

Review

After the incident is resolved, other steps can take place before closure. A post incident review can be performed, and knowledge base articles can be created to help with similar incidents in the future. Significant incidents may need a post-incident resolution review, which can take several forms. For example:
- conduct a meeting to discuss the incident and gather responses
- write and distribute incident resolution review questions, designed for each category or priority of incident, to the teams who worked on the incident
- incident managers can write the report and gather information on their own

An incident resolution review report can be automatically generated that includes:
- a summary of what was done
- the timeline
- the type of security incident encountered
- all related incidents, changes, problems, tasks, and CI groups
- the details of the resolution

In addition, an automated security incident resolution review survey system is available. It gathers the names of all users assigned to the security incident and sends out a customized survey to gather data about the handling of the incident. This data can then be made available in a generated security incident review report, which can be edited into a final draft. Similar data can be added to a knowledge base article to capture lessons learned and the steps to take to resolve similar issues in the future.

Security Incident Response Terminology

The following terms are used in Security Incident Response.

Active: Any security incident not in the Closed or Cancelled state.
Administrator lockdown: The ability to restrict Security Incident Response access to personnel with security-related roles and ACLs.
Inbound security requests (page 88): Requests submitted for low-impact security demands, such as requesting a new electronic badge.
Post incident review (page 91): A review of the origins and handling of a security incident. The final product is a post incident report, which documents all actions performed and the reasons for doing them.
Response tasks: Tasks assigned to a security incident for tracking actions taken in response to the threat.
Security incident calculators (page 25): Calculators used to update record values when pre-configured conditions are met.
Security incident treemaps: A chart type that hierarchically displays security incident data in the form of nested rectangles.
Threat lookup: A request submitted from the security incident catalog for scanning files, URLs, and IP addresses for malware.
Vulnerability scan: A request initiated from the Security Incident form for scanning affected resources (servers, computers, and other configuration items) for vulnerabilities.

Set up Security Incident Response

Before using Security Incident Response, set up the various parts of the system, including an administrator group and one or more security incident groups, SLAs, and severity calculators.

Activate Security Incident Response

Activate the Security Incident Response plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription.

Role required: admin

Security Incident Response activates the following related plugins if they are not already active.

Table 1: Plugins for Security Incident Response

Service Management Core [com.snc.service_management.core]: Installs the core Service Management items used to allow other service-related plugins to work, such as Field Service, Facilities, HR, Legal, Finance, Marketing, and the custom app creator.
Task-Outage Relationship [com.snc.task_outage]: Allows users to create an outage from an Incident and a Problem form. Incidents and problems have a many-to-many relationship with outages.
Tree map [com.snc.treemap]: Enables support for the treemap view in any application.
Security Support Orchestration [com.snc.secops.orchestration]: Provides an integration with Orchestration to allow workflow activities to be run within Security Incident Response, Threat Intelligence, or Vulnerability Response.
Security Incident Response support [com.snc.security_support.sir]: Provides support functionality for use within the Security Incident Response application.
WebKit HTML to PDF [com.snc.whtp]: Enables the instance to use the WebKit HTML to PDF service.

To purchase a subscription, contact your account manager. After purchasing the subscription, activate the plugin within the production instance.

1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status.
4. If the plugin has optional features that are not functional because other plugins are inactive, those plugins are listed. A warning states that some files are not installed. If you want the optional features to be installed, cancel this activation, activate the necessary plugins, and then return to activating the plugin.
5. Optional: If available, select the Load demo data check box. Some plugins include demo data sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good policy when you first activate the plugin on a development or test instance. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
6. Click Activate.

Lock down security administration (optional)

To protect investigations and keep security incidents private, you can restrict Security Incident Response access to security-specific roles and ACLs. Non-security administrators can be restricted from access unless you expressly allow them entry.

When the Security Incident Response application is activated, the System Administrator user is granted the sn_si.admin role by default. The System Administrator is the only administrator who can set up security groups and users. A security role is required to access Security Incident Response features and records.

Role required: sn_si.admin

1. After the Security Incident Response plugin has been activated, a user with the admin role assigns the Security Admin (sn_si.admin) role to at least one user.
2. The user with the admin role changes to the Security Incident scope.
3. Navigate to System Applications > Applications.
4. Click Downloads.
5. Type security in the Search applications field.
6. Click Security Incident.
7. Scroll down to the Related Links and click Remove from the role contained by admin.
8. Log out and log back in.

The admin user can no longer access the Security Incident Response application.

Configure Security Incident Response

If you are an administrator in the global domain, you configure how Security Incident Response handles day-to-day operations.

Role required: sn_si.admin

Note: These options are standard to many service management applications, and as such they use service management terminology. For example, Request is used for the main task (that is, the security incident) and Task is used for subtasks or Response Tasks.

If you are an administrator in a domain lower than the global domain, you can view the Configurations screen but cannot modify the settings.

1. Navigate to Security Incident > Administration > Configuration. The options for configuring the application are organized under these tabs:
   - The Business Process tab contains options for setting up the request life cycle, creating catalogs and requests, and configuring notifications.
   - The Assignment tab contains options for setting up manual and auto-assignment.
   - The Add-ons tab contains options for enabling the knowledge base, managed documents, and task activities.
2. Fill in the fields on the Business Process tab.

Table 2: Configuration screen - Business Process tab

Lifecycle
  Work notes are required to close or cancel a request or task: Enable this option to require the user to enter work notes before a security incident or response task can be closed or canceled.
  Copy task work notes to request: Enable this option to synchronize response task work notes with the work notes on the security incident, so that when work notes are added to the task, the same work notes appear in the parent security incident.

Catalog and Request Creation
  Create or update security incidents from inbound email: Enable this option to create or update security incidents from requests received by inbound email.
  Requests are created using: Select catalog or regular form to activate the catalog and enable automatic publishing of security incident templates to the catalog. Select regular form only to deactivate the catalog and disable automatic publishing of security incident templates to the catalog.
  Templates create a dedicated catalog item: Enable this option to activate automatic publishing of catalog items for the application.

Notifications
  For a request or task, when the selected field changes, send notification to recipients: You can configure notifications to be sent to specific recipients when selected fields in security incidents and response tasks change.
  1. From Table, select Request (security incident) or Task (response task).
  2. From Field, select the field to use for generating notifications. When a change is made to the selected field, a notification is sent to the identified recipients.
  3. From Recipients, select one or more recipients.
  4. If you select a specific user or a specific group, you are prompted to select the user or group.
  5. To define more notifications using other fields or recipients, repeat the preceding steps for the next set of notification settings.
  6. To remove a notification, click the X symbol to the right of the notification.

3. Click the Assignment tab and fill in the fields.

Table 3: Configuration screen - Assignment tab

Assignment method for requests: Select the method for assigning security incidents:
  - using auto-assignment: Security incidents are automatically assigned.
  - using a workflow: Security incidents are assigned by the selected workflow.
  - manually: Security incidents are manually assigned.
Use this workflow to assign requests: Select the workflow for dispatching security incidents. This field appears when using a workflow is selected from the Assignment method for requests list.
Assignment method for tasks: Select the method for assigning response tasks:
  - using auto-assignment: Response tasks are automatically assigned.
  - using a workflow: Response tasks are assigned by the selected workflow.
  - manually: Response tasks are manually assigned.
Use this workflow to assign tasks: Select the workflow for assigning response tasks. This field appears when using a workflow is selected from the Assignment method for tasks list.

Assign requests or tasks based on assignment group coverage areas: Enable this option to limit the assignment of security incidents and response tasks to groups that cover the location of the task.

Scheduling
  Auto-selection of agents will consider time zone for tasks: Enable this option to consider the time zone of the agent when assigning a task. This field appears when auto-assignment is selected for security incidents or response tasks.

Additional Factors
  Auto-selection of agents will consider location of agents: Enable this option to give preference to agents who are closer to the task location when assigning any tasks. This field appears when auto-assignment is selected for security incidents or response tasks.
  Auto-selection of agents for tasks requires them to have skills: Select the degree to which agent skills must be matched to a task when determining auto-assignment. Select all to require that an assigned agent has all the skills needed to perform the task; an agent who lacks even one skill is eliminated. Select some if you want agents who have most of the skills required to perform the task. Select none if you want to auto-assign agents without taking skills into account. This field appears when auto-assignment is selected for security incidents or response tasks.
  Auto-selection will attempt to assign the same agent to all tasks in a request: Enable this option to auto-assign all response tasks for a security incident to the same agent.

4. Click the Add-ons tab and fill in the fields.

Table 4: Configuration screen - Add-ons tab

Documentation
  Enable a dedicated knowledge base: Enable this option to activate the knowledge base for Security Incident Response.
  Enable managed documents: Enable this option to add a related list for managed documents.
  Enable task activities: Enable this option to log task interactions and communications, such as phone calls and messages.

5. Click Save.

Create a security incident group

Set up a security incident group and assign the appropriate roles and users to the group.

Roles required: If you have the user_admin role, you can create security incident assignment groups. If you have the sn_si.admin role, you can create and edit security incident assignment groups.

Users in a group inherit the roles of the group, so you do not have to assign roles to each user separately. It is a good practice to create as many groups as needed in your organization. It is also a good practice to create one group for administrators and assign the admin role to this group only.

1. Navigate to User Administration > Groups or Security Incident > Setup > Groups.
2. Click New.
3. Fill in the fields. Make sure that you select the security incident type for this group.
   a) If the Type field is not visible, configure the form to add it.
   b) Click the lock icon beside the Type field.
   c) Click the reference lookup icon.
   d) Search for and select the security incident type.
4. Right-click the form header and select Save.
5. In the Roles related list, add the roles that each member of this group receives. For example, if you are making a group for Security Incident Response team members, add sn_si.analyst. If you are making a group for Security Incident Response administrators, add sn_si.admin.
6. In the Group Members related list, add users to this group.
7. Click Update.

Security Incident Response process definition

Security Incident Response Process Definition replaces state flows and provides end users and service desks with the status of an incident. A process definition helps track the incident through its life cycle. Security Incident Response is a Service Management (SM) application; however, it has its own set of states for both incidents and their tasks. Invalid states are reported as part of Process Selection.

Different organizations use different incident response flows. Process Definition was created so you can choose a process or customize an incident response flow to follow established processes. In addition to the major process definitions (NIST, SANS), some slight variations were added to help open up the flow. These definitions can be further customized using workflows, client scripts, or business rules.

The sn_si.ProcessDefinition main script include controls process definitions. Process Definition determines which definition is in use (using Process Selection). It calls the appropriate script include to determine the initial states and transitions for both security incidents and response tasks.

Important upgrade information

If you upgrade from an earlier version of Security Incident Response, none of your state flows are retained. Use the procedures in this section to set up process definitions as needed.

Security Incident Response Process Definition

The default process definition (NIST Stateful) defines the following incident states.

Note: Available states vary based on the current state of the incident.

Table 5: Security Incident process definition states

Draft: The request initiator adds information about the security incident, but it is not yet ready to be worked on.
Analysis: The incident has been assigned and the issue is being analyzed.
Contain: The issue has been identified and the security staff is working to contain it and perform damage control. These actions can include taking servers offline, disconnecting equipment from the Internet, and verifying that backups exist.
Eradicate: The issue has been contained and the security staff is taking steps to fix the issue.
Recover: The issue is resolved and the operational readiness of the affected systems is being verified.
Review: The security incident is complete and all systems are back to normal function; however, a post incident review is still needed.
Closed: The incident is complete. Before a security incident can be closed, you must fill out the information on the Closure Information tab.

Security Incident task process definitions

The following process definition states are used for security incident tasks.

Table 6: Task process definition states

Ready: The task is ready to be worked on once it is assigned to an agent.
Assigned: The task is assigned to an agent.
Work In Progress: The assigned agent is working on the task.
Complete: The task is complete.
Cancelled: The task was canceled.

Process Definition provides the following process definitions with the base system:
- NIST Stateful
- NIST Open
- SANS Open
- Example (if demo data is loaded)

Create a Security Incident Response process definition

You can create a process definition to define the way security incidents transition from one state to the next. Process definitions help service desks and end users track the problem throughout its life cycle.

Role required: admin and sn_si.admin

1. Navigate to Security Incident > Administration > Process Definition.
2. Click New.
3. Fill in the fields, as appropriate.

Table 7: Creating process definitions

Name: Name of the record, which describes the process encoded in the script include. The name is displayed as a choice in the Process Definition Selector list.
Script include: The name (including the sn_si. prefix) of the script include containing the definition of the process. The script must be in the Security Incident (sn_si) application scope. See Create a custom Security Incident Response process definition script include on page 16 for more information. If this field does not contain a valid script include name, the default ProcessDefinition_NIST_Stateful definition is used.
Description: Helpful information about the script include.
Order: Determines the position in the process definition list.
Active: When checked, makes this process definition selectable from the Process Definition Selector page.

4. Click Submit.

Create a custom Security Incident Response process definition script include

Create a custom Process Definition script defining the appropriate states for your company's security incidents and response tasks.

Role required: sn_si.admin

The sn_si.ProcessDefinition main script include controls process definitions. Process Definition determines which definition is in use (using Process Selection). It calls the appropriate script include to determine the initial states and transitions for both security incidents and response tasks.

1. Navigate to System Definition > Script Includes.
2. Click New.
3. Fill in the fields, as appropriate.

Table 8: Creating process definitions

Name: Name of this script include.
API Name: Created based on the name of the script include.

Client callable: Makes the script include available to client scripts, list and report filters, reference qualifiers, or, if specified, as part of the URL.
Application: Security Incident
Accessible from: Choose This application scope only.
Active: When checked, makes this script include selectable from the Process Definition page.
Description: Helpful information about the script include.
Script: Defines the server-side script to run when called from other scripts. The script must define a single JavaScript class or a global function. The class or function name must match the Name field. For information on script contents, see Process Definition script include on page

4. Click Submit.

Process Definition script include

The Process Definition script include provides methods for defining a process definition.

Implement the constants, attributes, arrays, and method calls described here to customize a process definition script include.

Where to use

Use this script include to create a process definition.

Script include body

The script include body is composed of three sections:
- Constants: initial state definitions
- Security Incident and Response Task: process definition arrays
- Method calls: retrieving information

Constants

Constants are used to define the initial states of security incidents and response tasks. The use of constants is optional but encouraged for readability. For example:

    INITIAL_INCIDENT_STATE: 10,
    INITIAL_TASK_STATE: 1,

These constants are later used by the following methods:

    getInitialIncidentState: function() {
        return this.INITIAL_INCIDENT_STATE;
    },
    getInitialTaskState: function() {
        return this.INITIAL_TASK_STATE;
    },

The next set of constants defines the states for both security incidents and response tasks. Each array also contains the definition of which states are available when the incident or task is in a specific state. For example:

    TASK_STATES: [
        {state: 1,  label: "Draft",            choice: [1, 10]},
        {state: 10, label: "Ready",            choice: [10, 16]},
        {state: 16, label: "Assigned",         choice: [16, 18]},
        {state: 18, label: "Work in Progress", choice: [18, 3]},
        {state: 3,  label: "Close Complete",   choice: []},
        {state: 7,  label: "Cancelled",        choice: []},
    ],

The example is an array of objects. Each object defines a state and its possible transition states. The order of the state objects determines the order of the flow. When the task is in the 'Draft' state (value 1), the possible states are 1 (Draft, which is no change) and 10 (Ready, the next step in the process).

There is no limit on the number of transitions out of a state. The 'Close Complete' and 'Cancelled' states are final states and therefore have no possible state transitions. The order of the attributes in the object is not important; if it makes the definition clearer, put the label first.

Attributes

Required attributes in a state definition object are:
- state: numerical value of the state
- label: human-readable text associated with the state
- choice: an array of state values the state can transition to (determines the content of the State dropdown)

Optional attributes are:
- mandatory: list of field IDs that become mandatory in this state
- readonly: list of field IDs that become read-only in this state
- visible: list of field IDs that become visible in this state
- notmandatory: list of field IDs that become non-mandatory in this state
- notvisible: list of field IDs that are no longer visible in this state

Note: If optional attributes are used, it is the author's responsibility to ensure that fields are made visible/invisible, mandatory/non-mandatory, or read-only appropriately between states. For example, hiding a field in one state does not make it visible in a later state unless the 'visible' attribute is used.

Process flow definition arrays

To define the information displayed in the process flow formatter (the bar at the top of the Security Incident and Response Task forms), the system requires information on what to display for each state. For example:

    TASK_PF: [
        {label: "Draft", condition: "state=1^EQ",
         description: "<p>Security Incident Response Task is in draft</p>"},
        {label: "Ready", condition: "state=10^EQ",
         description: "<p>Security Incident Response Task is ready to be assigned</p>"},
        {label: "Assigned", condition: "state=16^EQ",
         description: "<p>Security Incident Response Task is assigned</p>"},
        {label: "Work in Progress", condition: "state=18^EQ",
         description: "<p>Work has started on this Security Incident Response Task</p>"},
        {label: "Closed", condition: "state=3^ORstate=4^ORstate=7^EQ",
         description: "<p>Security Incident Response Task is complete</p>"},
    ],

The TASK_PF array is a collection of labels, conditions, and descriptions used to determine the text displayed in the process formatter bar (including order and activity). In the example, the text 'Ready' is the second item displayed. It is highlighted when the task satisfies the condition 'state=10^EQ'. When the pointer hovers over the text, the description 'Security Incident Response Task is ready to be assigned' is displayed.

Note: States can be combined into a single formatter state. In the example, both the 'Close Complete' and the 'Cancelled' states show up as 'Closed' in the top bar.

Method calls

The following methods must be present in the script include, as they are used by sn_si.ProcessDefinition:

- String getInitialIncidentState(): returns the initial incident state numerical value
- String getInitialTaskState(): returns the initial task state numerical value
- Array of strings getIncidentStates(): returns the incident states array
- Array of strings getTaskStates(): returns the task states array
- Array of objects getIncidentProcessFlows(): returns the incident process flow definition array
- Array of objects getTaskProcessFlows(): returns the task process flow definition array

The next set of methods is called whenever an incident or a task is updated and allows actions to be taken on specific state transitions:

- void performIncidentStateChange(current, previous): In the examples, this method is used to set SM-related values and ensure that an incident advances out of 'Draft' once someone is assigned to it.
- void performTaskStateChange(current, previous): In the example, this method is used to update timestamps (on assignment and closing) and advance the task from 'Ready' to 'Assigned' once the assigned_to field is filled.

The same actions performed by these two methods can be accomplished using a business rule. Defining them in the script include makes switching process definitions easier.

Security Incident Response Process Selection

Process Selection determines which process definition is in use and lists records with invalid states for security incidents and response tasks. You can choose among the three process definitions provided with the base system (NIST Stateful (default), NIST Open, SANS Open), or you can create your own. For more information, see Security Incident Response process definition on page
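The following is an added example, not ServiceNow's own code, that models the process definition script include described in the preceding section as plain JavaScript runnable in Node. It assumes a simplified shape (a plain object instead of ServiceNow's Class.create()/prototype boilerplate, and no GlideRecord access), keeps the task states and TASK_PF entries from the page's example, uses constructed numeric values for the incident states (the page only gives their labels), and adds hypothetical helper functions (allowedTransitions, isValidTransition, processFlowLabel, findInvalidStates) that show what the platform does with these arrays: building the State dropdown from the choice lists, matching a record against the formatter's encoded-query conditions, advancing a task from Ready to Assigned in performTaskStateChange, and, as Process Selection does after a definition switch, flagging records whose state the selected definition does not know.

```javascript
// Added example (not ServiceNow code): a plain-JavaScript model of a
// Security Incident Response process definition script include.
// ServiceNow's Class.create()/prototype boilerplate and GlideRecord access
// are replaced with plain objects so the logic runs offline in Node.

const ProcessDefinition_Example = {
  // Constants: initial states (values from the page's example)
  INITIAL_INCIDENT_STATE: 10,
  INITIAL_TASK_STATE: 1,

  // Incident states: labels follow Table 5; the numeric values are
  // constructed for this example, the page does not give them.
  INCIDENT_STATES: [
    { state: 10,  label: "Draft",     choice: [10, 16] },
    { state: 16,  label: "Analysis",  choice: [16, 18] },
    { state: 18,  label: "Contain",   choice: [18, 19] },
    { state: 19,  label: "Eradicate", choice: [19, 20] },
    { state: 20,  label: "Recover",   choice: [20, 100] },
    { state: 100, label: "Review",    choice: [100, 3] },
    { state: 3,   label: "Closed",    choice: [] },
  ],

  // Task states as in the page's TASK_STATES example
  TASK_STATES: [
    { state: 1,  label: "Draft",            choice: [1, 10] },
    { state: 10, label: "Ready",            choice: [10, 16] },
    { state: 16, label: "Assigned",         choice: [16, 18] },
    { state: 18, label: "Work in Progress", choice: [18, 3] },
    { state: 3,  label: "Close Complete",   choice: [] },
    { state: 7,  label: "Cancelled",        choice: [] },
  ],

  // Process-flow formatter entries; condition is a ServiceNow encoded query.
  INCIDENT_PF: [], // left empty here; built the same way as TASK_PF
  TASK_PF: [
    { label: "Draft",    condition: "state=1^EQ",  description: "<p>Task is in draft</p>" },
    { label: "Ready",    condition: "state=10^EQ", description: "<p>Task is ready to be assigned</p>" },
    { label: "Assigned", condition: "state=16^EQ", description: "<p>Task is assigned</p>" },
    { label: "Work in Progress", condition: "state=18^EQ", description: "<p>Work has started</p>" },
    { label: "Closed", condition: "state=3^ORstate=4^ORstate=7^EQ", description: "<p>Task is complete</p>" },
  ],

  // Accessor methods the platform requires
  getInitialIncidentState() { return this.INITIAL_INCIDENT_STATE; },
  getInitialTaskState()     { return this.INITIAL_TASK_STATE; },
  getIncidentStates()       { return this.INCIDENT_STATES; },
  getTaskStates()           { return this.TASK_STATES; },
  getIncidentProcessFlows() { return this.INCIDENT_PF; },
  getTaskProcessFlows()     { return this.TASK_PF; },

  // Called on every task update: move a task from Ready (10) to Assigned (16)
  // once assigned_to is filled, and stamp assignment/closing times.
  // `now` is injectable so the result is deterministic in tests.
  performTaskStateChange(current, previous, now = new Date()) {
    const next = Object.assign({}, current);
    if (next.state === 10 && next.assigned_to && !previous.assigned_to) {
      next.state = 16;
      next.assigned_at = now.toISOString();
    }
    if (next.state === 3 && previous.state !== 3) next.closed_at = now.toISOString();
    return next;
  },
};

// Hypothetical helpers standing in for what sn_si.ProcessDefinition does
// with the arrays above.

// Values the State dropdown may offer from `from` (its choice list),
// or null when `from` is not a state of this definition.
function allowedTransitions(states, from) {
  const entry = states.find((s) => s.state === from);
  return entry ? entry.choice.slice() : null;
}

function isValidTransition(states, from, to) {
  const allowed = allowedTransitions(states, from);
  return allowed !== null && allowed.includes(to);
}

// Formatter label highlighted for a state: parse conditions such as
// "state=3^ORstate=4^ORstate=7^EQ" into the state values they match.
function processFlowLabel(flows, state) {
  for (const f of flows) {
    const values = f.condition.replace(/\^EQ$/, "").split("^OR")
      .map((term) => Number(term.replace(/^state=/, "")));
    if (values.includes(state)) return f.label;
  }
  return null;
}

// What Process Selection reports after a definition switch: records whose
// state is not defined in the selected definition (returns their numbers).
function findInvalidStates(states, records) {
  const known = new Set(states.map((s) => s.state));
  return records.filter((r) => !known.has(r.state)).map((r) => r.number);
}

// Constructed sample records, not real instance data
const SAMPLE_TASKS = [
  { number: "SIT0010001", state: 16 },
  { number: "SIT0010002", state: 4 },  // valid only in an older definition
  { number: "SIT0010003", state: 99 },
];

if (typeof require !== "undefined" && require.main === module) {
  const def = ProcessDefinition_Example;
  console.log(isValidTransition(def.getTaskStates(), 1, 10));          // true
  console.log(processFlowLabel(def.getTaskProcessFlows(), 7));         // Closed
  console.log(findInvalidStates(def.getTaskStates(), SAMPLE_TASKS));   // [ 'SIT0010002', 'SIT0010003' ]
}
```

Running the file prints the three checks; the invalid-state list is the same information the Process Selection related lists surface, which is why an empty result after a definition switch means every active record is in a state the new definition supports.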

22 An administrator can correct the incident or task to valid states either manually or by using a script. An empty related list (no incidents, no tasks) indicates that every active task is in a valid state. Available states vary based on the current state of the incident. For more information, see Correct an invalid security incident or task state on page 22. Select a Security Incident Response process definition Choose which process definition to use for the appropriate states for your company security incidents and response tasks. Role required: admin and sn_si.admin Navigate to Security Incident Response > Administration > Process Selection. Çlick the search icon to list the available process definitions Select a process definition. Click Update. Correct an invalid security incident or task state An administrator can correct the security incident or task to valid states, either manually or by using a script. Available states vary based on the current state of the incident. Role required: admin and sn_si.admin After you have switched process definitions, the new definition may not support some of the old states. To correct the orphan incident or task states, you can change your process definition, edit your script include, or manually open each incident or task to update the state. Generally, updating the state (which can be done in bulk) is the easiest solution. To change states in bulk, do the following: Navigate to Process Selection. Highlight the State field for the incidents or tasks you want to change. Double-click the first one, choose the new State, and click the green check mark ( ) to change. 22

4. Click Update.

Create a Security Incident Response SLA

You can define a Service Level Agreement (SLA) for Security Incident Response.

Role required: sn_si.admin

1. Navigate to Security Incident > Setup > SLAs.
2. Click New.
3. For field descriptions and detailed instructions, see Create an SLA definition.

Create a security incident knowledge article

Your organization can create and maintain articles in the security incident knowledge base. These articles share security information, document the types of cyber threats that your organization faces, and provide answers and responses to these threats. Benefits of the security incident knowledge base include the following:

- Employees have one source of information that is easy to search.

- Information can be kept up to date, as knowledge articles have a defined life cycle: create, review and update, publish, and retire.
- Users are provided with a list of relevant articles when they enter a short description to create a security request, incident, or response task.

Note: It is important to assign a knowledge manager to each security incident knowledge base.

Role required: sn_sir.knowledge_admin

1. Navigate to Security Incident > Catalog & Knowledge > Knowledge.
2. Click Create New > Article.
3. Fill in the fields on the form, as appropriate.

Table 9: Knowledge form

Number: The automatically generated KB number.
Knowledge base: The knowledge base selected for this article.
Category: The category for this article.
Published: When this knowledge article was published. This value is set when the article is created, and updated when the article is published.
Valid to: When this knowledge article expires. The article does not appear in search results after this date, or if a date is not selected.
Image: An image that appears beside the article when searching from the legacy knowledge portal.
Workflow [Read-Only]: The publication state of the article, such as Draft or Published. When inserting a new article from an existing article, the state of the new article is reset to Draft.
Source: The task this knowledge article was created in response to, if any. This field is set automatically when you create the knowledge article from a task record.
Attachment link: Check box for downloading an attached file automatically when a user accesses the article, instead of opening the article view. Add an attachment to the article to use this option.
Display attachments: Check box for displaying attachments to users viewing this knowledge article. Attachments appear below the article text. Add one or more attachments to the article to use this option.
Short description: The title of the article. This title appears when browsing and searching knowledge, and at the top of the article.
Text: Content for the article. Use the WYSIWYG HTML editor to create content. A preview of the content appears when browsing and searching knowledge.

4. Click Submit to create the article.

After saving the article record, you can add tags to further organize the article.

Any additional steps required to publish the article, such as approvals, depend on the publishing workflow for the knowledge base.

Security incident calculators

Security incident calculators update record values when predefined conditions are met. The calculators are grouped based on the criteria used to determine how the records are updated. The Security Incident Response base system includes the following security incident calculator groups and calculators. Within each group, the first calculator that matches the conditions is run.

Table 10: Security incident calculators in the base system

Group: Business Criticality
  Aggregate from Severity Calculators: This calculator delegates to the Security Criticality Calculator, which determines criticality by weighing the values of other fields.

Group: Severity
  Business Impacted: This severity calculator defines its selection criteria using a simple condition builder. If the configuration item in the security incident is associated with the Sales, Finance, or HR business units, the Severity field is elevated to 1 - High.
  Critical service affected: This severity calculator defines its selection criteria using an advanced condition. If the configuration item in the security incident is associated with a highly critical business service, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.
  Critical service changes: This severity calculator defines its selection criteria using an advanced condition. If the security incident meets the conditions, a script runs to define what levels the fields are elevated to. If the configuration item in the security incident is associated with a most critical or somewhat critical business service, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.
  Multi-Attack Vectors: This severity calculator defines its selection criteria using a simple condition builder. If the configuration item in the security incident is associated with web, , and impersonation attack vectors, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator.

When you create a security incident, the Risk, Impact, Priority, and Severity fields contain default values. When you save the incident, a business rule automatically validates the information in the security incident against the conditions defined in each of your active severity calculators. They are validated one calculator at a time, in the order defined by the Order field in each calculator. If the information in the security incident matches the conditions defined in one of the calculators, the severity field values are updated according to the rules set up in that calculator.

For example, assume that you create a security incident for an affected CI, and the CI is highly critical. When the security incident is saved, the CI information is compared to the conditions defined in the severity calculators. When the security incident is validated against the Critical service affected severity calculator, the severity fields are automatically updated, and a message similar to the following appears at the top of the security incident.

You can use these severity calculators as they are, or you can edit them to more closely meet the needs of your business. For example, if you want to identify web and threats that are specific to the Finance business unit, you can make these changes to the conditions of the Multi-Attack Vectors calculator:

[Attack Vector] [contains] [Web]
[Attack Vector] [contains] [ ]
[Business Unit] [contains] [Finance]

You can also update the severity values in an existing security incident at any time by opening the record and clicking the Calculate Severity related link.
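The evaluation order described above (calculators grouped, sorted by Order, first match per group applied), shown as an added example that is not ServiceNow code and is not the product's business rule. Calculators are modelled as plain objects carrying the form fields discussed in this section (group, Order, Active, a condition, and either template values or script values); the calculator names follow Table 10, but their conditions, the field values they apply, and the incident records are constructed assumptions.

```javascript
// Added example, not ServiceNow code: how calculator groups are evaluated
// against a security incident. The "Calculate Severity" business rule is
// modelled as calculateSeverity(); conditions and values are constructed.

var exampleCalculators = [
  // Group 'Severity': sorted by Order, the first active calculator whose condition matches wins.
  { group: 'Severity', name: 'Business Impacted', order: 100, active: true,
    condition: function (si) { return ['Sales', 'Finance', 'HR'].indexOf(si.business_unit) !== -1; },
    template: { severity: 1 } },
  { group: 'Severity', name: 'Critical service affected', order: 200, active: true,
    condition: function (si) { return si.service_criticality === 'highly critical'; },
    template: { risk: 1, impact: 1, priority: 1, severity: 1 } },
  { group: 'Severity', name: 'Critical service changes', order: 300, active: true,
    condition: function (si) {
      return ['most critical', 'somewhat critical'].indexOf(si.service_criticality) !== -1;
    },
    // "Use script values": a script decides the levels instead of a fixed template.
    scriptValues: function (si) {
      var top = si.service_criticality === 'most critical';
      return { risk: top ? 1 : 2, impact: top ? 1 : 2, priority: top ? 1 : 2, severity: top ? 1 : 2 };
    } },
  { group: 'Severity', name: 'Multi-Attack Vectors', order: 400, active: true,
    condition: function (si) {
      return ['Web', 'Impersonation'].every(function (v) { return si.attack_vectors.indexOf(v) !== -1; });
    },
    template: { risk: 1, impact: 1, priority: 1, severity: 1 } },
  // Group 'Business Criticality' is evaluated after 'Severity' and reads its result.
  { group: 'Business Criticality', name: 'Aggregate from Severity Calculators', order: 100, active: true,
    condition: function () { return true; },
    scriptValues: function (si) { return { business_criticality: si.severity <= 1 ? 'High' : 'Normal' }; } }
];

// Active calculators bucketed by group, each bucket sorted by Order (100 runs before 200).
// Groups keep the order in which they first appear in the calculator list.
function groupsInOrder(calculators) {
  var byGroup = {};
  calculators.forEach(function (c) {
    if (!c.active) return;
    (byGroup[c.group] = byGroup[c.group] || []).push(c);
  });
  Object.keys(byGroup).forEach(function (g) {
    byGroup[g].sort(function (a, b) { return a.order - b.order; });
  });
  return byGroup;
}

// Mutates the incident's fields and returns the names of the calculators applied
// (at most one per group).
function calculateSeverity(incident, calculators) {
  var byGroup = groupsInOrder(calculators);
  var applied = [];
  Object.keys(byGroup).forEach(function (group) {
    var calcs = byGroup[group];
    for (var i = 0; i < calcs.length; i++) {
      if (!calcs[i].condition(incident)) continue;
      var values = calcs[i].scriptValues ? calcs[i].scriptValues(incident) : calcs[i].template;
      Object.keys(values).forEach(function (field) { incident[field] = values[field]; });
      applied.push(calcs[i].name);
      break;  // first match in the group wins; later calculators in the group are skipped
    }
  });
  return applied;
}

// Constructed incident with the default Risk/Impact/Priority/Severity values a new record carries.
function newIncident(overrides) {
  var si = { risk: 3, impact: 3, priority: 3, severity: 3, business_unit: '', service_criticality: '', attack_vectors: [] };
  Object.keys(overrides).forEach(function (k) { si[k] = overrides[k]; });
  return si;
}
```

Note the consequence of first-match semantics: a Sales incident on a highly critical service is picked up by Business Impacted (Order 100), so only Severity is elevated and Risk, Impact and Priority keep their defaults even though Critical service affected would also have matched. Adjusting the Order field is how you change that outcome.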
Create a security incident calculator

Security incident calculators allow you to calculate the severity of a security incident based on predefined formulas. You can define your own security incident calculators, as needed.

Role required: sn_si.admin

1. Navigate to Security Incident > Setup > Security Incident Calculator Groups.
2. Click the name of the group for which you want to create a calculator, or create a new group.
3. Click New.
4. Fill in the fields on the form, as appropriate.

Name: The name of the security incident calculator.
Calculator Group: Name of the group to which this calculator belongs. Note: Creating or changing the calculator group becomes available once you have entered a Name and Table.
Table: Select the table to be used for this calculator. When you add calculators to tables other than Vulnerability [sn_vul_vulnerability] and Vulnerable Item [sn_vul_vulnerable_item], you must add business rules and UI Actions to those tables. To see examples:
  - Navigate to System Definition > Business Rules, and locate the Calculate Severity business rule on the Vulnerable Item [sn_vul_vulnerable_item] table.
  - Navigate to System UI > UI Actions, and locate the Calculate Severity UI action on the Vulnerable Item [sn_vul_vulnerable_item] table.
  Also, the vulnerability admin role must be granted full read and write (or save_as_template) capabilities on any table used by a calculator in order to see the values to apply to the template.
Application: The scoped application to which the calculator belongs.
Order: The order in which the security incident calculator runs. A calculator with an order entry of 100 runs before a calculator with an order entry of 200.
Active: Turn the calculator on or off.
Description: A description of this calculator.

5. Right-click the form header and select Save. Two tabs, Conditions and Values to Apply, appear.
6. Fill in the fields in the Conditions tab, as appropriate.

Use filter group: Select this check box to use a predefined filter group, or create a new filter group, to define the calculator criteria.
Filter group: Select the filter group to use for defining the calculator. This field appears only if you selected the Use filter group check box.
Use advanced condition: Select this check box to indicate that a script condition is used to determine when this calculator is applied. When you select the check box, an Advanced condition scripting field appears. If you selected the Use filter group check box, this field is hidden.

Note: Before you define advanced conditions and write scripts for determining when the security incident calculators are applied, return to the Security Incident Calculators list and explore the calculator records shipped with the base system.

Condition: Defines basic filter conditions for determining whether the calculator is used. If you selected either the Use filter group or the Use advanced condition check box, this field is hidden.

7. Click the Values to Apply tab and fill in the fields on the form, as appropriate. You can either create a script that defines the values to apply, or define a template based on fields in the selected table.

Use script values: Select this check box to define field values with a script.
Script values: Defines what values to apply. This field appears only if you selected the Use script values check box.
Template: Select the fields and values you want to use for the calculator.

8. Right-click the form header and select Save.
9. When you have completed all entries, click Submit.

Create a security incident calculator group

Security incident calculator groups are used to group calculators.

Role required: sn_si.admin

1. Navigate to Security Incident > Setup > Security Incident Calculator Groups.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Name: The name of the security incident calculator group.
Application: The application that contains this record.
Order: The order in which the security incident calculator group is run. A group with an order entry of 100 runs before a group with an order entry of 200.
Description: A description of this calculator group.

4. Click Submit.

Security Incident Catalog

The Security Incident Catalog provides a customer-facing view of available security incident products and services. This catalog allows your organization to promote these offerings in a structured and easily navigable way. You can access the catalog by navigating to Self-Service > Security Incident Catalog.

Create a security incident catalog item

Define a catalog item for the product or service that you want to make available in the security incident catalog.

Role required: sn_si.admin

1. Navigate to Security Incident > Catalog & Knowledge > Maintain Catalog Items.
2. Click New.
3. Enter the catalog item details (see table).

Table 11: Security incident catalog item form

Name: Enter the item name to appear in the catalog.
Active: Select the check box to activate the catalog item.
Availability: Define which devices display the item: Desktop and Mobile, Desktop Only, or Mobile Only. Note: Unsupported catalog item types are not displayed on mobile devices, even if Availability is set to show an item of this type.
Catalogs: Select the catalogs this item appears in.
Category: Select a category for the item. Only categories that exist within your current scope appear. For example, to see Security incident categories, you must be an admin and have Security Incident selected as your application.
Workflow: Select either a workflow or an execution plan (formerly named delivery plan) to define how the item request is fulfilled. If you select a workflow, the Execution Plan field is hidden. Clear the Workflow field to select an execution plan.
Execution Plan: Select either a workflow or an execution plan (formerly named delivery plan) to define how the item request is fulfilled. If you select a workflow, the Execution Plan field is hidden. Clear the Workflow field to select an execution plan.
Icon: Upload a 16x16 pixel image to appear as an icon beside the item name in the catalog. If no image is uploaded, the default icon appears beside this item. To use your own default icon, upload the image. The uploaded image overwrites the default image stored in images/service_catalog/generic_small.gif.
Application: Select the application that owns this catalog item.
Price: Set a price for the item and select the currency from the choice list.
Recurring price: Set a price that occurs at a regular interval. For example, a printer maintenance service can have a $ monthly recurring price. For details, see Setting Recurring Price.
Recurring price frequency: Select the interval for recurring prices, such as Monthly or Annually, only if the Recurring Price field has an entry.
Picture: Upload an image of the item.
Short description: Enter text that appears on the service catalog homepage, in search results, and in the title bar of the order form.
Description: Enter a description to display in the catalog when a user selects the item or clicks the associated Preview link.

Mobile
Mobile picture type: Select the picture to display for the item on mobile devices. Select Desktop to display the standard desktop picture, Mobile to display the image uploaded with the Mobile picture field, or None to display no picture.
Mobile picture: Upload the picture to display for the item on mobile devices when Mobile picture type is set to Mobile.
Hide price (mobile listings): Select this check box to hide the item price on mobile devices.

4. Click Submit.
5. [Optional] Assign the item to more catalogs and categories.
6. Define variables for the item, if applicable.

Create a security incident response template

Security incident response templates are used to create security incident catalog items that share the same information.

Role required: sn_si.admin

1. Navigate to Security Incident > Catalog & Knowledge > Security Incident Templates.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 12: Security incident templates form

Request information
Name: Unique and descriptive name for this template.
Short description: Content that is copied into the Short description field of a security incident when this template is used. The exception is a security incident created from an incident, problem, or change request, which always uses the short description of the source task, even when a template is applied.
Description: More in-depth description of the purpose of the template.
Checklist template: An informal list of questions or tasks used as a reminder for the agent working on this task.

Task information
Task type: The task type to be associated with the template. The task types for all installed service management applications can be selected.
Name: Unique and descriptive name for this task. As you start to type the description of the task, fields for your next task appear.
Description: A description of this task.
Depends on: The tasks that must be completed before this task can be performed. To make this selection for the first task, you must first create the subsequent tasks.
Checklist template: An informal list of questions or tasks used as a reminder for the agent working on this task.

To add more fields to either the request or task sections, complete the following steps.
a) Click Edit fields in the form header. An add field choice list appears in the Request information and Task information sections.
b) Select the field to add. The field is added to the form, and you can add more fields if required.

4. Click Submit.
5. In the Publish Template dialog box, select a category from the Category drop-down list. Categories for the security incident catalog are defined from Service Catalog > Catalog Definitions > Maintain Categories.
6. Click Save.

Security Incident Response monitoring

Security Incident Response monitoring provides high-level graphical interfaces that allow security managers to pinpoint areas of concern.

Security Incident Response Overview

The Security Incident Response Overview provides an executive view into security incident activity, providing trends and reports, and drill-down into specific data. When the Security Incident Analytics plugin is activated, users with certain roles can view data of interest to the Chief Information Security Officer (CISO).

The Overview module displays security incident information that is tailored to the role of the user. You can point to any part of a chart (bar, pie, data point, heatmap, and so on) to view general data specific to that part. See the following image. If you click any part of a report, a list opens to provide detailed information.

Security Incident Manager Overview

Users with the Security Incident Administrator and Security Incident Manager roles view the Security Incident Manager Overview. It contains the following reports in the base system.

Table 13: Security Incident Manager Overview reports

Team Critical Security Incidents (single score): The number of critical security incidents assigned to the team.
Team High Security Incidents (single score): The number of high security incidents assigned to the team.
SLAs expiring within 24 hours (single score): The number of SLAs that expire within the next 24 hours.
Risk vs Severity (heatmap): The distribution of security incidents assigned to the team by risk and severity.
Security Incidents by CI Class, last 3 months (bar chart): The count of security incidents assigned to the team by configuration item class.
Trend of All Security Incidents (trend): Plots the count of security incidents received by category or priority.
Unauthorized Access Security Incidents (bar chart): Displays the types of security incident categories received over time.
Average Time to Contain (single score): The average time it takes to contain all security incidents.
Average Time to Contain Critical (single score): The average time it takes to contain all critical security incidents.
Average Time to Identity (single score): The average time it takes to identify all security incidents.

Security Analyst Overview

Users with the Security Incident Analyst role view the Security Analyst Overview. It contains the following reports in the base system.

Table 14: Security Analyst Overview reports

My Critical Priority Work (single score): The number of critical security incidents assigned to me.
My High Priority Work (single score): The number of high security incidents assigned to me.
My SLAs expiring within 24 hours (single score): The number of SLAs assigned to me that expire within the next 24 hours.
Security Incidents assigned to me (bar chart): Security incidents assigned to me by incident state or category.
Work assigned to me by Type (bar chart): Security tasks (incidents, tasks, or requests) assigned to me by type or priority.
Security Incidents, Requests, Tasks assigned to me (list): A list of all security incidents, security requests, and tasks assigned to me.
Security Incident Location (map): Regional location of the security incidents.
Count (map): Number of security incidents per region.
Min/Max Count (color spectrum bar): The minimum and maximum numbers of security incidents per region, represented by a color spectrum bar.
Percentage of Count (map): Percentage of the total incident count per region.

Security Incident CISO Overview with Security Incident Analytics activated

When the Security Incident Analytics plugin is activated, users with the Security Incident CISO and System Administrator roles view the Security Incident CISO Overview. The following CISO reports are provided in the base system.

Table 15: Security Incident CISO Overview reports (with Security Incident Analytics activated)

New Security Incidents This Week (single score): The number of new security incidents received in the current week.
Security Incidents Closed This Week (single score): The number of security incidents closed in the current week.
New Security Incidents (Running 7 Days) (single score): The number of security incidents opened within the last 7 days.
Security Incidents Closed (Running 7 Days) (single score): The number of security incidents closed within the last 7 days.
Daily New Security Incidents vs Closed Security Incidents (trend): New and closed security incident counts over time, by day.
Weekly New Security Incidents vs Closed Security Incidents (trend): New and closed security incident counts over time, by week.
Security Incident Close Code (trend): Full count of closure codes over time.
Security Incident Business Criticality (treemap): Business services with security incidents, with available groupings by business criticality.
Average Time to Contain (Weekly) (trend): The 7-day average time it takes to contain a security incident, over time.
Average Time to Eradicate (Weekly) (trend): The 7-day average time it takes to eradicate a security incident, over time.
Average Time to Identity (Weekly) (trend): The 7-day average time it takes to identify a security incident, over time.
Security Incident Location (map): Regional location of the security incidents.
Count (map): Number of security incidents per region.
Min/Max Count (color spectrum bar): The minimum and maximum numbers of security incidents per region, represented by a color spectrum bar.
Percentage of Count (map): Percentage of the total incident count per region.

Security Incident CISO Overview without Security Incident Analytics activated

When the Security Incident Analytics plugin is not activated, users with the Security Incident CISO and System Administrator roles view the Security Incident CISO Reporting Overview. The following CISO reports are provided in the base system.

Table 16: Security Incident CISO Overview reports (without Security Incident Analytics activated)

New Security Incidents This Week (single score): The number of new security incidents opened in the current week.
Security Incidents Closed This Week (single score): The number of security incidents closed in the current week.
New Security Incidents (Running 7 Days) (single score): The number of security incidents opened within the last 7 days.
Security Incidents Closed (Running 7 Days) (single score): The number of security incidents closed within the last 7 days.
Weekly New Security Incidents (trend): The new security incidents opened on a weekly basis.
Weekly Closed Security Incidents (trend): The security incidents closed on a weekly basis.
Security Incident Close Codes (trend): Security incident close codes over time.
Business Services with Security Incidents - Business Criticality (treemap): Business services with security incidents, with available groupings by business criticality.
Average Time to Contain (single score): The average time it takes to contain all security incidents.
Average Time to Contain Critical (single score): The average time it takes to contain all critical security incidents.
Average Time to Identity (single score): The average time it takes to identify all security incidents.

Security Incident Response Explorer

The Security Incident Response Explorer provides a graphical view into security incident activity. It is provided with the base system. When the Security Incident Analytics plugin is activated, users can view filtered data. The Security Incident Response Explorer homepage displays security incident information that is tailored to the role of the user.

Note: When the Security Incident Analytics plugin is activated, you can use Interactive Filters on the dashboard version to filter data. See Security Incident Response Explorer dashboard.

You can point to any part of a chart (bar, pie, data point, heatmap, and so on) to view general data specific to that part. See the following image. If you click any part of a report, a list opens to provide detailed information.


Security Incident Response Explorer homepage

The Security Incident Response Explorer contains the following reports.

Table 17: Security Incident Response Explorer reports

Security Incidents (single score): Total number of security incidents that match the areas shown.
Security Incident Assignment Heatmap (heatmap): The number of security incidents per assignment group and priority.
Security Incidents by Attack Category (bar chart): The number of security incidents per attack category.
Security Incident Closures by Priority (bar chart): The number of security incidents closed, in order of priority.
Security Incident Map (map): Security incident data by geographical location. The world map is highlighted in every area in which an incident occurs. The map allows you to drill down to security incident information by location.

Security Incident Response Explorer dashboard

The Security Incident Response Explorer dashboard displays the same security incident information as the homepage. You can point to any part of a chart (bar, pie, data point, heatmap, and so on) to view general data specific to that part. Interactive filters allow you to customize your view. See the following image. If you click any part of a report, a list opens to provide detailed information.


Table 18: Security Incident Response Explorer dashboard filters

[Optional] These filters are only available when the Security Incident Analytics plugin is activated.

Security Incident - Subcategory (drop-down menu): Provides real-time filtering on the selected category.
Security Incident - Subcategory (drop-down menu): Provides real-time filtering on the selected subcategory.
Priority (drop-down menu): Provides real-time filtering based on priority.
Security Incident - Active (radio button): Provides real-time filtering on active incidents.
Security Incident - Criticality (check box): Provides real-time filtering based on criticality.

Access Security Incident Response Explorer

You can access the Security Incident Response Explorer dashboard to view security incident activity, pinpoint areas of concern, and quickly resolve issues.

Role required for homepage and dashboard: sn_si.admin (to write), sn_si_basic (to read)

1. Navigate to Self-Service > Homepage, or navigate to Self-Service > Dashboards.
2. Choose Security Incident Explorer from the reports list.

Security incident treemaps

When the Security Incident Analytics plugin is activated, you can add the Security Incident - Service Impact and Security Incident - Real time treemaps to the Security Incident Response overview. After they have been added, you can configure the treemaps by modifying treemap categories and indicators.

Add treemaps to the Security Incident Response overview

Treemaps display hierarchical (tree-structured) data as a set of nested rectangles. Each branch of the tree is given a rectangle, which is then tiled with smaller rectangles representing sub-branches. Treemaps allow you to display security incident information in a dynamic, engaging way.

Role required: sn_si.admin

1. Navigate to Security Incident > Overview.
2. Click Add content in the top left corner of the page to open the widget selection control.
3. In the first selection box, click Treemap.

4. In the second selection box, select the treemap you want to insert from the following list:
   - Security Incident - Service Impact
   - Security Incident - Real time
   - Security Incident - Business Criticality
   - Vulnerability Significance

   Note: The Business Criticality treemap appears on the Security Incident Response homepage by default. The Service Impact and Real time treemaps require that the Security Incident Analytics plugin is activated.

5. In the third selection box, select the level of granularity of information you want retrieved for the selected treemap.

   Note: For the Security Incident - Service Impact treemap, select Security Incident in the third selection box. This selection provides a drop-down list with multiple data categories.

6. At the bottom of the screen, click the location on the screen where you want to add the gauge.
7. Close the Add content box.

Create or update a treemap category

You can modify the predefined categories for the security incident treemaps or create categories as needed.

Role required: sn_si.admin

The treemaps use Performance Analytics as the data source. The Performance Analytics module requires a separate plugin.

In the base system, treemap categories such as Incident Risk, Denial of Service, and Incident Severity are included. You can modify these categories or define more categories as needed.

1. Navigate to Security Incident > Administration, and open the treemap definition you want to configure categories for:
   - Service Criticality Reporting Definition
   - Real-time Definition
2. Optional: Change the treemap definition name. In the base system, the default name for the service impact treemap definition is Security Incident. The default name for the real-time treemap definition is Security Incident - Real time.
3. Unless you are using a custom-built treemap, do not change the PA Indicator Group value.
4. To deactivate the treemap definition, clear the Active check box. If, for example, you deactivate the Denial of Service category from the system impact dashboard, that treemap category is no longer available.
5. In the Treemap Categories related list, select a category to modify, or click New to create a new category.
6. Fill in the fields.

Table 19: Treemap Category form

Name: The name that is displayed for the category in the Categories list above the treemap.
Order: The order in which the category appears in the Categories list above the treemap.
Treemap: The name of the treemap that uses this category.
Color: The color displayed for this category in the treemap.
Active: Select to activate this category.
Description: A description of the category.
Visible by all roles: Select to make this category visible to all users regardless of their role.
Roles: If you did not select the Visible by all roles check box, select the roles able to view this category.

7. Click Submit or Update.

Create or update a treemap indicator

You can modify the predefined indicators for a treemap category or create new indicators. For each indicator, you can configure its data source and specify how lists of security incidents are opened from treemaps that are viewed with the indicator.

Role required: sn_si.admin

The treemaps use Performance Analytics as the data source. The Performance Analytics module requires a separate plugin.

1. Open the treemap definition that you want to configure indicators for.

Service impact treemap: Navigate to Security Incident > Administration > Service Impact Definition.
Real-time treemap: Navigate to Security Incident > Administration > Real-time Definition.

2. In the Treemap Categories related list, select the category that you want to configure indicators for.
3. In the Treemap Indicators related list, select an indicator to modify, or click New to create a new indicator.
4. Fill in the fields.

Table 20: Treemap Indicator form

Name: The name that is displayed for the indicator in the Indicators list on the service impact dashboard.
Short description: A description that is displayed for the indicator in the Indicators list above the treemap.
Result limit: The maximum number of results allowed. The upper limit is 100.
Result Precision: The number of digits to display after the decimal point. This field is displayed for the real-time treemap definition only.
Active: Check box to activate this indicator.
Category: The category name entered on the previous screen.
Direction: Indicates whether the tile on the treemap is minimized or maximized. This field is displayed for the real-time treemap definition only.
Unit: The unit of measure to be used for the metric. This field is displayed for the real-time definition only.
Automatic Refresh Interval: How frequently to refresh the treemap.
Order: The order in which the indicator appears in the Indicators list above the treemap.

5. Click the Data Source Configuration tab and configure one of the following data source options for the indicator.

Performance analytics: Select Performance Analytics from the Data source field, then make the following entries:
  Indicator: The indicator used to group the PA data.
  Default breakdown: The default breakdown used to break the selected PA indicator into multiple parts.

Custom script: Select Custom Script from the Data Source field. Then use the HTML editor to customize the script as needed. The result of running the script must be an array in order for the information to display in the treemap.
Query conditions: Select Query Condition from the Data Source field, and then make the following entries:
   Query table: The base table to be queried.
   Aggregate type: The type of aggregate (SUM, COUNT, AVG, MIN, MAX) to be used.
   Aggregate field: The field to be used by the query.
   Group by: The field by which the queried data is grouped.
   Note: To refine the query, click Add Filter Condition and Add "OR" Clause.
6. Click the Click Through tab, and specify how lists of security incidents are opened from the treemap.
   a) In the Click through URL navigation type field, select whether you want the list of security incidents to open in a new window, in the same window, or in a dialog box.
   b) Optional: In the Click through URL script field, modify the sample script if needed.
7. Click Submit or Update.

Add vulnerability significance charts to an overview

If the Vulnerability Response plugin is activated, you can add vulnerability significance definition charts and other visualizations to the Overview.

Role required: sn_si.admin

1. Navigate to the Overview page to which you want to add the vulnerability significance gauge.
2. Click Add content in the top left corner of the page to open the widget selection control.
3. In the three selection boxes, make the selections for the gauge (tree map or score report) that you want to add:
   Vulnerability Significance tree map: Treemap, Vulnerability Significance, Vulnerability Significance.
   Vulnerability Significance score report: Performance Analytics, Score, Services with Vulnerability Significance.
4. Click the location on the screen where you want to add the gauge.
5. Close the Add content box.

Security incident map

The security incident map provides data by geographical location. The world map is highlighted in every area in which an incident occurs. When the Security Incident Analytics plugin is activated, you can add the security incident map to the Security Incident Response overview. After it has been added, you can configure the map by modifying the map filters.

Add map to Security Incident Response overview

You can add the map to the Security Incident Response overview to view security incident data by geographical location. A map allows you to drill down to security incident information by location.

Role required: sn_si.admin

1. Navigate to Security Incident > Overview.
2. Click Add content in the top left corner of the page to open the widget selection control.
3. In the first selection box, click Reports.
4. In the second selection box, click Security Incident.
5. In the third selection box, click Security Incident map.


6. At the bottom of the screen, click the location on the screen where you want to add the report.
7. Close the Add content box.

Modify security incident map

Administrators in the global domain can modify how the security incident map handles security incidents by using filters.

Role required: sn_si.admin

1. Navigate to Reports > Administration > All.
2. Search for Security Incident map.
3. Click Edit Report.
4. Click Add Filter Condition to add or edit filters.
5. Click Run to see the changes applied.
6. Click Save.

Security incidents

Security incidents are created in numerous ways, some manually and others automatically. You can also create response tasks, which define the actual steps to handle the security incident.

If you have a security role, you can use any of the following methods to manually create security incidents.

Table 21: Methods for manually creating security incidents

Manually created from the Self-Service Security Incident catalog: You can create security incidents by selecting from categories of security threats defined in the security incident catalog.
Manually created from incidents: On the Incident form in incident management, click Create Security Incident to create a new security incident.
Manually converted from a security request: On the Security Request form, click Convert to Security Incident to create a new security incident.
Manually created from an alert: On the Event Management Alert form, click Create Security Incident to create a new security incident.
Manually created from the Security Incident list: New Security Incident Response records can be created using the Create New module on the navigation bar.
Manually converted from a vulnerability record (if the Vulnerability Response plugin is activated): On the Vulnerability Items form, click Create Security Incident to create a new security incident.

Automatic creation of security incidents

Generally, security admins are responsible for setting up the alert rules used to automatically generate security incidents.

Table 22: Security admin method for creating security incidents

Automatically created using alert rules: Security incidents can be created based on alert rules defined in the Event Management application for your data center.

Security incident manual creation

You can create a security incident from the Security Incident form, as well as from several other forms. You can create security incidents based on an existing record from the following forms:

From any security incident list
Incident form
Event Management Alert form
Vulnerable Items form
Security Request form

Manually create a security incident from a Security Incident form

You can create a security incident from the Security Incident form, as well as from several other forms.

Role required: sn_si.basic

You can create security incidents based on an existing record from the following forms:

Incident form
Event Management Alert form
Vulnerable Items form
Security Request form

You can also create security incidents using these methods:

From any security incident list.
Select a security incident from the Security Incident Catalog.
Automatically create a security incident from alerts via alert rules.

1. Navigate to any security incident list (for example, Security Incident > Incidents > Unassigned Incidents), and click New.
2. Fill in the fields on the form, as appropriate.

Table 23: Security incident

Number: [Read only] The security incident number.
Requested by: The person requesting the work to be performed.
Configuration Item: The server, computer, router, or other configuration item affected by the security issue.
Affected user: The person affected by the security issue.
Location: The location of the requester or resource. If a Configuration Item is not selected, this field is pre-filled with the location of the requester.
Category: The category that identifies the type of security issue.
Subcategory: The subcategory that further defines the issue.
Opened: [Read only] Displays the date and time the incident was opened.
State: The current state of the security incident. Upon security incident creation, this field defaults to Draft.
Substate: Identifies whether the security incident includes a pending problem or change.
Source: Identifies the source of the security incident, such as log monitoring, a phone call, or an incident.
Business criticality: Select the importance of this security incident to your business. The default value is Non-critical. If, after the security incident record has been saved, you change the value in the Priority field, or in the Impact, Severity, and/or Risk fields on the General tab, the Business criticality is recalculated.

Priority: Select the order in which to address this security incident, based on the urgency. If this value is changed after the record is saved, it can affect the Business criticality calculation.
Assignment group: The group to which this security incident is assigned.
Assigned to: The individual assigned to perform the work.
Short description: A brief description of the security incident. As you type the short description, links to related articles from the knowledge base appear. Scanning that information could solve your issue.

3. Right-click in the record header and select Save.
4. Select the following tabs and complete the information, as appropriate.

Table 24: Security incident tabs

Incident Details tab

Read access: Gives a user with the special access role read access to the security incident. The user is able to read and write work notes. See Roles installed with Security Incident Response on page 133 for more information. Note: If a user is added to both the Read access and Privileged access lists, only the Privileged access permissions persist.
Watch list: Click the lock icon to add users who are notified when changes to the security incident occur. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
Privileged access: Gives a user with the special access role read and write access to all fields of the security incident except Assigned to. Users with special access roles have their own module containing all security incidents assigned to them. No other modules are available to them. No one else can see the Visible to Me module. Note: Only an assigned user or someone with a security role (for example, sn_si_analyst or sn_si.admin) can change the Assigned to field. If a user is added to both the Read access and Privileged access lists, only the Privileged access permissions persist.

Work notes list: Click the lock icon to add users who are notified when new work notes are added. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
Description: Enter a full description of the security incident, along with any information that can help to find the cause or resolve the issue.
Additional comments: Enter comments that are visible to the requesting user.
Secure notes: Click the lock icon to unlock the field, enter work notes that are visible to the security users, and click the icon again to lock it.
Activity: All task activity (actions, comments, work notes, and so on) on related records for this security incident. This field is dynamically updated as other users work on this incident or on tasks related to this incident.

Related Records tab

Problem: Select a Problem (PRB) record that resolves the underlying issue that caused this security incident to be created. The PRBs for this incident are typically created by right-clicking in the security incident form header and selecting Create Problem.
Parent: Select a task record related to the underlying issue that caused this security incident to be created.
Parent security incident: Select a security incident record related to the underlying issue that caused this security incident to be created. See Parent and child security incident relationships on page 57.
Incident: Select an Incident (INC) record that resolves the underlying issue that caused this security incident to be created. The incident is typically created by right-clicking in the security incident form header and selecting Create Incident.
Change request: Select a Change Request (CHG) record that resolves the underlying issue that caused this security incident to be created. The change request is typically created by right-clicking in the security incident form header and selecting Create Change.

Security Incident Observables tab

Source IP: Typically the IP address of a computer on which malware was detected. Note: If Threat Intelligence and Palo Alto Networks - Firewall are activated, changing or adding a value to this field causes the Palo Alto Networks - Get Log Data workflow to execute. The workflow retrieves enriched threat log data from the firewall and attaches it to the security incident. The information is also parsed and displayed in the Firewall Logs section under the Enrichment Data tab.
Destination IP: The IP address the malware attempted to communicate with.
Malware URL: For phishing emails, the URL that is accessed if the targeted user clicks the link.
Referrer URL: When the user clicks a link in a phishing email, this field shows the URL of the final jump before the malware URL is accessed.
Malware hash: An identification (specifically, a message digest hash) of the malware program.
Other IoC: Other Security Incident Observables used to identify the malware.

The following tabs are not available until you have saved or submitted the security incident.

Enrichment Data tab

Raw data details are stored in an attachment to the enrichment data record. If they exceed the field limit, the displayed details are truncated.

Security Enrichment Data: Stores raw enrichment data from Security Incident Response workflows, such as retrieving network statistics or running processes.
Malware Results: Stores enrichment data from malware detection systems, such as the Palo Alto Networks enrichment workflows for WildFire and AutoFocus.
Running Processes: Stores the records created by the Security Incident Response Get Running Processes workflow.
Network Statistics: Stores the records created by the Security Incident Response Get Network Statistics workflow.
Firewall Logs: Stores enrichment data from firewall logs, such as the Palo Alto Networks firewall logs.

Threat Intelligence tab

Associated Attack Modes/Methods: If Threat Intelligence is activated, you can view any other attack types associated with any of the same threat records.
Associated Indicators: If Threat Intelligence is activated, you can view any other indicators associated with any of the same threat records.
Associated Observables: If Threat Intelligence is activated, you can view any other observables associated with any of the same threat records.

Resources with Similar IoC: If Threat Intelligence is activated, you can view any other resources with similar indicators.
Users with Similar IoC: If Threat Intelligence is activated, you can view any other users with similar indicators.

Vulnerability Details tab

Vulnerability Groups: If Vulnerability Response is activated, you can view vulnerability groups associated with this security incident.
Vulnerability Items: If Vulnerability Response is activated, you can view vulnerability items associated with this security incident.

Post Incident Review tab

Request assessments: Click the lock icon to add users who participate in the post-incident review. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
Post incident report: The generated post incident report that is filled in when the security incident is moved to Review or Closed, or when all requested assessments are completed. This report contains:
   A summary of what was done
   Who requested it
   The time line
   All details about the security incident (type, configuration item, location, priority, and so on)
   All related incidents, changes, problems, and tasks
   The details of the resolution
   Responses to the post incident review assessment from all users
   Audit work notes

Closure Information tab (This tab is visible when the security incident is in the Review or Closed state.)

Create knowledge article: Select this check box to generate a knowledge article using the contents of the post incident report.
Close code: Select the close code that best describes the reason for closing the security incident.
Close notes: How the security incident was closed, including lessons learned, resolution, and so on.
Closed by: [Read only] Displays the user who closed the security incident.
Closed: [Read only] Displays the date and time the security incident was closed.

5. Within Related Links, you can perform the following tasks:

View Manual Runbook: View the list of runbooks available for this security incident.

Response Workflow: View any workflow associated with this incident.
View Details in External System: If this security incident was generated from an external application, directly or by events, and a link to the originating data was provided, the View Details in External System action opens the URL. You can view and search through the logs that generated this incident.
Scan for Vulnerabilities: If Vulnerability Response is activated, and you have selected at least one affected CI for the security incident, you can submit a scan request to determine what vulnerabilities exist on the CI.

6. View the following features in the form header context menu:

Calculate Severity: Handles the security incident severity calculations and rules for base calculators and calculator groups. If both the base calculator and the CI Group filter are available for evaluation, they are processed as an AND statement. If only one is available, it is evaluated individually.
Repair SLAs: Repair SLA records to ensure that SLA timing and duration information is accurate.

7. View the following Related Lists to discover or add more information about the security incident.

Task SLAs: View or add active task SLAs that were defined for the security incident.
Tasks: Displays tasks already defined for the security incident. You can manually create a response task or create another type of task from this related list.
Configuration Items: After affected CIs are identified, you can manually add affected resources from this related list.
Affected Users: After affected users are identified, you can manually add affected users from this related list.
Groups Associated to CIs: After configuration items are identified, any matching CI or Filter group is automatically added.
Child Security Incidents: Select a task record related to the issue that caused this security incident to be created.
Similar Security Incidents: View any other security incidents associated with any of the same observable records.
Exchange Search: The list of search criteria used, as a group, to run queries on a Microsoft Exchange Server.
Security Scan Requests: Scan and lookup requests attached to the security incident.
Affected Services: View or add business services associated with the security incident. Note: If an affected CI is added after the security incident is opened, it is a good idea to right-click in the form header and select Refresh Impacted Services.
Outages: View or manually add new outage records associated with the security incident.
Customer Service Cases: If Customer Service is activated, you can view Customer Service case information.

Vulnerabilities on Configuration Items: [Optional] Available to add from the form header context menu under Configure > Related Lists. If Vulnerability Response is activated, you can view vulnerability information for resources, such as servers, desktops, or other CIs, affected by this security incident.
Risks: [Optional] Available to add from the form header context menu under Configure > Related Lists. If any of the core GRC plugins (Policy and Compliance Management, Audit Management, or Risk Management) are activated, you can view or add risks associated with the security incident.

Note: You can add Security Incident Audit Logs to Related Lists from the context header menu.

8. When you have completed your entries, click Submit.

You can make these updates to the security incident:

Note: Customer Service must be activated to see and use the Create Customer Service Case feature.

Note: Only someone in the security admin role can delete a security incident.

9. After you have created security incidents, you can view them using any of the following items under Security Incident:
   Assigned to Me > Incidents
   Assigned to Team > Incidents
   Unassigned > Incidents

Note: If you have activated the QRadar Integration, you can use default workflows to enrich data in security incidents when the Configuration item field, or the Source IP or Destination IP fields on the Security Incident Observables tab, are updated.

Parent and child security incident relationships

You can associate and track the impact of any given issue using parent and child security incident relationships in Security Incident Response.

Using the Related Records tab, you can add a Parent security incident to any Security Incident Response form. This feature automatically makes the incident a child that appears in the Child Security Incidents related list of the parent issue.


You can also add one or more Child Security Incidents to any security incident record using the Edit button in the Child Security Incidents tab. In the following example, all three records are connected.


Note: All work notes recorded in the parent are propagated to any active children in Activities under the Incident Details tab. When a parent is closed or canceled, any active children are also closed or canceled. Any active Response Tasks on the child incidents are canceled. If there are no other open Tasks, the child incident is closed. When closed, the Post Incident Interview records the closure, and the information found on the Closure Information tab is propagated from the parent to the children.


Security incident observable enrichment

When certain applications and integrations are set up, including Threat Intelligence and the Palo Alto Networks Firewall integration, the observables information in a security incident can be automatically enriched with threat log data whenever the Source IP of its observables is modified. When a modification occurs, a business rule initiates a workflow that retrieves data from threat logs on your firewall and enriches the observables information in the security incident.

Before observables can be enriched, the following steps must be performed:

Threat Intelligence must be activated.
The Palo Alto Networks Firewall integration must be activated and configured. This can also include setting up SSH credentials to the MID Server.

After that setup has been completed, changing the Source IP of the observables associated with a security incident causes a business rule to execute the Palo Alto Networks - Get Log Data workflow. Workflow activities queue a search query on the firewall and return a Job ID, which is used to retrieve threat log data from the firewall and attach it as an XML file to the security incident.

Manually create a security incident from the Security Incident Catalog

Users in your company can use the Security Incident Catalog to request various types of security-related analysis.

Role required: none

1. Navigate to Self-Service > Security Incident Catalog.


2. Click the catalog item for which you want to make a request. If the item you selected from the main catalog contains subcategories, the list is shown. In the following example, Malicious code activity was selected.

3. Click the subcategory that best matches the type of request you want to make. The catalog entry form opens. In this example, the Worm, virus, Trojan subcategory was selected.
4. Enter the information for the request, and click Submit. The request is sent to your Security Incident department.

After you have submitted the request, you can track its progress by navigating to Self-Service > My Requests and entering the request number.

Manually create a security incident from an Event Management alert

When Event Management is activated, you can manually create security incidents from the Alert form.

The Event Management plugin (com.glideapp.itom.snac) requires a separate subscription and must be activated by ServiceNow personnel. This plugin includes demo data and activates related plugins if they are not already active. The Service Analytics plugin (com.snc.sa.analytics) is activated automatically when Event Management is activated.

Role required: evt_mgmt_admin, evt_mgmt_operator, or evt_mgmt_user

1. Navigate to Event Management > All Alerts.
2. Click the alert Number.
3. Click Create Security Incident.
4. Click Update.

Security incident automatic creation

Third-party monitoring tools, such as Splunk, can be integrated with Security Incident Response so that security events imported from those tools automatically generate security incidents. You can also import data from third-party tools into security alerts.

To integrate alert monitoring tools with Security Incident Response, you must use the REST API to write to the Security Incident Import [sn_si_incident.import] table. Then, using the Security Incident Transform transform maps, the import set source table is mapped to fields in the target Security Incident [sn_si.incident] table.

If you attempt to import CI records that are not recognized by the transform map, the transform map script checks the record for the following (in this order) in an attempt to make a match:

sys_id
CI name
fully qualified domain name
IP address

Note: If you find that the Security Incident Transform transform map is not adequate for the third-party alert monitoring tool you are using, duplicate the transform map, create a new one, and edit the fields, as needed.

Security incidents created from events and alerts

As events are imported from alert monitoring tools, they are first processed by Event Management and grouped into alerts. These alerts can be used to create security incidents based on customizable alert rules, or manually reviewed to select those alerts to be investigated as a security incident.

You can find a sample alert rule called Create security incidents from critical alerts in the Alert Rules module of the Event Management application. This alert rule automatically creates security incidents when critical security-related events are received from within ServiceNow or from third-party monitoring applications. After the security incident has been created, it is updated as new events are received. You can modify the task template in the alert rule to change the initial values for the security incident created by this alert rule. To handle each distinct variety of security incident that you would like to create, you can define other alert rules with different conditions.

Alternatively, if you are a user with the Security Admin role, you can manually create a security incident by clicking the Create Security Incident button from any suspicious alert.

It is important that the events received from external tools include the following information:

The node, set to the name, IP address, or sys_id of the CI that becomes the affected resource.
The event classification, set to Security to distinguish these events from other IT events.
The event description, which populates the description of the security incident.
The additional information, which can include any extra information that does not fit into the previously listed fields or other event fields, such as the category, attack vectors, return URL, or correlation ID. The format is a string that lists field names along with their values, using the following JSON format:

{ "fieldname" : "fieldvalue", "fieldname" : "fieldvalue" }

Note: For each field and value pair, if the field in the security incident whose column name matches the fieldname is empty, it is set to the fieldvalue. If the field in the security incident is not empty, it is not changed. In either case, the event and all the fields and values encoded in the additional information are recorded in a work notes entry describing the event. If nothing changes in the security incident, a work note entry is not created. Any fields in a security incident, including custom fields you add to the table, can be set.

Data imported into security alerts

When an event is created with more JSON-encoded data, that data is imported into any field with a name that matches the fieldname of that value in the JSON data. If you have data in your third-party monitoring software (for example, Splunk) that is not common to the base system, you can add new fields to the Alert table to accommodate the data import.

The JSON format for importing data into alerts is the same format used for creating security incidents from events and alerts:

{ "fieldname" : "fieldvalue", "fieldname" : "fieldvalue" }

The only difference is that the data in the field is always overwritten with the fieldvalue. When the security event data is imported, it populates the fields in the Alert table with matching field names.
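The CI matching order and the two merge rules described above (a security incident field is set only when it is empty, an alert field is always overwritten, and a work note is written only when something changed), modelled as an added JavaScript example. This is not ServiceNow code and does not call the platform API: the CMDB rows, the event, and field names such as attack_vector and correlation_id are constructed for illustration, and the wording of the work note is an assumption.

```javascript
// Added example (not ServiceNow code): models how an imported security event is
// matched to a CI and merged into a security incident or an alert, following the
// rules stated in the documentation. Record shapes and field names are assumed.

// Constructed CMDB rows standing in for the CI table the transform map queries.
const sampleCis = [
  { sys_id: "a1b2c3d4e5f60718293a4b5c6d7e8f90", name: "web01",
    fqdn: "web01.corp.example", ip_address: "10.0.0.5" },
  { sys_id: "0f1e2d3c4b5a69788796a5b4c3d2e1f0", name: "db01",
    fqdn: "db01.corp.example", ip_address: "10.0.0.9" },
];

// Constructed event in the shape the text calls for: node, classification,
// description, and a JSON string of extra field/value pairs.
const sampleEvent = {
  node: "10.0.0.5",
  classification: "Security",
  description: "Outbound connection to a blocklisted host was denied by the firewall",
  additional_info: JSON.stringify({
    category: "Malware",
    attack_vector: "Network",
    correlation_id: "evt-0001",
  }),
};

// The transform map script tries these CI attributes in this order.
const MATCH_ORDER = ["sys_id", "name", "fqdn", "ip_address"];

function matchConfigurationItem(node, cis) {
  for (const attr of MATCH_ORDER) {
    const hit = cis.find((ci) => ci[attr] === node);
    if (hit) return { ci: hit, matchedOn: attr };
  }
  return { ci: null, matchedOn: null };
}

// Only events classified as Security are turned into security incidents.
function isSecurityEvent(event) {
  return event.classification === "Security";
}

// Additional information is a JSON object of {"fieldname": "fieldvalue"} pairs;
// anything else (bad JSON, an array, a bare string) contributes no fields.
function parseAdditionalInfo(text) {
  try {
    const parsed = JSON.parse(text);
    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
  } catch (e) {
    return {};
  }
}

function isEmpty(value) {
  return value === undefined || value === null || value === "";
}

// Security incident rule: a field is set only when it is empty, and the event is
// written to a work note only when at least one field actually changed.
function applyEventToSecurityIncident(incident, event) {
  const updated = { ...incident };
  const pairs = { description: event.description, ...parseAdditionalInfo(event.additional_info) };
  let changed = false;
  for (const [field, value] of Object.entries(pairs)) {
    if (isEmpty(updated[field]) && !isEmpty(value)) {
      updated[field] = value;
      changed = true;
    }
  }
  // Work-note wording is assumed; that it lists every pair comes from the text.
  const workNote = changed
    ? `Event from ${event.node}: ` +
      Object.entries(pairs).map(([k, v]) => `${k}=${v}`).join(", ")
    : null;
  return { incident: updated, workNote };
}

// Alert rule: matching fields are always overwritten with the event value.
function applyEventToAlert(alert, event) {
  const updated = { ...alert };
  for (const [field, value] of Object.entries(parseAdditionalInfo(event.additional_info))) {
    updated[field] = value;
  }
  return updated;
}

// Walk one event through both paths: the second application to the incident
// changes nothing, so it produces no work note.
function demo() {
  const match = matchConfigurationItem(sampleEvent.node, sampleCis);
  const incident = { category: "Phishing", description: "", cmdb_ci: match.ci ? match.ci.sys_id : "" };
  const first = applyEventToSecurityIncident(incident, sampleEvent);
  const second = applyEventToSecurityIncident(first.incident, sampleEvent);
  return { match, first, second, alert: applyEventToAlert({ category: "Phishing" }, sampleEvent) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node to see the incident keep its existing category while the empty description and the new fields are filled, and the alert take the event's category unconditionally.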
If the alert is later turned into a security incident, the same additional information data populates matching fields in the security incident.

View related events and alerts in security incidents

As a security incident is being worked on, you can view the details of the events. For alerts, you can view and acknowledge these alerts, and create incidents or security incidents from them as needed.

You must have the Security Incident Response Event Management support plugin activated.

Role required: si.sn_agent

1. Navigate to any security incident list (for example, Security Incident > Incidents > Unassigned Incidents).
2. If the resources affected by the security incident you are viewing have received alerts or events within the previous 24 hours, one or both of the following related lists appear:
   Security Incident CI Alerts
   Security Incident CI Events
3. Click the related list you want to view.

Security Incident CI Alerts: You can view details for alerts received within the previous 24 hours. You have the option of clicking Acknowledge to indicate that you are aware of the alert and it is being handled. Use Close to indicate that the alert is not important.

Security Incident CI Events: You can view details for events received within the previous 24 hours.

Security incident analysis

After you have created security incidents using manual methods or automatically from events, there are numerous ways you can analyze the data to determine whether the intrusion is malicious.

Create response tasks

After a security incident has been created, you can create response tasks to track the separate actions to be performed in response to the security issue.

Role required: sn_si.basic

1. Navigate to the appropriate location to open the security incident for which you want to create tasks. For example:
   To create a response task based on a security incident assigned to you, select Security Incident > Incidents > Assigned to Me.
   To create a response task based on a security incident assigned to your team, select Security Incident > Incidents > Assigned to Team > Incidents.
   To create a response task based on an unassigned security incident, select Security Incident > Incidents > Unassigned Incidents.
2. Open the security incident for which you want to add response tasks.
3. Click the Add Response Task button in the form header.

Note: To create any other task, click the Tasks tab in the Related List in the incident. For more information on creating other types of tasks, see Create a task.

4. Fill in the fields on the form, as appropriate.

Table 25: Security incident

Number: [Read only] The automatically generated Security Incident Response number.
Parent: [Read only] The number of the related security incident.
Configuration Item: The configuration item (resource) affected by the security issue.
Affected User: The person affected by the security issue.
Priority: Select the priority used to determine when this task is performed.
State: The current state of the security response task. Upon task creation, this field defaults to Draft.
Skills: Click the lock icon and select the skill required to perform this task. After you have completed your selections, click the lock icon again.
Assignment group: The assignment group from which the assigned worker is selected.
Assigned to: The individual assigned to perform the task.

70 5. Field Short description A description of the Security Incident Response task. Enter a description for the selected task. Secure notes Enter work notes that are encrypted and not visible to the customer. Work notes Enter work notes that are not visible to the customer. Additional comments Enter any comments that you want to be visible to the customer. When you have completed your entries, click Submit. Note: After you have created Security Incident Response tasks, you can view them using any of the following applications under the Response Tasks module: Assigned to Me. Assigned to Team. Show Open Tasks Show All Tasks Unassigned Tasks. Record creation from security incidents After you have created and saved a security incident, you can create a change request (CHG), incident (INC), or problem (PRB) record from it. You can also create a customer service case from any security incident. Create a change, incident, or problem from a security incident After you have created and saved a security incident, you can create a change request (CHG), incident (INC), or problem (PRB) record from it. Role required: sn.si_basic or higher 1. Open a security incident using one of these methods. 2. Open an exiting security incident by navigating to Security Incident > Unassigned > Incidents, and clicking a security incident. Create a security incident by navigating to Security Incident > Unassigned > Incidents, click New, fill out the form, and save the record. Right-click in the security incident header bar and click one of the following: Create Change Create Incident Create Problem Note: This choice applies only if the popup property (sn_vul.popup) is enabled. When you click one of these buttons, a preview window opens to show you the information from the security incident that is used to create the change, incident, or problem. That is, the configuration item, its location, its priority, and the short and long descriptions. 
If you are creating a Change Request or Problem, you can edit the Priority, Short description, and Description fields. If you are creating an Incident, you can edit the Impact, Urgency, Short description, and Description fields. The fields in the associated security incident screen are not affected.

3. Click Submit to create the change, incident, or problem.

Create a Customer Service case from a security incident
Security Incident Response ships with a default field mapping that maps a Security Incident to a Customer Service (CS) case. You can create a CS case from any security incident, edit the Priority, and also add Optional notes.
Role required: sn_si.basic and sn_customerservice_agent
Note: The Customer Service plugin must be activated to perform this task.
1. Navigate to Security Incident.
2. Open the security incident that you want to add a CS case to.
3. Click Create Customer Service Case in the top header.
4. The popup is pre-populated with information from the security incident based on your field mapping. You can select a new Priority and add any Optional notes.
Note: The Priority field overwrites the default setting. The Optional notes are appended to the incident.

5. Click Submit. A CS case is created. Click the link to follow up.
Note: Optionally, you can add a CS case to the Related List on a security incident.

View Security Incident to Customer Service mapping
Security Incident Response ships with a default field mapping that maps a Security Incident to a Customer Service case. You can view the default security incident to CS case map.
Role required: sec_cmn.read
1. Navigate to > Field Mapping.
2. Click Security Incident to CS Case Field Mapping to view the default map.

Security Incident Response runbook
The Security Incident Response Runbook creates a runbook from existing knowledge base articles.

If you do not have any articles, you can create them. Runbooks give you access to procedures related to the tasks you are working on. These procedures ensure that you are following the appropriate processes according to your company guidelines. View the runbooks from either security incidents or response tasks.

Create a runbook
Runbooks are based on existing knowledge base articles.
Role required: sn.si.knowledge_admin
There must be existing knowledge base articles in the Security Incident Response Runbook knowledge base. When you create them, be sure to select Security Incident Response Runbook in the Knowledge base field. After you create and publish an article, a Create Runbook button brings you to this task.
1. Navigate to Security Incident > Manual Runbook > Create New Runbook.
2. Fill in the fields, as appropriate.
Table 26: Creating a runbook
Knowledge article: Select a knowledge article to include in the runbook.
Active: Check the box to make the runbook available from the Filter Navigator.
Use filter group: Select this check box to use a predefined filter group or create a new filter group to define the runbook criteria.
Filter group: Select the filter group to use for defining a runbook. This field appears only if the Use filter group check box is selected.
Table: Select either Security Incident [sn_si_incident] or Security Incident Response Task [sn_si_task]. If you selected the Use filter group check box and selected a filter group, this field defaults to the table associated with the selected filter group.
Condition: Set the conditions that connect this runbook to the incident or task. If you selected the Use filter group check box and selected a filter group, the Condition fields are not displayed.
3. Right-click the form header and select Save. The Knowledge Article Details tab and a series of buttons appear.
4. To view the details of the runbook, click the Knowledge Base Details tab.

5. To see the knowledge base article as it would appear to the user, click View Article.
6. To edit the details of the knowledge base article, click Edit Article.

View a runbook
Runbooks give you access to procedures related to the tasks you are working on.
Role required: sn.si.knowledge_admin
1. Navigate to Security Incident > Manual Runbook > View Runbook Documents.
2. Select a runbook from the list.
3. To create a runbook, click New. See Create a runbook for instructions.

Escalate a security incident
If an escalation path exists for a security incident, the Escalate button is available in the security incident header.
Role required: sn_si.admin
You must have an escalation group created to see this button. See Create a user-defined escalation group on page 419 for more information.
1. Navigate to Security Incident > Show Open Incidents.
2. Open the incident you want to escalate.
3. Click the Escalate button.

4. Choose an escalation group.
5. Enter a reason for the escalation.
6. Click Submit. The Assignment group and Assigned to fields on the security incident are updated.

Identify all configuration items affected by a security incident
If you know which resource (server, desktop, or other configuration item) is behind a security incident and want to identify related resources and business services that can be affected, you can use the Business Service Management (BSM) map.
Role required: admin or sn_si.admin
The BSM map displays the upstream and downstream dependencies for a selected root CI. There are two methods you can use to view the BSM map for a CI:
- If you want to view CIs from the context of a task, view from the security incident form.

- If you do not want to view CIs from a task viewpoint, view from the navigation bar.
1. From the Security Incident form, populate the Configuration item field, and click the BSM map icon. The BSM map screen displays the map for the last incident you accessed in Incident Management or the last security incident you accessed in Security Incident Management.

2. Click the icons next to a configuration item to view different kinds of details about the resource (server, desktop, or other CI). For example, click the alert icon to view alerts associated with the CI.

Note: To view a list of all the available icons, click Filters above the BSM map and expand Filter Task Types.
3. To arrange the map in different configurations, select any of the formats listed above the map (Vertical, Horizontal, Radial), or click Filters to filter the map for easier viewing.
4. If you opened the BSM map from the security incident form, you can add a dependent CI to the security incident by right-clicking the CI and selecting Add Affected CIs. You can also add multiple CIs at a time: drag a box around the CIs you want to add, right-click the box, and select Add Affected CIs. The CIs are added to the Affected CIs related list of the security incident.

Assign security analysts
Depending on your settings in the Security Incident Administration configuration screen, you can assign analysts manually or using auto-assignment. If you have a limited number of security analysts for completing requests, or you simply do not want to auto-assign security analysts, you can use manual assignment. Auto-assignment allows you to define criteria by which security analysts can be automatically assigned to security incidents and response tasks as they are created. Based on the needs of your organization, you can configure the criteria for security analyst auto-assignment in the ways described in the following sections.
When auto-assignment is enabled and a security incident or response task is created, the following actions occur:
- Available security analysts are evaluated based on the criteria defined in the configuration.
- An appropriate security analyst is automatically assigned to the task.
- The task is moved to the Assigned state.
If the configuration is set up to consider more than one set of criteria, such as location and skills, the security analysts are evaluated based on the weighting property settings in addition to the other criteria. If the task cannot be auto-assigned, it can be manually assigned.
Manually assign agents to active security incidents
Use this procedure to assign agents to active security incidents.
1. Navigate to Security Incident > Incidents > Unassigned Incidents for a list of security incidents that no one is assigned to.
2. Open the security incident you want to assign.
3. Click the reference lookup icon beside the Assignment group field.
4. Select the group that handles this kind of security incident. If no groups are available, leave this field blank. You do not have to select an assignment group, but doing so limits the number of users you can assign the request to.
5. Click the reference lookup icon beside Assigned to.
6. Select the agent to handle the security incident. If an assignment group was selected, the users available in this field are limited to the users who are in that Assignment group.
7. Click Update. If notifications are on for that agent, an email notification is automatically sent to the assigned agent.

Agent auto-assignment using rating-based criteria
Rating-based methods, such as location, skills, and time zones, help you auto-assign agents based on configuration settings and optional properties. The calculated ratings are used to determine the best agent for the security incident or response task. Any combination of rating-based methods can be enabled in the application configuration screen. When a task is created, a rating for each type of enabled selection criteria is calculated for each available agent. The agent whose total rating is highest is considered for auto-assignment.
The settings for the auto-assignment weighting properties, found in Security Incident > Administration > Properties, are included in the rating calculations. These values help you prioritize which auto-assignment selection criteria are more important to your organization. Set the priority values between 1 (less important) and 10 (more important). For an example of how the weighting properties affect agent ratings, see Agent auto-assignment using multiple selection criteria on page 83.

Agent auto-assignment using location
Agents can be auto-assigned based on the home location in their user record and the location of the tasks. Auto-assignment by location is performed when the Auto-selection of agents will consider location of agents configuration option is enabled. When a task (security incident or response task) is created, the agent closest to the task location is considered for the task. If the application is configured so that only location is considered, the closest agent is auto-assigned the task. When a task is created, agent locations are compared to the following ranges to determine each agent location rating.
Table 27: Location rating calculation
Distance (mi.) from agent to task | Rating
0 to to to to to to to to >100 0
If the application is configured to use other selection criteria, such as skills, time zone, or schedule, the ratings of all selection criteria are weighted and summed. The agent with the highest overall rating is auto-assigned the task. See Agent auto-assignment using multiple selection criteria on page 83 for details.

Agent auto-assignment using skills
Agents can be auto-assigned based on their skills and the skills required to perform the task. Assign skills to their user records using Skills > Users.

Auto-assignment by skills can be performed when the Auto-selection of agents for tasks requires them to have skills configuration option is set to all or some. When a task that includes skills is auto-assigned, an agent's skills are compared with the skills required to perform the task. A rating is calculated based on the skills configuration option. If the option is set to some, the agent with the closest skills match is auto-assigned the task. If the option is set to all, only agents who possess all the required skills are considered. If no agents possess all the skills required to perform the task, no one is auto-assigned.
A skills rating is calculated as:
Skills_agent / Skills_task
where:
- Skills_agent is the number of skills possessed by the agent that match the skills required for the task.
- Skills_task is the total number of skills required for the task.
For example, if a task requires four skills, and Agent A possesses three of them and Agent B possesses two of them:
Agent A skill rating = 3/4 or 0.75
Agent B skill rating = 2/4 or 0.5
If the application is configured to use other selection criteria, such as location or time zone, the ratings of all selection criteria are weighted and summed. The agent with the highest overall rating is selected for the task. See Agent auto-assignment using multiple selection criteria on page 83 for details.

Agent auto-assignment using time zones
Agents can be auto-assigned based on the time zone defined in their user records and the time zone of the tasks. If the Auto-selection of agents will consider time zone for the task configuration option is enabled, auto-assignment by time zone can be performed. When a task is created, agents in the time zone closest to the task time zone are considered for the task. If the application is configured so that only time zone is considered, only an agent in the same time zone can be auto-assigned the task.
Note: It is important that the time zones for the agent and the task are set correctly.
When a task is created, agents are rated based on the time zone of the task and the time zone of the agent using the following formula:
1 - [abs(Task_tz - Agent_tz) / 12]
where:
- abs is the mathematical function that computes the absolute value.
- Task_tz is the offset between the time zone of the task and GMT.
- Agent_tz is the offset between the time zone of the agent and GMT.
For example, a task is created in New York City (GMT-4), and two agents are available to perform the task, one in Los Angeles (GMT-7) and one in Paris, France (GMT+1).
The rating of the agent in Los Angeles is calculated as:
1 - abs((-4) - (-7)) / 12, or 0.75
The rating of the agent in Paris is calculated as:
1 - abs((-4) - (+1)) / 12, or approximately 0.58

So if the auto-assignment of the task is based on the time zone alone, it is assigned to the agent from Los Angeles. If the application is configured to use other selection criteria, such as skills or location, the ratings of all selection criteria are weighted and summed. The agent with the highest overall rating is selected for the task. See Agent auto-assignment using multiple selection criteria on page 83 for details.

Agent auto-assignment using multiple selection criteria
At its simplest, auto-assignment involves identifying a set of selection criteria and automatically assigning the task to the agent who most closely meets the criteria. You can, however, select multiple sets of criteria. When a task is created, the following evaluations are performed:
1. The agents' ratings are calculated. For more information on how the ratings are calculated, see:
   - Agent auto-assignment using location on page 81
   - Agent auto-assignment using skills on page 81
   - Agent auto-assignment using time zones on page 82
2. Auto-assignment is based on the following calculation:
[(Criteria_1 rating x Criteria_1 weight) + (Criteria_2 rating x Criteria_2 weight) + (Criteria_3 rating x Criteria_3 weight)] / Number of criteria types used
where Number of criteria types used = 1, 2, or 3, depending on the location, skill, and time zone settings used.
This example calculates agent auto-assignment based on location and skills. The example is based on the following assumptions. The Auto-selection of agents will consider location of agents configuration option is enabled for the application. The Auto-selection of agents requires them to have some of the required skills for the task configuration option is enabled for the application. The Skills Weight property is set to 10 for the application. The Location Weight property is set to 5 for the application. Agents A and B are available to perform a task, and the task requires four specific skills.
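The skills, time zone, and weighted-combination rules described in these sections, applied to the agents of this example, as an added JavaScript example (not ServiceNow product code). It assumes that a weight property of 1 to 10 is scaled to 0 to 1 (weight / 10), as the worked figures imply, and takes each agent's location rating as an input because the distance table is not reproduced here; the agent, task and configuration data are constructed.

```javascript
// Added example, not ServiceNow product code: the agent rating rules from the
// auto-assignment sections, written as plain functions so the arithmetic can
// be checked. All data below is constructed to match the worked figures.

// Skills rating = Skills_agent / Skills_task. With the "all" option an agent
// missing any required skill is not considered at all (rating null).
function skillsRating(agentSkills, taskSkills, option) {
  const matched = taskSkills.filter((s) => agentSkills.includes(s)).length;
  if (option === 'all' && matched < taskSkills.length) return null;
  return matched / taskSkills.length;
}

// Time zone rating = 1 - abs(Task_tz - Agent_tz) / 12, offsets in hours from GMT.
function timeZoneRating(taskTz, agentTz) {
  return 1 - Math.abs(taskTz - agentTz) / 12;
}

// Combined rating: sum of (rating x weight) over the enabled criteria, divided
// by the number of criteria used. Assumption: a weight property of 1..10 is
// scaled to 0..1 (weight / 10), which the example's 10 -> 1 and 5 -> 0.5 imply.
// Any null rating disqualifies the agent.
function combinedRating(ratings, weights) {
  const criteria = Object.keys(ratings);
  let sum = 0;
  for (const c of criteria) {
    if (ratings[c] === null) return null;
    sum += ratings[c] * (weights[c] / 10);
  }
  return sum / criteria.length;
}

// Rate one agent under the given configuration. Location ratings come from a
// distance table not reproduced here, so each agent carries a precomputed
// locationRating (an assumption of this example).
function rateAgent(agent, task, config) {
  const ratings = {};
  if (config.useLocation) ratings.location = agent.locationRating;
  if (config.skillsOption !== 'none') {
    ratings.skills = skillsRating(agent.skills, task.skills, config.skillsOption);
  }
  if (config.useTimeZone) ratings.timeZone = timeZoneRating(task.tz, agent.tz);
  return combinedRating(ratings, config.weights);
}

// Pick the agent with the highest combined rating; null means nobody can be
// auto-assigned and the task has to be assigned manually.
function autoAssign(task, agents, config) {
  let best = null;
  for (const agent of agents) {
    const rating = rateAgent(agent, task, config);
    if (rating !== null && (best === null || rating > best.rating)) {
      best = { agent: agent.name, rating };
    }
  }
  return best;
}

// Constructed data matching the text: four required skills, Agent A matches
// three and Agent B two; Skills Weight 10, Location Weight 5; location ratings
// 0.7 (5 miles) and 0.9 (a quarter mile); task in New York (GMT-4), Agent A in
// Los Angeles (GMT-7), Agent B in Paris (GMT+1).
const task = { skills: ['forensics', 'malware', 'network', 'cloud'], tz: -4 };
const agents = [
  { name: 'A', skills: ['forensics', 'malware', 'network'], locationRating: 0.7, tz: -7 },
  { name: 'B', skills: ['forensics', 'malware'], locationRating: 0.9, tz: 1 },
];
const config = {
  useLocation: true,
  skillsOption: 'some', // 'some', 'all' or 'none'
  useTimeZone: false,
  weights: { location: 5, skills: 10, timeZone: 10 },
};

// Agent A: (0.7 x 0.5 + 0.75 x 1) / 2 = 0.55
// Agent B: (0.9 x 0.5 + 0.5 x 1) / 2 = 0.475
console.log(autoAssign(task, agents, config));
```

Switching skillsOption to 'all' makes both agents ineligible (neither has all four skills), so autoAssign returns null and the task falls back to manual assignment.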
Agent A's location is 5 miles from the site of the task, and Agent A possesses three of the four required skills. Agent B's location is one-quarter mile from the site, and Agent B possesses two of the required skills.
Auto-assignment for the agents uses this calculation:
[(Location rating x Location weight) + (Skills rating x Skills weight)] / 2
The auto-assignment calculation for Agent A is:
[(0.7 x 0.5) + (0.75 x 1)] / 2 = 0.55
The auto-assignment calculation for Agent B is:
[(0.9 x 0.5) + (0.5 x 1)] / 2 = 0.475
In this example, Agent A is auto-assigned the task.

Search for and delete phishing emails on an Exchange server
Deleting phishing emails can help reduce exposure to a specific attack across an organization. You can manage phishing emails on an Exchange Server by searching, granting approvals, and deleting.
Role required: sn_si.basic
You can determine how many users were targeted by a phishing attack by querying an Exchange Server record associated with a security incident.
Supported software: Microsoft Exchange Server

This feature is used by workflows to run a query against an Exchange Server. The search identifies all emails within a phishing attack, and returns the total number of emails affected or details from the emails affected.
1. Navigate to Security Incident > Show Open Incidents.
2. Choose a security incident.
3. Choose Exchange Search from the Related List.
4. Click New or Edit.
5. Fill in the fields, as appropriate.
Table 28: Create Exchange search group
Name: Name of the search query.
Description: Describe what the search query is looking for.

Query result: Governs which results are returned and which workflows are triggered by the buttons on the form. Choices are:
- Return count: Returns the total number of phishing emails discovered in the Exchange Server.
- Return details: Returns details on each phishing email discovered on the Exchange Server, such as date received, read status, recipient, and message ID.
Query from criteria: A preview of the query run on the Exchange Server. Generated from all the associated active search criteria records.
6. Click Submit. The Exchange Search Criteria Related List appears.
7. Click New.

8. Fill in or edit the fields, as appropriate.
Table 29: Creating Exchange Search Criteria
Operator: Possible values are AND and OR. You can define how search criteria are combined to run in the Exchange Server.
Search Field: Field to search in the Exchange Server. The search field has the following choices:
- Subject: String type. Searches for emails that contain this text string in the subject line.
- From: Full email address. Note: Cannot be used with Recipient in the same query.
- Recipient: Full email address. It also searches for emails in the To:, Cc:, and Bcc: fields. Note: Cannot be used with From in the same query.
- Body: String type. Searches for emails that contain this text string within the body.
- Cc: Full email address.
- Bcc: Full email address.
- Attachment: String type. Searches for emails that contain the text string as an attachment file name or contain the text string in the attachment contents. Only plain text attachments are supported for searching the attachment contents.
- Retention Policy: String type.
Search Text: The text to search for. Single quotation marks, double quotation marks, and colons are not supported.
Exchange Search: Reference to the Exchange search group that the criteria applies to.

Order: The order in which the search query is built from the search criteria.
9. Click Submit.
10. Once you have created a search criteria record, both the Delete from Exchange and Query Exchange buttons appear on the Exchange Search form and in the header context menu. Clicking either of these buttons triggers the workflow associated with it.
Note: When the Query result is set to Return Count:
- Delete from Exchange triggers the Security Incident Response - Search and Delete Threat Emails workflow.
- Query Exchange triggers the Security Incident Response - Return Total Emails Found in Exchange workflow on page 119.
Note: When the Query result is set to Return Details:
- Delete from Exchange triggers the Security Incident Response - Get Threat Details and Delete workflow on page 109.
- Query Exchange triggers the Security Incident Response - Return Details from Exchange workflow on page 114.
In either deletion case, you are asked to confirm your action. The default is No. Choose Yes, then click Submit.

Close security incidents
When a security incident has transitioned to the Review state, it is possible to close it and enter an appropriate close code, which can be searched on later for ease of location.
Role required: sn_si.write
Note: In previous versions of Security Incident Response, users could close security incidents or requests as spam. In this release, the spam option is no longer available. Spam security incidents or requests can be canceled or deleted, as appropriate.
1. If the security incident you want to close is not already open, navigate to Security Incident > Incidents > Show All Incidents, and locate the security incident you want to close.
Note: If there are any post incident review assessments that have not been completed for this security incident, the security incident cannot be closed. Return to Security Incident > Post Incident Review > All Incomplete Reviews, locate the reviews that are incomplete, and either ask the reviewers to complete their reviews or cancel the remaining assessments.
2. Click the Closure Information tab and fill in the fields, as appropriate.
Table 30: Security incident
Create knowledge article: Select this field to automatically create a draft knowledge base article that contains the contents of the post incident review.
Close code: Select the close code that best describes the reason you are closing this security incident:
- Investigation completed
- Threat mitigated
- Patched vulnerability
- Invalid vulnerability
- Not resolved
- False positive
Closed by: Displays the user who closed the security incident after the record is updated.
Closed: Displays the date and time of closure after the record is updated.
Close notes: Enter any additional notes that describe the outcome of closing this security incident.
3. Click Update. The assigned user can manually change the State to Closed.
When a parent incident is closed, all response tasks belonging to the child incident are canceled.
If there are no other types of tasks, the child incident is also closed.

Inbound security requests
You can use inbound security requests for low impact security demands, such as requesting a new badge. When a breach occurs, however, open a security incident instead.

After you have created security requests, you can view them using any of the applications under Security Incident > Inbound Requests. You can also view security requests you created under Self-Service > My requests.

Create an inbound request
Unlike security incidents, inbound requests are generally of a lower priority. Requests for a lookup, scan, or a new badge are examples of inbound requests.
Role required: sn_si.basic or higher
1. Navigate to one of the Requests forms. For example, Security Incident > Inbound Requests > Assigned to Me, and click New.
2. Fill in the fields on the form, as appropriate.
Table 31: Security request
Number: [Read only] The automatically generated security request number.
Company: The requester company.
Location: The CI location, if applicable. This field is pre-filled when the CI is selected.
Configuration Item: The configuration item affected by the request.
Priority: The priority of the request.
Opened: [Read only] The date and time that the request was opened.
State: The current state of the security request. Upon security request creation, this field defaults to Draft.
Assignment group: The assignment group from which the assigned worker is selected.
Assigned to: The individual assigned to perform the work.
Short description: A brief description of the security request, which is visible to the requester.
Description: The full description of the request, which is visible to the requester.
Work notes: Work notes, which are visible to the requester.
3. When you have completed your entries, click Submit.
4. If you must escalate the request to a security incident, click Convert to Security Incident.

Lookups and scans
You can perform lookups and vulnerability scans from security incidents and from the security incident catalog to identify potential threats and vulnerabilities.

Submit an IoC Lookup request from the Security Incident Catalog
If the Security Incident Response plugin is activated, you can submit threat lookups for files, hash values, URLs, and IP addresses from the Security Incident Catalog. The requests are submitted, and you can view the results in the My Requests module.
Role required: none
Lookups are automatically performed for the default lookup type for each lookup source listed in the lookup record. The results of the lookup request are available in the My Requests module.
1. Navigate to Self-Service > Security Incident Catalog.
2. Click IoC Lookup.
3. Click Lookup files, hash values, URLs or IP addresses.
4. Enter one or more of the following:
Table 32: IoC Lookup request
Files: Click the paperclip icon, then locate and attach the files you want to look up. Note: By default, the Lookup Type for File is inactive. Files are converted and submitted as a hash value.
URLs: In the URLs field, enter the URLs you want to look up, separated by commas.
IP addresses: In the IP addresses field, enter the IP addresses you want to look up, separated by commas.
Hash values: In the Hash values field, enter the hash values you want to look up, separated by commas. Note: When the Lookup Type for File is inactive, this value is the default action for both File and Hash values.
5. When you have made your selections, click Submit.
6. To view the status and/or results of the lookups, navigate to Self-Service > My Requests.
7. Click the SR number for the request. The work notes under Activity list the tasks performed during the lookup, including the creation of individual lookups for each file, hash value, URL, or IP address, and the lookup results.

Submit a vulnerability scan request from a security incident
If your security incident has one or more configuration items (servers, computers, and so on), they can be scanned for vulnerabilities from the Security Incident Response form. The Vulnerability Response plugin must be activated.
Role required: sn_si.write
1. Create a new security incident and include at least one resource. You can also open an existing incident that has configuration items.

2. When you have completed your entries on the form, right-click the form header and click Save. After the record has been saved, a Scan for Vulnerabilities related link appears.
Note: If the Scan for Vulnerabilities related link is not shown, you must navigate to Vulnerability > Scanners, set up at least one scanner, and set its default to true. For more information, see Add a third-party vulnerability scanner.
3. Click Scan for Vulnerabilities.
Note: A message appears at the top of the security incident form, along with a link to the scan record.
4. You can click the scan request number to view the scan record. The incident details show the results of the scan in the Security Scan Request record.

Post incident review
Based on the requirements of your business, a review of the origins and handling of security incidents is often needed. The Post Incident Review functionality provides many tools for automating, tracking, auditing, and simplifying this process. These tools include:
- Dynamic post incident questionnaires for collecting pertinent information about the incident
- A post incident report, including an audit trail if one was created
- Drafts of knowledge base articles from an incident

Post Incident Review workflow
After the security incident has been resolved and is moved to the Review state, all users in the Request assessments field are assigned a dynamic post incident questionnaire. The questionnaire can be a helpful tool for gathering information about the handling of the security incident from various sources. During the review, you can add more users to the list or remove existing users from the list, unless they have already started filling out the questionnaire. If you add new users to the list, they receive the questions when the record is saved. The security incident cannot be closed until all questionnaires have been completed.
As questionnaires are completed by each user, the post incident report is automatically generated (and regenerated) and displayed on the Post Incident Review tab. If you would rather gather the information yourself, empty the Request assessments field; the post incident report is still generated and displayed on the Post Incident Review tab.

Post incident report
The final product of the post incident review is the post incident report. When closing the security incident, a PDF of the report is created and attached to the incident. The post incident report documents the actions performed, by whom, and the reasons for doing them. It compiles all the information related to the security incident, as well as all assessment responses, into a concise record of the security incident lifecycle. Even if a questionnaire was not used, the post incident report provides valuable data, including:
- Initial incidents that caused the security incident
- Change requests, problems, and vulnerabilities created or linked to the security incident
- Emails on the security incident
- Activity logs with all work notes, response tasks, and activities
- [Optional] Audit log
The following table describes the components of the security incident report and identifies where the information originated.
Table 33: Security incident report
The Summary section identifies the security incident number, as well as other summary information. This information comes from the Short description and Assigned to fields in the security incident.

The Incident Team section identifies the individuals who were assigned to and/or updated the security incident, along with their titles or departments.


The Timeline section lists, in chronological order, all events recorded for the security incident, from creation (in this example, it was created from an Incident) to the Review state. All subtasks created in the resolution of the issue are also listed. If an activity created an audit log, then work notes from that activity are included. This information comes directly from the security incident work notes entered in the Activities tab.


The Findings section lists the questions sent out, along with the answers from each user. Some data can be generated from fields in the security incident, or from scripts gathering data from related records, such as the list of affected business services. If questionnaires were sent out during the post incident review, the post incident report is regenerated and the assessment data in this section is recalculated.
The Resolution section describes how the issue was resolved. It lists the vulnerability records that were referenced, and identifies the change or problem created during the handling of this security incident. It also includes the Close code and Close notes fields under the security incident Closure Information tab.
Note: If there are any post incident review assessments that have not been completed for the security incident, the security incident cannot be closed, and therefore the Resolution section will not include closure information.

Perform a questionnaire-based post incident review
You can decide that a review of the security incident is warranted. The review describes what happened, helps to determine why the incident occurred, and identifies how it can be avoided or handled in the future.
Role required: sn_si.admin, sn_si.manager, sn_si.analyst
Note: Any user can participate in a post incident review questionnaire, regardless of role.

A post incident review automates the collection of information from everyone involved with a given security incident. As each user completes the questionnaire, the post incident report is automatically generated. The report compiles all the information related to the security incident, as well as all responses to the post incident review.
1. Create a security incident, or open an existing one by navigating to Security Incident > Incidents > Assigned to Me (or Assigned to Team or Unassigned Incidents).
2. Click the Post Incident Review tab, and fill in the fields, as appropriate.
Request assessments: The reviewer list defaults to the individual in the Assigned to field, but you can click the lock icon to add other users to the review list. After the field is unlocked, options are available for adding or removing multiple users or entering user email addresses. When you have completed your entries, click the lock icon to lock the field.
3. Click Update. When the incident goes into the Review state (or immediately, if it is already in Review), each of the users in the review list receives an initial notification. Reminders are sent as the due date nears.
When each user accesses the questionnaire from the link or by going to Post Incident Review > My Pending Reviews, the questions shown are drawn from all categories that fit this security incident. If new users are added to the review list before the due date is reached, they are sent notifications when the security incident is saved. As users complete their questionnaires, the post incident report compiles the data and displays the report in the Post Incident Review tab. The questionnaire data is displayed in the Findings tab.

Post incident review questionnaires
If you decide to use a questionnaire as part of a post incident review, a list of questions relevant to the security incident is sent to a user-defined list of users. Their responses are automatically formatted into a post incident report.
While an initial list of questions is provided with the base system, the questions are customizable. You can create categories and add new questions to them, or you can change individual questions within existing categories. You can also define when certain questions are asked. There can be questions you ask only for your Unix servers, for example, or only when there is criminal activity. You can define questions that are asked depending on the answer to another question or on the value in a field on the form. There can even be questions that are filled in entirely by querying the database.

Create post incident review questionnaire categories

You can use the questionnaire categories that come with the base system or create your own categories.

Role required: sn_si.admin

To create a new category of questions:

1. Navigate to Security Incident > Post Incident Review.
2. Click Review Questions.
   A list of categories is displayed, along with their order and the filters that define under what conditions the questions are asked (for example, only when the security incident category is Criminal activity). Each category is a section in the post incident review questionnaire, and the questions in each category are included only when the security incident matches the Condition filter. For example, for a category of questions applying only to Linux servers, you would set up a filter that selects security incidents where the affected resource type is Linux Server. In that category, you would then create all questions needed when a security incident is on a Linux Server. You can use one of the categories supplied in the base system or create a new category. This procedure assumes that you want to create a new category before defining questions.
3. Click New in the list of categories.
4. Fill in the fields on the form, as appropriate.
   Table 34: Security incident
   Name: Name for the category that appears on the security incident questionnaire.
   Type: Post Incident Review is the default.
   Create Stakeholders: Unused by Security Incident Response.
   Table: This field is auto-assigned once the form is submitted.
   Filter: Enter the condition that determines when the questions in this category are used. If a security incident record matches this filter, the questions are included in a post incident review for that security incident. Filters can use any data on the record, or on other records linked to this record, for example, the department of the requesting user's manager.
   Application: Scope application for the incident.
   Weight: Numeric value that represents the importance of this metric relative to other metrics in the same category. By default, the weight is 10.
   Total Metrics: Number of metrics used by the category. of the questionnaire.
5. Click Submit to save the category.

Compose post incident review questions

You can use the questions that come with the base system or create your own questions.

Role required: sn_si.admin

The methods for gathering post incident review information can be in the form of questions or as data automatically collected using scripts. Questions can depend on the answers to other questions. For example, you might ask if all necessary logs were available. If the answer is No, you ask a follow-up question to ascertain which of the needed logs were not enabled. Scripted data collection, also called script metrics, gathers data related to the security incident via scripts you write. This data can go well beyond the data in the security incident record itself.
For example, a script metric could gather the recent outage time for a server affected by this security incident. Finally, you can mix the two types. Questions can have default values taken from a script, or simply from a field in the security incident record. When you use a Default answer from type of question, you can choose whether the user is always asked the question, with the default value supplied as an initial answer, or only asked when the script or field returns no value.
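The mechanics just described (script metrics reading the incident given in primary and returning string_result, scaled_result and actual_result; dependent questions; Default answer from questions with Ask question set to always or only-if-empty) modelled as an added JavaScript example. This is illustration code, not ServiceNow's implementation: the in-memory incident data, the metric record layout, the helper names and the clamping of scaled_result into the Min/Max range are assumptions.

```javascript
// Added example, not ServiceNow code: models how a post incident review
// questionnaire is assembled from metric definitions (questions, dependent
// questions, default answers, script metrics). The record layout, the
// in-memory incident data and the helper names are constructed for this
// illustration; on the instance a script metric reads records via GlideRecord.

// Constructed security incidents, keyed by the sys_id a script metric receives
// in its `primary` input variable.
const incidents = {
  'SIR-0001': { requested_by: '', affected_ci: 'web-01' },
  'SIR-0002': { requested_by: 'alice', affected_ci: 'db-01' },
};

// Constructed outage history per CI (stands in for data gathered from related
// records, the page's "recent outage time for a server" example).
const outageMinutes = { 'web-01': 95, 'db-01': 400 };

// Script metric: input `primary` (incident sys_id); outputs string_result,
// scaled_result and actual_result. Assumption: scaled_result is the actual
// value clamped into the metric's Min/Max range.
function recentOutageMetric(primary, min, max) {
  const inc = incidents[primary];
  const actual = inc ? (outageMinutes[inc.affected_ci] || 0) : 0;
  return {
    string_result: actual + ' min',
    scaled_result: Math.min(max, Math.max(min, actual)),
    actual_result: actual,
  };
}

// Metric definitions for one category, mirroring the Metric form fields.
const metrics = [
  { name: 'Logs available', order: 100, method: 'assessment', mandatory: true },
  { name: 'Missing logs', order: 110, method: 'assessment',
    depends_on: 'Logs available', displayed_when: 'No' },
  { name: 'Reported by', order: 120, method: 'default_from_field',
    default_answer: 'requested_by', ask_question: 'if_empty' },
  { name: 'Recent outage', order: 130, method: 'script',
    script: recentOutageMetric, min: 0, max: 120 },
  { name: 'Retired question', order: 50, method: 'assessment', active: false },
];

// Decide which questions the reviewer sees for `primary`, given the answers
// already entered, and run the script metrics that never appear as questions.
function buildQuestionnaire(defs, primary, answers) {
  const inc = incidents[primary] || {};
  const questions = [];
  const scripted = {};
  defs
    .filter((m) => m.active !== false)   // inactive metric: as if it did not exist
    .sort((a, b) => a.order - b.order)    // the Order field drives the sequence
    .forEach((m) => {
      if (m.method === 'script') {
        scripted[m.name] = m.script(primary, m.min, m.max);
        return;
      }
      // Dependent question: shown only when the parent answer matches.
      if (m.depends_on && answers[m.depends_on] !== m.displayed_when) return;
      let dflt = '';
      if (m.method === 'default_from_field') dflt = inc[m.default_answer] || '';
      // "Ask question: only if empty": a populated field answers it silently.
      if (m.ask_question === 'if_empty' && dflt !== '') return;
      questions.push({ name: m.name, defaultValue: dflt, mandatory: !!m.mandatory });
    });
  return { questions: questions, scripted: scripted };
}

// A questionnaire can be submitted only when every mandatory question shown
// has a non-empty answer.
function canSubmit(questionnaire, answers) {
  return questionnaire.questions.every(
    (q) => !q.mandatory || (answers[q.name] !== undefined && answers[q.name] !== '')
  );
}
```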

To create a new question:

1. Navigate to Security Incident > Post Incident Review.
2. Click the category for which you want to create a new question.
3. Click the Assessment Metrics tab.
4. Click New. You can also click an existing question to modify it.
5. Fill in the fields on the form, as appropriate.
   Table 35: Metric form
   Name: Name of the metric (question or script). If the metric is a scripted data collection, this name appears on the post incident report.
   Category: The category that the metric belongs to. The system automatically populates this category if you create a new metric from the Metric Category form. Note: You cannot change the category if the Depends on field is set or if another metric depends on this metric.
   Method: Indicates the type of metric, as follows:
   - Assessment: A question that has no default value. There are several data types that can be defined in the Data Type field on the Field Type tab, such as check boxes, choice lists, and text input.
   - Script: Scripted metric. Obtain values by writing a custom script. The Script method is compatible with the Duration, Number, and Percentage data types.
   - Default answer from field: A question where the default response comes from a selected field in the security incident. Selecting this option adds two fields to the General tab:
     Default answer: Select the field in the security incident that contains the default answer for the question. For example, for the question "Who initially reported this incident?", the Requested by field would be a likely choice.
     Ask question: Specifies when to ask the question: always or only if the Default answer field is empty. Using the example above, the question would be asked if the Requested by field is empty.
   - Default answer from script: A question where the default answer comes from a script. The answer may be a number, string, or percentage. The General tab adds a field:
     Ask question: Specifies when to ask the question: always or only if the script does not provide a default answer. The script is defined on the Field Type tab.
   Note: If you select a Data type that is incompatible with the selected Method, the system automatically changes the Method to a compatible value.

   Weight [Required]: Numeric value that represents the importance of this metric relative to other metrics in the same category. By default, the weight is 10. This field is visible and required unless the Data type is Date, Date/Time, or String. These data types are not included in results calculations.
   Order [Required]: Numeric value that determines the order of the metric question on assessment questionnaires, relative to other metric questions in the same category. The metric with the smallest order value appears as the first question in the category section. By default, the order is 100. Note: It does not matter which order value you use for metrics with the Script method, as they do not appear on questionnaires.
   Active: Check box that determines whether this metric is used. If the check box is not selected, it is as if the metric record does not exist.
   Mandatory: Check box that makes the metric question mandatory (selected) or optional (cleared) on assessment questionnaires. Users cannot submit questionnaires until they provide valid responses to all mandatory questions, which are denoted by a red field status indicator. This field is visible only if the Depends on field is empty and the data type is not Checkbox.
6. Click the General tab and fill in the fields, as appropriate.
   Table 36: General tab
   Question: Text to use as the question on security incident review questionnaires. Enter a clear, straightforward question that is easy to answer, such as "How did we contain the incident?"
   Information about the metric and what it evaluates. If the Method is Assessment, include details that help users understand how to answer the question. This text appears as a hint when a user points to the question text on the questionnaire.

   Depends on and Displayed when: Select a question in the Depends on field that the current question depends on. For example, the question "What additional logs were needed?" depends on the question "Were all needed logs available?" Next, use the Displayed when field to identify when you want the dependent question to appear in questionnaires. For example, if you want the dependent question to be asked only when the user answers No to the "Were all needed logs available?" question, select No in the Displayed when field. Note: The system prevents the creation of recursive dependencies between metrics. For example, if Metric A depends on Metric B, Metric B cannot depend on Metric A.
7. Click the Field Type tab and fill in the fields, as appropriate.
   Table 37: Field Type tab
   Data type: The data type of the expected response. The list of available types depends on the selected method. If the method is Assessment, the data type determines how users answer the corresponding question on questionnaires. If the method is Script, the data type determines how the system calculates assessment results. Note: If another metric depends on this metric, you cannot change the data type.
   Randomize answers: Check box that determines whether to present the answer options for this metric question in a random order each time a user opens an assessment questionnaire that contains the question. Answer preference can be influenced by the order in which answer options appear, which can result in biased results. Randomizing answer options can help prevent this bias. This field is visible only if you select Likert scale or Choice in the Data type field.
   Dependent plugin [Required if the Method is Script]: Plugin that contains the tables queried in the script. The system executes the metric script only if the plugin is active. The default available values are Asset Management, CMDB, Core, Cost Management, Procurement, and Software Asset Management. This field is visible only if the Method is Script. Note: If the Core default value is used, the script is always run. Note: If you are an administrator, you can add more choices of plugins to the field.

   Scale definition: Setting that determines whether lesser or greater numerical values equate to a good score in assessment result calculations. Select Low if lesser numerical values are better, such as for a metric that measures the number of defects for a vendor. Select High if greater numerical values are better, such as for a metric that measures user satisfaction on a scale of one to five. The default value is High. This field is visible and required unless the Data type is Date, Date/Time, or String. The results for these data types are not included in results calculations.
   Min: Lowest numerical value to be used as an answer option on assessments or as a scaled value in a scripted metric. This field is visible and required only if certain data types are selected. If the data type is Choice or Likert Scale, this field is read-only and is set automatically based on the smallest metric definition Value.
   Max: Highest numerical value to be used as an answer option or scaled value. This field is visible and required only if certain data types are selected. If the data type is Choice or Likert Scale, this field is read-only and is set automatically based on the largest metric definition Value.
   Script: Script that obtains the desired system information. The script has one input variable, primary, set with the ID of the security incident, and three possible output variables set by the script: string_result, scaled_result, and actual_result. When the data type is String, only string_result is required. For more information about using this field, see Script Method. This field is visible and required when the Method is Script, or when the default value comes from a script.
   Template: A predefined set of common answers to use for the question. For example, a frequency template would likely start with a value of "Never" and go up to the top value of "Always." This field is visible and required only if the Data type is Template. Note: If another metric depends on this metric, you cannot change the template.
8. Optional: When you have completed your entries, click Update.

Security Incident Response Orchestration

With Security Incident Response Orchestration, you can interact with and retrieve data from Windows or UNIX-based systems and environments using workflow orchestration.

For more information on editing Security Incident Response Orchestration workflows or creating custom workflows, see Workflow and Workflow editor.

Set up Security Incident Response Orchestration

To use activities within workflows, you must first set up Security Incident Response Orchestration. You need a fully populated CMDB with domain names to use Security Incident Response. For more information, see Discovery.

Role required: admin

Prior to using Security Incident Response Orchestration, perform steps to set up various parts of the system, including populating the CMDB, configuring the MID Server, and configuring credentials.

1. Activate the Security Incident Response plugin.
2. Configure the MID Server.
3. Configure credentials.

You are now ready to use Security Incident Response Orchestration activities within a workflow.

Security Incident Response Orchestration workflows and activities

Several workflows are included with Security Incident Response Orchestration. Workflows and activities automate and expedite your processes. Use workflows to request scans, retrieve statistics, retrieve processes, obtain details, and more.

Create IoC Lookup Request for IoC Changes workflow

A business rule triggers the Security Incident Response - Create IoC Lookup Request for IoC Changes workflow to run automatically when an IoC is added or changed. Entering new data triggers malware scans, and only the new data is scanned.

Role required: sn_si.basic

If the IoC is empty, the workflow does not run. Historical scans are retained and viewable in the Security Scan Requests tab and work notes of the security incident. Existing security incidents automatically update.

Workflow process activities include:
- Run Audit Log script
- Create IoC Lookup Request activity on page
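An added example (not ServiceNow's code) of how a business rule could derive the iocstring input for the Create IoC Lookup Request activity when an IoC field changes: only values added since the last save are included, so only the new data is scanned, and each is classified as IP, hash, or URL. The JSON layout, the function names and the sample field values are assumptions; the activity's real input format is not documented on this page.

```javascript
// Added example, not ServiceNow code: derives the lookup payload for IoC
// values that were added to a security incident's IoC field, so that only the
// new data is scanned. The JSON layout and helper names are assumptions; the
// activity's real input format is not documented on this page.

// Dotted-quad IPv4 with each octet in 0..255.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
// Hex digest lengths for the hash types a malware lookup commonly accepts.
const HASH_ALGOS = { 32: 'md5', 40: 'sha1', 64: 'sha256' };

// Classify one observable as one of the page's three kinds: ip, hash, or url.
// Returns null for anything else so that junk never reaches the lookup.
function classifyIoc(value) {
  const v = value.trim();
  if (IPV4.test(v)) return { type: 'ip', value: v };
  if (/^[0-9a-f]+$/i.test(v) && HASH_ALGOS[v.length]) {
    return { type: 'hash', value: v.toLowerCase(), algorithm: HASH_ALGOS[v.length] };
  }
  if (/^https?:\/\/\S+$/i.test(v)) return { type: 'url', value: v };
  return null;
}

// Split a free-text IoC field (comma, semicolon or whitespace separated),
// dropping empty entries and duplicates.
function splitIocField(text) {
  return Array.from(new Set((text || '').split(/[\s,;]+/).filter(Boolean)));
}

// Values present in the current field value but not in the previous one.
function newIocValues(previous, current) {
  const seen = new Set(splitIocField(previous));
  return splitIocField(current).filter((v) => !seen.has(v));
}

// Build the iocstring payload for the activity, or null when there is nothing
// new to scan (the workflow does not run on an empty IoC).
function buildIocString(siid, previous, current) {
  const iocs = newIocValues(previous, current).map(classifyIoc).filter(Boolean);
  if (iocs.length === 0) return null;
  return JSON.stringify({ siid: siid, iocs: iocs });
}
```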

Retrieve network statistics with the Get Network Statistics workflow

The Security Incident Response - Get Network Statistics workflow retrieves the network statistics for an affected Windows-based resource when it is added to a security incident in the Analysis state.

Role required: sn_si.analyst

For new security incidents, the workflow runs automatically when you submit the incident with a selected configuration item and the state automatically changes to Analysis. If the incident remains in the Draft state, the workflow does not run. Existing security incidents automatically update when they are in the Analysis state and a new configuration item is added.

Workflow process activities include:
- Run Audit Log Enrichment script
- Get Configuration Item FQDN activity on page 437
- Get Network Statistics via netstat activity on page 440
- Create Enrichment Data records activity on page

1. Open a security incident.
2. Update the State to Analysis, if necessary.
3. Add a configuration item (computer, server, or similar).
4. Click Update.

Security Incident Response Orchestration provides network statistics information in the Related Links > Security Incident Enrichments tab. For more information, see enrichment data mapping on page 424.

Retrieve running processes with the Get Running Processes workflow

The Security Incident Response - Get Running Processes workflow retrieves the running processes of a Windows-based configuration item when it is added to a security incident in the Analysis state.

Role required: sn_si.analyst

For new security incidents, the workflow runs automatically when you submit the incident with a selected configuration item and the state automatically changes to Analysis. If the incident remains in the Draft state, the workflow does not run. Existing security incidents automatically update when they are in the Analysis state and a new configuration item is added.

Note: For information on using the Get Running Processes via WMI activity in workflows, see Retrieve running processes with the Get Running Processes workflow on page 107.

Workflow process activities include:
- Run Audit Log script
- Get Configuration Item FQDN activity on page 437
- Get Running Processes via WMI
- enrichment data mapping on page

1. Open a security incident.
2. Update the State to Analysis, if necessary.
3. Add a configuration item (computer, server, or similar).
4. Click Update.

Security Incident Response Orchestration provides running process information in the Related Links > Security Incident Enrichments tab. For more information, see enrichment data mapping on page 424.

Get Threat Details and Delete workflow

The Security Incident Response - Get Threat Details and Delete workflow returns threat details from an Exchange Server search. You can delete the emails upon approval. In the security incident, the Delete from Exchange button on the Exchange Search form triggers the workflow when the Query result is set to Return details.

Workflow process activities include:
- Runs a script to fetch a search query from all associated active search criteria records to run on the Exchange Server, using the Get Details from Exchange Server activity on page 438.
- Runs a script to create search results from the previous activity, with the following fields:
  Action: Search for Delete / Delete.
  Result type: Details.
  Email count: Integer (total number of emails found). Appears only with the Delete action.
  Search query: Query text string run on the Exchange Server.
  Email date received: Timestamp for when the email arrived. Appears only with the Search for Delete action.
  Email read status: Read / Not Read. Appears only with the Search for Delete action.
  Recipient: Full email address. Appears only with the Search for Delete action.
  Search date: Timestamp for when the workflow ran.
  Email message ID: Email message ID from the Exchange Server. Included only with the Search for Delete action. (Not displayed.)
- Approval - User. Note: Users with the sn_si.admin role are automatically added as approvers. If any one admin approves, the workflow continues.
- Runs a script to add a work note to all associated security incidents when approval is requested and when the request is approved or rejected.
- Deletes emails upon approval using the Search/Delete Threat in Exchange activity on page 443.
- Creates an Exchange Search Results record with the fields listed above. Note: The email details are not returned nor displayed in the Delete result.
- Adds a work note to all associated security incidents with the deletion result.
- Log message.

Note: Any PowerShell script errors are recorded in the system logs.


Return Details from Exchange workflow

The Security Incident Response - Return Details from Exchange workflow returns details of the threat emails found on the Exchange Server. In the security incident, the Query Exchange button on the Exchange Search form triggers the workflow when the Query result is set to Return details.

Workflow process activities include:
- Runs a script to fetch a search query from all associated active search criteria records to run on the Exchange Server, using the Get Details from Exchange Server activity on page 438.
- Creates an Exchange Search Results record as follows:
  Action: Search.
  Result type: Details.
  Email count: N/A.
  Search query: Query text string run on the Exchange Server.
  Email date received: Timestamp for when the email arrived.
  Email read status: Read / Not Read.
  Recipient: Full email address.
  Search date: Timestamp for when the workflow ran.
  Email message ID: Email message ID from the Exchange Server. (Not displayed.)
- Log message.

Note: Any PowerShell script errors are recorded in the system logs.


Return Total Emails Found in Exchange workflow

The Security Incident Response - Return Total Emails Found in Exchange workflow returns the total number of threat emails found on the Exchange Server. In the security incident, the Query Exchange button on the Exchange Search form triggers the workflow when the Query result is set to Return count.


Workflow process activities include:
- Runs a script to fetch a search query from all associated active search criteria records to run on the Exchange Server, using the Search/Delete Threat in Exchange activity on page 443.
- Creates an Exchange Search Results record as follows:
  Action: Search
  Result type: Count
  Email count: Integer (total number of emails found)
  Search query: Query text string run on the Exchange Server
  Email date received: N/A
  Email read status: N/A
  Recipient: N/A
  Search date: Timestamp for when the workflow ran
- Log message.

Note: Any PowerShell script errors are recorded in the system logs.


Search and Delete Threat Emails workflow

The Security Incident Response - Get Threat Details and Delete workflow returns the number of threat emails from an Exchange Server search and lets you delete them. The search query can take some time to complete. Once the count is received, approval is required to delete emails from an Exchange server. In the security incident, the Delete from Exchange button on the Exchange Search form triggers the workflow when the Query result is set to Return count.

Workflow process activities include:
- Runs a script to fetch a search query from all associated active search criteria records to run on the Exchange Server, using the Search/Delete Threat in Exchange activity on page 443.
- Runs a script to create search results from the previous activity, with the following fields:
  Action: Search for Delete
  Result type: Count
  Email count: Integer (total number of emails found)
  Search query: Query text string run on the Exchange Server
  Email date received: N/A
  Email read status: N/A
  Recipient: N/A
  Search date: Timestamp for when the workflow ran
- Approval - User. Note: Users with the sn_si.admin role are automatically added as approvers. If any one admin approves, the workflow continues.
- Runs a script to add a work note to all associated security incidents when approval is requested and when the request is approved or rejected.
- Deletes emails upon approval using the Search/Delete Threat in Exchange activity on page 443.
- Creates an Exchange Search Results record with the fields listed above.
- Adds a work note to all associated security incidents with the deletion result.
- Log message.

Note: Any PowerShell script errors are recorded in the system logs.


Create IoC Lookup Request activity

The Create IoC Lookup Request activity can be used with any workflow to create a malware lookup request for added or modified IoC fields.

Activity results

Possible results for this activity are:

Table 38: Results
Success: Lookup request created.
Failure: Lookup request not created.

Table 39: Input variables
iocstring: JSON formatted IoC information (IP, hash, or URL).
siid: Security incident system identifier.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 40: Output variables
scnreqid: Lookup request identifier.

Components installed with Security Incident Response

Several types of components are installed with Security Incident Response. Activating the Security Incident Response plugin adds or modifies several tables, user roles, and other components. Demo data is available with Security Incident Response.

Tables installed with Security Incident Response

Security Incident Response adds the following tables.

Table 41: Tables for Security Incident Response

Security Incident [sn_si_incident]: Stores a security incident, the responses to the incident, all linked tasks, changes, problems, and incidents related to this security incident.
Security Incident Import [sn_si_incident_import]: Creates security incidents from external systems.
Security Incident Attack Vectors [sn_si_attack_vector]: Attack vector options.
Security Incident Audit Log [sn_si_audit_log]: Stores security incident enrichment audit logs.
Security Incident Calculator [sn_si_calculator]: A calculator to set certain security incident fields when certain conditions are met.
Security Incident Calculator Group [sn_si_calculator_group]: A grouping of security incident calculators. The order of the calculator group determines which group is evaluated first, and in each group, one calculator at most is used.
Security Incident Enrichment Firewall [sn_si_enrichment_firewall]: Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to Palo Alto Networks Firewall.
Security Incident Enrichment Malware Results [sn_si_enrichment_malware]: Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to malware.
Security Incident Enrichment Network Statistics [sn_si_enrichment_network_statistics]: Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to network statistics.
Security Incident Enrichment Running Processes [sn_si_enrichment_running_processes]: Extends from the base table (sn_sec_cmn_enrichment_data_base) and includes all enrichment records specific to running processes.
Security Incident Exchange Search [sn_si_m2m_incident_exchange_search]: Maps exchange search records to security incidents.
Security Incident Process Definition [sn_si_process_definition]: Stores configuration for Security Incident process flows.
Security Incident Process Definition Selector [sn_si_process_definition_selector]: Sets the Security Incident Process Definition to use for security incidents.
Security Incident Related Customer Service Case [sn_si_m2m_incident_customerservice_case]: Maps customer service cases and security incidents.

Security Incident Related Enrichment Data [sn_si_m2m_incident_enrichment]
Security Incident Runbook Document [sn_si_runbook_document]: Associates security incident conditions or filters with a knowledge article. Used to specify runbook procedures for security incident remediation.
Security Incident Response Task [sn_si_task]: Manages subtasks related to handling a security incident. These tasks can be assigned to security personnel, or to people in other departments, to manage interdepartmental communication and task tracking.
Security Incident Response Task Template [sn_si_task_template]: Used to create a Security Incident Response task. These templates are often used in catalog entries, to automatically create a set of appropriate subtasks for a particular type of security incident.
Security Incident Template [sn_si_incident_template]: Used to create a security incident. These templates are often used in catalog entries to create a prebuilt security incident.
Security Request [sn_si_request]: A security-related request to the security team.
Security Scan Request [sn_si_scan_request]: A request for a threat lookup.
Severity Calculator [sn_si_severity_calculator]: Defines the severity, impact, risk, and criticality values for a security incident.
Task Affected User [sn_si_m2m_task_affected_user]: A many-to-many table associating security incidents with affected users.

Properties installed with Security Incident Response

Security Incident Response adds the following properties.

Table 42: Security Incident properties

sn_si.allow_multiple_csm_cases: Allow multiple CSM cases from a Security Incident. When set to true, keeps the Create CSM Case button available on the security incident. When set to false, only one case can be created and the button disappears for that incident. Type: true | false. Default value: false. Location: Security Incident > Administration > Properties.
sn_si.allow.toll.roads: Allow toll roads to be used.

sn_si.autodispatch.geolocation: Used to update estimated travel time.
sn_si.default.end.time: Default end time for all security analysts when no schedule is set, formatted as 17:00. Type: string. Default value: 17:00. Location: Security Incident > Administration > Properties.
sn_si.default.start.time: Default start time for all security analysts when no schedule is set, formatted as 08:00. Type: string. Default value: 08:00. Location: Security Incident > Administration > Properties.
sn_si.evening.rush.hours: Evening rush hour span, formatted as 14:30-16:00.
sn_si.map.merge.task.agent.markers: Merges the task and agent markers on the geolocation maps with a purple marker.
sn_si.morning.rush.hours: Morning rush hour span, formatted as 06:30-08:00.
sn_si.popup: Allow customization when creating a problem or change request from a Security Incident. When a problem or change is created, this property opens a pop-up window to modify the request. If set to false, the problem or change request has the same priority, short description, and description as the security incident, without the option to add or edit those fields. Type: true | false. Default value: true. Location: Security Incident > Administration > Properties.
sn_si.rush.travel.buffer: Percentage to add to all rush hour travel times.
sn_si.travel.buffer: Percentage to add to all travel times. An example of a valid percentage value is 15.
sn_si.unlocked: Admin users can access Security Incident Response.

Assignment properties for Security Incident Response

sn_si.location.weight (Location Weight): A rating used when calculating the criteria to use for auto-assigning a security analyst. If, for example, location is considered for a task, the location weight value is added to the security analyst rating. Type: integer. Default value: 10. Location: Security Incident > Administration > Properties.
sn_si.skills.weight (Skills Weight): A rating used when calculating the criteria to use for auto-assigning a security analyst. If, for example, skills are considered for a task, the skills weight value is added to the security analyst rating. Type: integer. Default value: 10. Location: Security Incident > Administration > Properties.
sn_si.max.agents.processed: Set the maximum number of security analysts that are processed by auto-assignment at a time. The system has an absolute limit of 300 security analysts. If you specify more than 300, it sets the value to that level. The system cannot auto-dispatch a task for a dispatch group that contains more security analysts than the value configured. Type: integer. Default value: 100. Location: Security Incident > Administration > Properties.
sn_si.timezone.weight (Time Zone Weight): A rating used when calculating the criteria to use for auto-assigning a security analyst. If, for example, the security analyst time zone is considered for a task, the time zone weight value is added to the security analyst rating. Type: integer. Default value: 10. Location: Security Incident > Administration > Properties.
sn_si.work.spacing: Amount of time (in minutes) to add between the end of a task and the travel start of the next. An example of a valid time value is 10. Type: integer. Default value: 0. Location: Security Incident > Administration > Properties.

Roles installed with Security Incident Response

Security Incident Response adds the following roles.

Table 43: Roles for Security Incident Response

security admin [sn_si.admin]
  Full control over all Security Incident Response data. Also administers territories and skills, as needed.
  Note: In the base system, the administrator also has access to sn_si.admin. Security Incident Response can be restricted from the administrator as long as at least one other user is assigned the security admin role.
  Contains roles: catalog_admin, skill_admin, skill_model_admin, sn_si.analyst, sn_si.manager, sn_si.knowledge_admin, template_admin, template_editor_global, territory_admin, treemap_admin, user_admin

security analyst [sn_si.analyst]
  Tier 1 and 2 security analysts work on security incidents. They can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents.
  Contains roles: sn_si.basic, sn_vul.vulnerability_read (if the Vulnerability Response plugin is activated)

security basic [sn_si.basic]
  Underlying role for basic Security access. Users with this role can create and update security incidents, requests, and tasks, as well as problems, changes, and outages related to their incidents.
  Contains roles: document_management_user, grc_user (if the GRC:Risk plugin is activated), inventory_user, pa_viewer, service_fulfiller, skill_user, sn_si.read, task_activity_writer, task_editor, treemap_user

ciso [sn_si.ciso]
  View and manipulate the CISO dashboard. Also, if the Vulnerability Response plugin is activated, users with this role can add vulnerability significance definition treemaps to the dashboard.
  Contains roles: pa_viewer, sn_si.read

external [sn_si.external]
  External users can view tasks assigned to them.
  Contains roles: service_fulfiller

135
Role title [name] | Description | Contains roles
integration user [sn_si.integration_user] | External tools can provide new security incident records and update security incident records. | import_transformer
knowledge admin [sn_si.knowledge_admin] | Manage, update, and delete the information in the Security Incident knowledge base. | knowledge_admin, sn_si.basic
manager [sn_si.manager] | Same access as security analysts, with the additional ability to adjust the members of assignment groups. |
read [sn_si.read] | Read security incidents. | grc_compliance_reader (if the GRC:Risk plugin is activated)
special access [sn_si.special_access] | Users without a security role can interact with a security incident. The special access role is used with the Read access and the Privileged access lists. To interact with a security incident, you must be in the special access role and assigned to one of the special access lists (read or privileged). Users with special access roles have their own module containing all security incidents assigned to them. No other modules are available to them. No one else can see the Visible to Me module. |
Script includes installed with Security Incident Response
Security Incident Response adds the following script includes.
Table 44: Script includes for Security Incident Response
Script include | Description
CalculateSeverity | Handles the security incident severity calculations and rules.
ChecklistTemplateApplicator | Convenience script to apply a checklist to a security incident.

136
Script include | Description
ProcessDefinition | Controls the Security Incident and Security Incident Response Task life cycle. Determines which states are available, in what order, and which state transitions are permissible.
ProcessDefinitionAjax | Provides client-side functionality for Process Definition logic.
ProcessDefinition_Example | Sample process flow definition implementation.
ProcessDefinition_Kill_Chain | Kill chain process flow definition implementation.
ProcessDefinition_NIST_Open | NIST process flow definition implementation that supports open switching between states.
ProcessDefinition_NIST_Stateful | NIST process flow definition implementation that restricts open switching between states. This is the default definition.
ProcessDefinition_SANS_Open | SANS process flow definition implementation.
SecurityAccessUtils | A class containing utilities for assigning and managing special access for users without security roles.
SecurityAffectedUserUtils | A class containing utilities for operations relating to task affected users.
SecurityCriticalityCalculator | Handles the calculation of business criticality for a security incident.
SecurityIncidentAJAX | Handles server-side security utility functions.
SecurityIncidentAuditLogService | Creates audit logs.
SecurityIncidentUtils | Handles utility functions for security incidents, including some handling of Event fields and creation of problems and change requests.
SecurityReviewGenerator | Generates a security incident post incident review.
Client scripts installed with Security Incident Response
Security Incident Response adds the following client scripts.
Table 45: Client scripts for Security Incident Response
Client script | Table | Description
Allow state changes | Security Incident [sn_si_incident] | Allows the state field to be manually set.
Change None to Leave Alone | Severity Calculator [sn_si_severity_calculator] | Changes the default value for the severity calculator form.

137
Client script | Table | Description
Copy Closure info to Work Notes | Security Incident [sn_si_incident] | When closing an incident, this client script copies the closure information to the work notes. This action is for documentation purposes, as well as to prevent any messages when the configuration is set to require work notes.
Handle wait for start | Security Scan Request [sn_si_scan_request] | The wait for start flag is used to mark a manually created scan request that did not come from a catalog, email, or other script. It must be set for new items and the check box itself is hidden.
Hide empty fields | Security Scan Request [sn_si_scan_request] | Hides fields that are empty and not needed if they are not set on creation.
Hide select tabs in Draft state | Security Incident [sn_si_incident] | Hides select section tabs when the security incident is in the Draft state.
Hide the closure tab | Security Incident [sn_si_incident] | Hides the close code, notes, and other closure information until the security incident transitions to the Review or Closed state. There are two client scripts for this action: one runs when the form is loaded and one updates when the state is changed.
Populate table | Runbook Document [sn_si_runbook_document] | Populates the table field in a runbook document form when the filter group changes.
Set default short description | Security Scan Request [sn_si_scan_request] | Sets a default short description when no other short description is provided.
Show kb article if runbook exists | Runbook Document [sn_si_runbook_document] | Displays the related fields when the knowledge base article is populated.
sn_si_incident change state | Security Incident [sn_si_incident] | Handles state flows of all field controls.
sn_si_incident state process | Security Incident [sn_si_incident] | State flow handling of permitted states.
sn_si_task process definition | Security Incident Response Task [sn_si_task] | State flow handling of permitted states.

138
Client script | Table | Description
Toggle rel lists for scan type onchange | Security Scan Request [sn_si_scan_request] | Determines which related lists to show depending on the scan type.
Business rules installed with Security Incident Response
Security Incident Response adds the following business rules.
Table 46: Business rules for Security Incident Response
Business rule | Tables | Description
Add extended info into SI | Alert [em_alert] | When an alert creates a security incident and has additional information for a security incident, this business rule pulls that information into the security incident.
Auto assessment business rule | Security Incident [sn_si_incident] | Supports assessments for security incident post incident review functionality.
Auto deletion rule for Assessments | Security Incident [sn_si_incident] | Handles deletion of assessable records for security incidents when no longer needed (Post Incident Report support).
Calculate business criticality | Security Incident [sn_si_incident] | Calculates the business criticality whenever a vulnerability record is saved or updated.
Calculate Severity | Security Incident [sn_si_incident] | Runs the security incident calculators when the security incident is created or when a configuration item is updated.
Clean special access lists | Security Incident [sn_si_incident] | If a user with the Special access role was added to both the Read access and Privileged access lists, only the Privileged access permissions persist.
Close child security incidents | Security Incident [sn_si_incident] | Closes child security incidents when the parent security incident is closed.
Copy CI And User | Security Incident Response Task [sn_si_task] | Copies the CI and user from a security incident to its child response task.

139
Business rule | Tables | Description
Copy location | Security Incident Response Task [sn_si_task] | Copies the location from the security incident Location field to the new task.
Create Knowledge On Closure | Security Incident [sn_si_incident] | If Create Knowledge Article is selected on a security incident form, this rule creates a knowledge base article when the incident is closed.
Disallow closure with open response task | Security Incident [sn_si_incident] | Prevents a security incident from closing if there are open response tasks.
Dont allow new tasks for closed incident | Security Incident Response Task [sn_si_task] | Prevents new response tasks from being created for closed security incidents.
Generate PIR PDF | Security Incident [sn_si_incident] | Generates a post incident review PDF document.
Generate PIR when in Review and Close | Security Incident [sn_si_incident] | Automatically generates the post incident report when changes are made to the incident while in the Review or Closed state.
Handle assessments | Security Incident [sn_si_incident] | Facilitates the creation of assessments for the security incident.
Handle assessments setup | Security Incident [sn_si_incident] | Handles assessments in support of Post Incident Review functionality.
Limit Sec Manager Admin User access | Group Member [sys_user_grmember] | Prevents security users from making modifications to non-security groups.
Manage special access role | Security Incident [sn_si_incident] | Gives the special access role to users added to either the Read access or Privileged access fields on the Security Incident Response form.
Messages | Severity Calculator [sn_si_severity_calculator] | Stores the "Leave alone" message for the severity calculator client script.

140
Business rule | Tables | Description
Prevent duplicate runbook articles | Runbook Document [sn_si_runbook_document] | On update or insert of the article, checks whether the combination of filter conditions or filters and KB article already exists. If so, the transaction is rolled back.
Prevent non-security roles reading | Application Menu [sys_app_application], Attachment [sys_attachment], History [sys_history_line], Journal Entry [sys_journal_field], Product Model [cmdb_model], Security Incident Attack Vectors [sn_si_attack_vector], Severity Calculator [sn_si_severity_calculator], Task [task] | Prevents an administrator and other non-security roles from viewing any part of the Security Incident Response data.

141
Business rule | Tables | Description
Prevent non-security roles updating | Contained Role [sys_user_role_contains], Group Member [sys_user_grmember], Group Role [sys_group_has_role], Security Incident [sn_si_incident], Security Incident Attack Vectors [sn_si_attack_vector], Security Incident Flow [sn_si_sf_incident], Security Incident Response Task [sn_si_task], Security Incident Response Task Flow [sn_si_sf_task], Security Incident Response Task Template [sn_si_task_template], Security Incident Template [sn_si_incident_template], Severity Calculator [sn_si_severity_calculator], SM Configuration [sm_config], SM Notification Rule [sm_notification_rule], System Property [sys_properties], User [sys_user], User Role [sys_user_has_role] | Prevents an administrator and other non-security roles from viewing or updating any part of the Security Incident Response data.
Process definition change | Security Incident Process Definition Selector [sn_si_process_definition_selector] | Handles the change of the selected security incident process definition.
Propagate work notes to child incidents | Security Incident [sn_si_incident] | Pushes work notes made on a parent security incident to its child security incidents.
Refresh impacted services on CI change | Security Incident [sn_si_incident] | When the configuration item (CI) changes, this rule updates the list of affected services.
Regen PIR on closure/cancel/update | Assessment Instance [asmt_assessment_instance] | Regenerates the post incident review report when a security incident is closed, canceled, or updated.

142
Business rule | Tables | Description
Request for IoC lookup | Security Incident [sn_si_incident] | Computes the delta of the security incident observable fields and launches the workflow to create a lookup request.
Require assessments to be complete | Security Incident [sn_si_incident] | Prevents security incidents from being closed until all assessments are completed.
Set initial state | Security Incident [sn_si_incident], Security Incident Response Task [sn_si_task] | Sets the initial state of the associated task.
Store assignee | Security Incident [sn_si_incident] | When an incident is reassigned, the newly assigned security analyst is added to the list of people who must complete any post incident review questionnaire created for the incident.
Store external url in scratchpad | Security Incident [sn_si_incident] | Stores the external URL for use when drilling down to the originating data for a security incident created by an external event.
Sync affected users | Security Incident [sn_si_incident], Task Affected User [sn_si_m2m_task_affected_user], Security Incident Response Task [sn_si_task] | Syncs the affected users between the security incident, the Security Incident Response task, and the many-to-many tables.
Trigger Workflows | Security Incident [sn_si_incident], CIs Affected [task_ci] | Triggers security incident workflows when conditions are met.
Update related incident | Security Incident [sn_si_incident] | As more comments (not work notes) are added to a security incident, this rule updates the originating incident, if there is one.

143
Business rule | Tables | Description
Update security incident | Change Request [change_request], Incident [incident], Problem [problem] | As updates are made to the change request, updates the originating security incident.
Validate state change | Security Incident [sn_si_incident], Security Incident Response Task [sn_si_task] | Checks that a state change being made on a security incident or response task is valid.
Verify at least one filter in advanced | Runbook Document [sn_si_runbook_document] | If the Advanced option is selected, ensures that at least one filter is listed. If not, it prevents the update or insert.
Note: The Prevent non-security roles reading and Prevent non-security roles updating business rules depend on a property in Security Incident Properties. If the Admin users can access Security Incident Response property is set to No, these business rules are invalid.
Content packs for Security Incident Response
Content packs contain preconfigured best practice dashboards. These dashboards contain actionable data visualizations that help you improve your business processes and practices.
Note: You can activate Performance Analytics content packs and in-form analytics on instances that have not licensed Performance Analytics Premium to evaluate the functionality. However, to start collecting data you must license Performance Analytics Premium.
Content packs
The Performance Analytics widgets on the dashboard visualize data over time. These visualizations allow you to analyze your business processes and identify areas of improvement. With content packs, you can get value from Performance Analytics for your application right away, with minimal setup.
Note: Content packs include some dashboards that are inactive by default. You can activate these dashboards to make them visible to end users according to your business needs.
To enable the content pack for Security Incident Response, an admin can navigate to Performance Analytics > Guided Setup.
Click Get Started, then scroll to the section for Security Incident Response. The guided setup takes you through the entire setup and configuration process.
Vulnerability Response
The National Vulnerability Database (NVD) and many other sources collect information about known vulnerabilities, such as weaknesses in software and operating systems that can be exploited by malware and

144
other attacks. The Vulnerability Response application aids you in tracking, prioritizing, and resolving these vulnerabilities.
Explore, set up, administer, use, develop, and integrate: Vulnerability Response release notes; Upgrade to; Vulnerability Response overview on page 144; videos; Activate Vulnerability Response on page 145; NVD and CWE data import on page 146; NVD and CWE updates on page 171; Vulnerability Response monitoring on page 151; Vulnerability groups on page 158; Vulnerability scanners and scans on page 185; Vulnerability calculators on page 146; Developer training; Developer documentation; Vulnerability Response Orchestration on page 191; Components installed with Vulnerability Response on page 196; Vulnerability integration definitions on page 150; integrations on page 256; Security Operations integration development guidelines on page 256.
Troubleshoot and get help: Ask or answer questions in the community; Search the HI knowledge base for known error articles; Contact Support.
Vulnerability Response overview
With Vulnerability Response, you can compare the library of known vulnerabilities to find Configuration Items (CIs) with vulnerable software (as identified in the Asset Management module). The vulnerability data can be pulled from internal and external sources, such as the NVD. For CIs with software affected by a vulnerability, you can create changes, problems, and security incidents.
You can also view the library of Common Weakness Enumeration (CWE) records from the NVD to understand how they relate to the Common Vulnerability and Exposure (CVE) records. Knowledge articles associated with the CWEs are included for reference. As needed, you can update your system from the vulnerability databases on demand or by running user-configured scheduled jobs.
If the Qualys Vulnerability Integration plugin is activated and configured, Vulnerability Response can receive vulnerability data from the Qualys scanner in the form of vulnerabilities and vulnerable items.
You can also assign and remediate groups of CIs in bulk.
Vulnerability Response terminology
The following terms are used in Vulnerability Response.

145
Term | Definition
CVE | Common Vulnerability and Exposure: a dictionary of publicly known information-security vulnerabilities and exposures.
CVSS | Common Vulnerability Scoring System: an open framework for communicating the characteristics and severity of software vulnerabilities.
CWE | Common Weakness Enumeration: a list of software vulnerabilities.
Discovery models | Software models used to help normalize the software you own by analyzing and classifying models to reduce duplication.
Vulnerability calculators on page 146 | Calculators used to prioritize and categorize vulnerabilities based on user-defined criteria.
Vulnerability integrations on page 177 | A process that pulls report data from a third-party system, generally to retrieve vulnerability data.
Vulnerability entries | Records of potentially vulnerable software downloaded from the National Institute of Standards and Technology (NIST) NVD.
Vulnerable items | Pairings of vulnerable entries downloaded from the NIST NVD and potentially vulnerable configuration items and software in your company network.
Set up Vulnerability Response
Before Vulnerability Response can be used, you must activate the plugin and configure how you want the application to function. Other types of information can be set up to manage vulnerabilities within the application: email notifications, email templates, integrations, and SLAs.
Activate Vulnerability Response
Activate the Vulnerability Response plugin and configure it based on the needs of your organization. This plugin is available as a separate subscription.
Role required: admin
Vulnerability Response activates these related plugins if they are not already active.
Table 47: Plugins for Vulnerability Response
Plugin | Description
Software Asset Management Core [com.snc.sam.core] | Provides the base tables for software asset management. Includes software installations, usages, suite calculations, and discovery models.

146
Plugin | Description
Security Support Orchestration [com.snc.secops.orchestration] | Provides integration with Orchestration to allow the facilitation of workflow activities within Security Incident Response, Threat Intelligence, or Vulnerability Response.
Vulnerability Response Support [com.snc.security_support.vul] | Provides support functionality for use within the Vulnerability Response application.
To purchase a subscription, contact your account manager. After purchasing the subscription, activate the plugin within the production instance.
1. Navigate to System Definition > Plugins.
2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status.
4. If the plugin has optional features that are not functional because other plugins are inactive, those plugins are listed. A warning states that some files are not installed. If you want the optional features to be installed, cancel this activation, activate the necessary plugins, and then return to activating the plugin.
5. Optional: If available, select the Load demo data check box. Some plugins include demo data (sample records that are designed to illustrate plugin features for common use cases). Loading demo data is a good policy when you first activate the plugin on a development or test instance. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
6. Click Activate.
NVD and CWE data import
With Vulnerability Response, you can compare vulnerability data to CIs and software identified in the Asset Management module. The vulnerability data can be imported from internal and external sources, such as the NVD. You can also use CWE records downloaded from the CWE database for reference when deciding whether to escalate a vulnerability.
For detailed import instructions, see NVD and CWE updates on page 171.
Vulnerability calculators
Vulnerability calculators are used to update record values when pre-defined conditions are met. The calculators are grouped based on the criteria used to determine how the records are updated. All enabled vulnerability calculators in the Vulnerability Calculator Group run each time a vulnerable item is changed or when the Calculate Business Impact related link in a vulnerable item is used.
The Vulnerability Response base system includes the vulnerability calculator called Score and Service Based Impact. It is contained in a Vulnerability Calculator Group called Vulnerability Impact. Its purpose is to calculate the business criticality of a vulnerable item, based on the CVSS of the item and the criticality level of the most impacted business service. For more information on the CVSS, see the NVD website.

147
From an existing vulnerable item, if you click the Calculate Business Impact related link and Score and Service Based Impact is enabled, you get an on-demand calculation of the business criticality of the vulnerable item.
Note: The Calculate Business Impact related link is only visible when at least one vulnerability calculator is enabled.
Vulnerability calculators can prioritize and categorize vulnerabilities based on any custom criteria you want to use. For example, when the Score and Service Based Impact calculator is enabled, it prioritizes based on the importance of the business services relying on an affected CI. It is useful if the Business Services plugin is installed and Business impact is set to reflect your business priorities.
Calculators can be built to prioritize and rate the impact of Vulnerable Items based on any criteria you like, whether it is the business impact of the vulnerability, the class of the CI, or the age of the Vulnerable Item: a calculator can be written to reflect any set of priorities.
Note: The Score and Service Based Impact calculator is disabled by default.
How the Score and Service Based Impact calculator works
When a new vulnerable item is created, the Score and Service Based Impact calculator runs the following script (the extracted copy had its quotes and method casing stripped; they are restored here, and the script ends where the page's copy ends):

    // Collect the business services that depend on the CI linked to this vulnerable item
    var ciu = new global.CIUtils();
    var services = ciu.servicesAffectedByCI(current.cmdb_ci.toString());
    var hasSvc = false;
    if (services.length > 0) {
        var svc = new GlideRecord('cmdb_ci_service');
        svc.addQuery('sys_id', 'IN', services.join(','));
        svc.addNotNullQuery('busines_criticality'); // typo intended
        svc.orderBy('busines_criticality');          // '1 - ...' sorts first, so next() yields the most critical service
        svc.query();
        hasSvc = svc.next();
    }
    if (!hasSvc) {
        // Always set to lowest if there are no impacted services (or if none with criticality/impact set)
        current.business_criticality = 3; // lowest
    } else {
        var svcCritChoices = GlideChoiceList.getChoiceList('cmdb_ci_service', 'busines_criticality');
        var svcCritSize = svcCritChoices.getSize();
        var viCritChoices = GlideChoiceList.getChoiceList('sn_vul_vulnerable_item', 'business_criticality');
        var viCritSize = viCritChoices.getSize();
        var bc = svc.getValue('busines_criticality');
        var bcWeight = 0;
        // Weight the service criticality by its position in the choice list: first choice scores highest, last scores 0
        for (var i = 1; i <= svcCritSize; i++) {
            if (bc.startsWith(i))
                bcWeight = (svcCritSize - i) * 100 / svcCritSize;
        }
        // The remainder of the script (combining this weight with the CVSS score) is not reproduced on this page
    }

The script performs the following functions:
First, it creates a list of all CIs that are linked to the vulnerable item and any business services that are marked as depending on the CI.

148
It queries and gets results of services that have a business criticality (where criticality is not null), and orders them with the most critical ones first.
It gets the choice lists for the vulnerable item and business criticality fields.
If there are no business services in the list, the criticality is set to the lowest level.
If there are business services in the list, the business criticality for all services is calculated.
The weight of each vulnerable item is picked up from its CVSS score and is used to compute the new criticality.
When the computation is complete, the updated criticality is displayed in the Business impact field of the Vulnerable Item screen.
To prevent performance issues, when creating a calculator specify exactly when your calculator should or should not run. For example, when enabled, the Score and Service Based Impact calculator only runs when both a configuration item and a vulnerability are present and one of these items has changed. If neither has changed, there is no reason to assume that the severity has changed. This specification is important if you have a script-based calculator.
If you create a calculator that uses a condition that checks whether values have changed, those conditions are removed when you click the Calculate Business Impact related link: clicking the link is taken to mean that you want the calculator to run even though nothing has changed. If your calculator uses an Advanced condition, those conditions are not changed. For a script that only considers whether something changed when an item is updated, see the Score and Service Based Impact script as an example.
Create a vulnerability calculator
A vulnerability calculator is a pre-defined formula to calculate the severity of security incidents when certain criteria are met.
Allow the vulnerability admin to see values to apply to the template by providing full read and write (or save_as_template) capabilities on any table used by calculators.
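Before the form walkthrough, the following JavaScript is an added example (not ServiceNow code and not the calculator script itself): it re-implements the service-criticality weighting of the Score and Service Based Impact logic described above against constructed in-memory data, together with a changed-only run check of the kind the text recommends for script-based calculators, so the resulting numbers can be verified without an instance. The choice-list values, service records, CI-to-service map and the shouldRecalculate helper are assumptions; the step that combines the weight with the CVSS score is not shown on the page and is therefore left out.

```javascript
// Added example (not ServiceNow's code and not the calculator script itself): an offline
// model of the Score and Service Based Impact weighting so the numbers can be checked
// without an instance. The choice-list values, service records and CI-to-service map
// below are constructed; the CVSS combination step is not shown on the page and is omitted.

// Stand-in for GlideChoiceList.getChoiceList('cmdb_ci_service', 'busines_criticality'):
// the stored choice values, in choice-list order. The calculator matches on the leading digit.
const SERVICE_CRITICALITY_CHOICES = [
  '1 - most critical',
  '2 - somewhat critical',
  '3 - less critical',
  '4 - not critical',
];

// Constructed cmdb_ci_service records keyed by sys_id. A null criticality is what
// addNotNullQuery('busines_criticality') filters out.
const SERVICES = {
  svc_payroll: { name: 'Payroll', busines_criticality: '1 - most critical' },
  svc_wiki:    { name: 'Wiki',    busines_criticality: '3 - less critical' },
  svc_sandbox: { name: 'Sandbox', busines_criticality: null },
};

// Stand-in for new global.CIUtils().servicesAffectedByCI(ciSysId): a constructed map
// from a CI sys_id to the services that depend on it.
const CI_TO_SERVICES = {
  ci_web01:  ['svc_wiki', 'svc_payroll', 'svc_sandbox'],
  ci_lab07:  ['svc_sandbox'],
  ci_orphan: [],
};

// Value the calculator writes when no impacted service carries a criticality.
const LOWEST_CRITICALITY = 3;

// The weight loop from the calculator: for the i-th choice (1-based) of a list of
// `size` choices, weight = (size - i) * 100 / size. The first choice scores highest,
// the last scores 0. Because the loop assigns rather than breaks, the last matching
// index wins, so '10 - ...' is not mistaken for '1 - ...' on lists with ten or more choices.
function criticalityWeight(bc, choices) {
  const size = choices.length;
  let weight = 0;
  for (let i = 1; i <= size; i++) {
    if (bc.startsWith(String(i))) weight = (size - i) * 100 / size;
  }
  return weight;
}

// Reproduces the GlideRecord query: services for the CI, drop those without a
// criticality, order ascending by the stored value ('1 - ...' sorts first), and
// keep only the first row, exactly as svc.next() does after orderBy().
function mostCriticalService(ciSysId) {
  const ids = CI_TO_SERVICES[ciSysId] || [];
  const withCrit = ids
    .map(id => SERVICES[id])
    .filter(s => s && s.busines_criticality !== null);
  withCrit.sort((a, b) => a.busines_criticality.localeCompare(b.busines_criticality));
  return withCrit.length > 0 ? withCrit[0] : null;
}

// The calculator's decision for one vulnerable item's CI: no qualifying service means
// business_criticality is forced to the lowest level; otherwise the most critical
// service's weight is what the (unshown) CVSS step would combine.
function scoreAndServiceImpact(ciSysId) {
  const svc = mostCriticalService(ciSysId);
  if (svc === null) {
    return { hasService: false, businessCriticality: LOWEST_CRITICALITY, weight: null };
  }
  return {
    hasService: true,
    service: svc.name,
    weight: criticalityWeight(svc.busines_criticality, SERVICE_CRITICALITY_CHOICES),
  };
}

// Run condition the text recommends for a script-based calculator: run only when both
// a CI and a vulnerability are present and one of them changed since the previous
// version of the record. `force` models the Calculate Business Impact related link,
// which ignores the change check. (Hypothetical helper, not a ServiceNow API.)
function shouldRecalculate(previous, current, force) {
  if (!current.cmdb_ci || !current.vulnerability) return false;
  if (force) return true;
  return previous.cmdb_ci !== current.cmdb_ci ||
         previous.vulnerability !== current.vulnerability;
}

// Walk the constructed CIs so the example runs stand-alone.
for (const ci of Object.keys(CI_TO_SERVICES)) {
  console.log(ci, JSON.stringify(scoreAndServiceImpact(ci)));
}
```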
Roles required: sn_vul.vulnerability_admin.
1. Navigate to Vulnerability > Administration > Vulnerability Calculator Groups.
2. Click the name of the group for which you want to create a calculator, or create a new group and then create a calculator for that group using the following steps.
3. In the Vulnerability Calculators related list, click New.
4. Fill in the fields on the form, as appropriate.
Table 48: Vulnerability calculator form
Field | Description
Name | The name of the vulnerability calculator.
Calculator Group | Displays the group for which you are creating this calculator.

149
Field | Description
Table | Select the table to be used for this calculator. Note: When you add calculators to tables other than Vulnerability [sn_vul_vulnerability] or Vulnerable Item [sn_vul_vulnerable_item], add business rules and UI Actions to those tables. To see examples: Navigate to System Definition > Business Rules and locate the Calculate Criticality business rule on the Vulnerable Item [sn_vul_vulnerable_item] table. Navigate to System UI > UI Actions and locate the Calculate Criticality UI action on the Vulnerable Item [sn_vul_vulnerable_item] table.
Order | The order in which the vulnerability calculator is run. A calculator with an order entry of 100 runs before a calculator with an order entry of 200.
Active | Turn the calculator on or off.
Description | A description of this calculator.
5. Right-click the form header and select Save. Two tabs, Conditions and Values to Apply, appear.
6. Fill in the fields in the Conditions tab, as appropriate.
Field | Description
Use filter group | Select this check box to use a predefined filter group or create a new filter group to define the calculator criteria.
Filter group | Select the filter group to use for defining a calculator. This field appears only if you selected the Use filter group check box.
Use advanced condition | Select this check box to indicate that a script condition is used to determine when this calculator is applied. When you select the check box, an Advanced condition scripting field appears. Set the answer variable to true to apply the calculator. If you selected the Use filter group check box, this field is hidden. Note: Before you define advanced conditions and write scripts for determining when the security incident calculators are applied, return to the Vulnerability Calculators list and explore the vulnerability calculator records shipped with the base system.

150
Field | Description
Condition | Defines basic filter conditions for determining whether the calculator is used. If you selected either the Use filter group or the Use advanced condition check box, this field is hidden.
7. Click the Values to Apply tab and fill in the fields on the form, as appropriate. You have the choice of creating a script for defining the values to apply to the calculation or defining a template based on fields in the selected table.
Field | Description
Use script values | Select this check box to define field values with a script.
Script values | Defines what values to apply the calculations to. This field appears only if you selected the Use script values check box.
Template | Select the fields and values you want to use for the calculator.
8. Right-click the form header and select Save.
9. When you have completed all entries, click Submit.
Create a vulnerability calculator group
The Vulnerability Response base system includes one vulnerability calculator group: Vulnerability Criticality. As you create other calculators, you can add them to this group or create other groups and calculators. Within each group, the first calculator that matches the vulnerable item is run.
Role required: sn_vul.vulnerability_admin
Vulnerability calculator groups are used to group calculators based on how you want to use them.
1. Navigate to Vulnerability > Administration > Vulnerability Calculator Groups.
2. Click New.
3. Fill in the fields on the form, as appropriate.
Field | Description
Name | The name of the vulnerability calculator.
Application | The application that contains this record.
Order | The order in which the vulnerability calculator is run. A calculator with an order entry of 100 runs before a calculator with an order entry of 200.
Description | A description of this calculator group.
4. Click Submit.
Vulnerability integration definitions
Vulnerability integrations help enrich the vulnerability data on your instance by retrieving data from external systems and vendors.
Vulnerability Response includes some integrations, including the Qualys Vulnerability Integration and the Microsoft Security Bulletin Integration. You can add others as needed.

151
For detailed instructions on creating integrations, see Define a new vulnerability integration on page 177.
Add users to the Vulnerability Response group
When the Request Review feature is used to ignore or close a vulnerable item without requiring a scan, the Vulnerability Response group is notified to approve or reject the request.
Role required: admin
1. Navigate to User Administration > Groups.
2. Open the Vulnerability Response group.
3. Click the Group Members related list and add the appropriate members to the group.
Define Vulnerability Response email notifications
Email notifications can be useful when NVD records are uploaded so that analysts are informed when new records have been imported. Creating an email notification involves specifying when to send it, who receives it, and what it contains.
Role required: sn_vul.vulnerability_admin
1. Navigate to Vulnerability > Administration > Templates.
2. Click New.
For detailed instructions for creating email notifications, see Create an email notification.
Define Vulnerability Response email templates
Creating an email notification involves specifying when to send it, who receives it, and what it contains.
Role required: sn_vul.vulnerability_admin
1. Navigate to Vulnerability > Administration > Templates.
2. Click New.
For detailed instructions for creating email templates, see Construct an email message with a template.
Create a Vulnerability Response SLA
To ensure that vulnerabilities are processed correctly, you can define a Service Level Agreement (SLA) for Vulnerability Response.
Role required: sn_vul.vulnerability_admin
1. Navigate to Vulnerability > Administration > SLA Definitions.
2. Click New.
For detailed instructions, see Create an SLA definition.
Vulnerability Response monitoring
The Vulnerability Response overview provides several useful reports and charts. Vulnerability significance charts can be added as needed. You can also return Vulnerability Response-related information using the global search feature.

Vulnerability Response overview

The Vulnerability Response homepage provides an executive view into vulnerabilities and vulnerable items, helping security staff pinpoint areas of concern quickly. When the Vulnerability Analytics plugin is activated, users with certain roles can view data of interest to the Chief Information Security Officer (CISO).

In each chart, you can point to any part of the chart (bar, pie, data point, and so on) to view general data specific to that part, as shown. If you click any part of a report, a list opens to provide detailed information.

Table 49: Vulnerability Overview reports

Name | Visual | Description
Open Vulnerable Items by CI | Bar | Displays the number of open vulnerable items recorded for each CI, from most to least.
Open Vulnerable Items by Vulnerability | Bar | Displays the number of open vulnerable items associated with vulnerabilities (CVE records), from most to least.
Ignored Vulnerable Items Expiring This Week | Bar | Displays the number of ignored vulnerable items scheduled to be reactivated within 7 days.
Vulnerabilities by Week | Trend | Displays the number of vulnerability entries recorded each week.
Vulnerabilities by Model | Bar | Displays the number of vulnerable items recorded for each model, from most to least.
Vulnerabilities by Publisher | Bar | Displays the number of vulnerable items recorded for each publisher, from most to least.
Most Vulnerable Models | Donut | Displays models with the most vulnerable items.
Most Vulnerable Publishers | Donut | Displays publishers with the most vulnerable items.
Vulnerabilities by Impact | Bar | Displays the number of vulnerability entries for impacted network types.
Vulnerabilities by Score | Bar | Displays the number of vulnerability entries by vulnerability score.
Most Vulnerable CIs | Donut | Displays CIs with the most vulnerable items.
Most Vulnerable CIs by Class | Donut | Displays CIs with the most vulnerable items, categorized by class.
Reopened Vulnerable Items | List | Lists the age of reopened vulnerable items.
Vulnerable Item Age | List | Lists the number of days since vulnerable items were last opened.
CIs with Vulnerability by Date | List | Lists configuration items that have been scanned within the last 30 days.
CIs not Scanned | List | Lists configuration items that have never been scanned for vulnerabilities.
New Vulnerable Items | List | Lists all new vulnerable items identified within the last 30 days.

Add vulnerability significance charts to the Vulnerability Response homepage

You can add vulnerability significance definition charts and other visualizations to the Overview.

Role required: sn_vul.vulnerability_admin

The Vulnerability Analytics plugin must be activated.

1. Navigate to Vulnerability > Overview. Some reports are added to the homepage by default. For more information about these reports, see Vulnerability Response overview on page 152.
2. Near the homepage header, click Add content to open the dialog box to add more reports.
3. From the lists in the Add content dialog box, select options to display either the Vulnerability Significance treemap or report.

Content | Options
Vulnerability Significance treemap | Treemap > Vulnerability Significance > Vulnerability Significance
Vulnerability Significance score report | Performance Analytics > Score > Services with Vulnerability Significance

4. Click the location on the screen where you want to add the gauge.
5. Close the Add content box.

Vulnerability Explorer

The Vulnerability Response Explorer provides a graphical view into vulnerable item activity, allowing an administrator or analyst to quickly pinpoint areas of concern. The Vulnerability Response Explorer homepage displays vulnerability information that is tailored to the role of the user.

Note: When the Vulnerability Analytics plugin is activated, you can use interactive filters on the dashboard version. See Vulnerability Explorer dashboard.

You can point to any part of a chart (bar, pie, data point, heatmap, and so on) to view general data specific to that part. See the following image. If you click any part of a report, a list opens to provide detailed information.


Vulnerability Explorer homepage

The Vulnerability Explorer contains the following reports.

Table 50: Vulnerability Explorer reports

Name | Visual | Description
Vulnerabilities | Single Score | Total number of vulnerabilities that match the areas shown.
Vulnerability by CWE | Bar chart | The number of vulnerable items from the Common Weakness Enumeration (CWE) list.
Exploitation Complexity over Attack Vector | Heatmap | The number of vulnerable items per access complexity and access vector.
Vulnerable States vs Business Service Criticality | Bar chart | The number of vulnerable items within each state for each criticality level.
Vulnerability Map | Map | Vulnerable item data by geographical location. The world map is highlighted in every area in which a vulnerability occurs. The map allows you to drill down to vulnerable item information by location.

Vulnerability Explorer dashboard

The Vulnerability Explorer dashboard displays the same security incident information as the homepage. You can point to any part of a chart (bar, pie, data point, heatmap, and so on) to view general data specific to that part. Interactive filters allow you to customize your view. See the following image. If you click any part of a report, a list opens to provide detailed information.


Table 51: Vulnerability Explorer filters

[Optional] These filters are only available when the Security Incident Analytics plugin is activated.

Name | Visual | Description
CVE Identifier | Drop-down menu | Provides real-time filtering based on CVE Identifier.
Vulnerability Active | Radio button | Provides real-time filtering based on whether the vulnerability is active.
Vulnerability Business Criticality | Check box | Provides real-time filtering based on business criticality.

Access Vulnerability Explorer

You can point to any part of a chart (bar, pie, data point, heatmap, and so on) to view general data specific to that part. See the following image. If you click any part of a report, a list opens to provide detailed information.

Role required: For homepage and dashboard, sn_vul_admin (to write) and sn_vul_vulnerability_read (to read).

1. Navigate to Self-Service > Homepage, or navigate to Self-Service > Dashboards.
2. Choose Vulnerability Explorer from the reports list.

Vulnerability groups

Vulnerability groups are used to group vulnerable items based on vulnerability, vulnerable item conditions, or filter group.

Notes on vulnerability groups

- Vulnerable items can belong to more than one vulnerability group.
- When updating the state of a vulnerability group, associated vulnerable items that have not already had their state updated by another vulnerability group are updated to match this vulnerability group.
- If a state change on a vulnerability group requires an approval, the group and all associated vulnerable items that have not already been updated by a different vulnerability group are put in the In Review state.
- If a state change for a vulnerability group is approved, all associated vulnerable items in the In Review state are updated to reflect this change.

- If a state change for a vulnerability group is rejected, the group is reverted to its prior state. All associated vulnerable items not covered by the In Review state of other vulnerability groups revert to their prior states.
- When Automatically refresh vulnerable items is checked, vulnerable items are added to the group as they are created or updated and matched to the vulnerability group criteria.
- When the Refresh associated vulnerable items related link is clicked on the Vulnerability Group page, vulnerable items are inspected to see whether any additional vulnerable items belong to this group. This inspection is done regardless of the status of the Automatically refresh vulnerable items check box.

When it is determined that a new vulnerable item can be added to a group, the following occurs:

- The vulnerable item is included in the Associated Vulnerable Items list of the vulnerability group. Conversely, the vulnerability group appears in the Associated Vulnerability Group list of the vulnerable item.
- If the vulnerability group is marked as Closed or Ignored with a non-fixed substate (such as False Positive, Risk Accepted, or Irrelevant), vulnerable items that are added to the group have their state updated to match the vulnerability group.
- If the vulnerability group is marked as Closed or Fixed and the vulnerable item being added is not itself Closed or Fixed, the vulnerable item state does not change, and the vulnerability group state is changed to Open.

Create a vulnerability group

Vulnerability groups are used to group vulnerable items based on vulnerability, vulnerable item conditions, or filter group.

Role required: sn_vul.vulnerability_write

If the system property sn_vul.autocreate_vul_centric_group is set to true, each vulnerability entry with a vulnerable item creates a group associated with it. If it is set to false, groups are created manually.

1. Navigate to Vulnerability > Vulnerabilities > Vulnerability Groups.
2. Click New.

3. Fill in the fields on the form, as appropriate.

Field | Description
Number | The automatically generated number for this record.
Priority | Select the priority for the group. The priority determines the sequence in which the vulnerability is addressed, based on its impact and urgency.
Change approval | Automatically displays the change approval currently used for this vulnerability group.
State | This field defaults to New, but you can change it to Analysis if the group is ready for immediate remediation.
Substate | This field provides additional details when a vulnerability is marked as Closed or Ignored: for example, whether the vulnerability was fixed, or whether it is a non-fixed closure such as False Positive, Risk Accepted, or Irrelevant.
Assignment group | Select the group to work this vulnerability group.
Assigned to | Select the individual from the selected assignment group who works this vulnerability group.
Short description | Brief description of this vulnerability group.
Description | A description of this vulnerability group.

Group Configuration: associates filters, CI groups, and vulnerabilities with this group.

Field | Description
Filter type | Select the type of filtering you want to use to select vulnerabilities for the group. Vulnerability (chosen by default) is the simplest form and creates groups by vulnerability; choose a vulnerability. Condition lets you define your own criteria for grouping (for example, Priority = High and Asset class = Server); for more information, see Condition builder. Filter group is reusable across multiple features; for more information, see Create and define filter groups on page 404.
Vulnerability | Add a vulnerability entry. Any vulnerable item that contains this vulnerability is included in this group. This field displays only if you selected Vulnerability from the Filter type choice list.
Vulnerable item table | Displays the Vulnerable Item [sn_vul_vulnerable_item] table.
Vulnerable item condition | Define conditions that must be true for a vulnerable item to be included in this group. This field displays only if you selected Condition from the Filter type choice list.
Filter group | Select or create a filter group to match vulnerable items to this group. This field displays only if you selected Filter group from the Filter type choice list.
Automatically refresh vulnerable items | When checked, vulnerable items are automatically evaluated against this vulnerability group when vulnerable items are added or updated.

Notes

Field | Description
Additional comments (Customer visible) | Customer-visible comments about the group.
Work notes | Work notes for this group. Updates are recorded here. If a work note is added to a vulnerability group, a work note is added to the associated vulnerable items of that group. If a work note is added to a vulnerable item, a work note is added to the associated vulnerability groups of that item.

Note: After a vulnerability is added to the group, the Vulnerability Details tab appears.

4. Click Submit.

When the group is created, the Associated Vulnerable Items related list displays all matching vulnerable items.

An Associated Vulnerability Group entry also appears in the related list of a vulnerable item.
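The group rules above (shared membership, the In Review approval step, reverting on rejection, manual versus automatic refresh, and the Closed/Ignored join rules), as an added example that is not part of this documentation or of ServiceNow's own code: a stand-alone JavaScript model in which the record shapes, the function names and the claimedBy bookkeeping for In Review items are assumptions made for illustration.

```javascript
// Added example, not ServiceNow code: an in-memory model of the vulnerability
// group rules above. Record shapes, function names and the claimedBy field that
// marks which group put an item In Review are assumptions for illustration.

function makeItem(id, state, substate) {
  return { id: id, state: state, substate: substate || null, priorState: null,
           claimedBy: null, groups: [] };
}

// matches stands in for the group's criteria (vulnerability, condition or
// filter group), reduced to a predicate over a vulnerable item.
function makeGroup(id, state, substate, autoRefresh, matches) {
  return { id: id, state: state, substate: substate || null, priorState: null,
           pending: null, autoRefresh: autoRefresh, matches: matches, items: [] };
}

// Join rules: an item may belong to several groups; a Closed/Ignored group with
// a non-fixed substate pushes its state onto the new item, while a Closed/Fixed
// group that receives an unfixed item is reopened instead.
function addItemToGroup(group, item) {
  if (group.items.indexOf(item) !== -1) return false;
  group.items.push(item);
  item.groups.push(group.id);
  var nonFixed = group.state === 'Ignored' ||
                 (group.state === 'Closed' && group.substate !== 'Fixed');
  if (nonFixed) {
    item.state = group.state;
    item.substate = group.substate;
  } else if (group.state === 'Closed' && item.state !== 'Closed') {
    group.state = 'Open';
    group.substate = null;
  }
  return true;
}

// Refresh associated vulnerable items ignores the Automatically refresh check
// box; the create/update path honours it. Both return the count of items added.
function refreshGroup(group, candidates) {
  return candidates.filter(group.matches)
                   .filter(function (i) { return addItemToGroup(group, i); }).length;
}
function onItemCreatedOrUpdated(groups, item) {
  return groups.filter(function (g) {
    return g.autoRefresh && g.matches(item) && addItemToGroup(g, item);
  }).length;
}

// Items already placed In Review by another group are left alone.
function requestGroupStateChange(group, state, substate, approvalRequired) {
  var affected = group.items.filter(function (i) {
    return i.claimedBy === null || i.claimedBy === group.id;
  });
  if (!approvalRequired) {
    group.state = state; group.substate = substate || null;
    affected.forEach(function (i) { i.state = state; i.substate = substate || null; });
    return affected.length;
  }
  group.priorState = group.state;
  group.pending = { state: state, substate: substate || null };
  group.state = 'In Review';
  affected.forEach(function (i) {
    i.priorState = i.state; i.state = 'In Review'; i.claimedBy = group.id;
  });
  return affected.length;
}

// Approval applies the pending state to the group and the items it put In
// Review; rejection reverts both to their prior states.
function decideGroupStateChange(group, approved) {
  var mine = group.items.filter(function (i) { return i.claimedBy === group.id; });
  group.state = approved ? group.pending.state : group.priorState;
  if (approved) group.substate = group.pending.substate;
  mine.forEach(function (i) {
    i.state = approved ? group.state : i.priorState;
    if (approved) i.substate = group.substate;
    i.claimedBy = null; i.priorState = null;
  });
  group.pending = null; group.priorState = null;
  return mine.length;
}

// Constructed walk-through: two groups sharing one vulnerable item.
function groupDemo() {
  var shared = makeItem('VIT1', 'Analysis'), only2 = makeItem('VIT2', 'New');
  var g1 = makeGroup('VG1', 'Analysis', null, true, function (i) { return i.id === 'VIT1'; });
  var g2 = makeGroup('VG2', 'New', null, false, function () { return true; });
  onItemCreatedOrUpdated([g1, g2], shared);          // only g1 auto-refreshes
  refreshGroup(g2, [shared, only2]);                 // explicit refresh ignores the flag
  requestGroupStateChange(g1, 'Closed', 'Fixed', true);  // VIT1 goes In Review for VG1
  var touched = requestGroupStateChange(g2, 'Ignored', 'Risk Accepted', true); // skips VIT1
  decideGroupStateChange(g1, false);                 // rejected: VG1 and VIT1 revert
  decideGroupStateChange(g2, true);                  // approved: VIT2 becomes Ignored
  return { g1: g1.state, g2: g2.state, shared: shared.state, only2: only2.state,
           touchedByG2: touched, sharedGroups: shared.groups.length };
}
```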

Vulnerabilities in the software of configuration items

With Vulnerability Response, compare vulnerability-related data pulled from internal and external sources to vulnerable resources and software identified in the Software Asset module. If a vulnerability is found in an asset, escalate it by creating change requests, problem records, and security incident records (if Security Incident Response is activated). Manage vulnerable items individually, grouped by the vulnerability, or grouped by CI.

Each vulnerability is represented by a vulnerability entry in the library, from the NVD or a third-party source. Use Common Weakness Enumeration (CWE) records downloaded from the CWE database for reference when deciding whether a vulnerability must be escalated. Each CWE record also includes an associated knowledge article that describes the weakness. You cannot escalate a vulnerability from the Common Weakness Enumerations page. This page is for reference only.

Identify vulnerable items

When CVE-ID records are downloaded from the NIST NVD, they are compared to the software in your company network as identified by the Software Asset discovery model. When a CVE-ID matches vulnerable software or CIs in your network, a vulnerable item is created. You use the information in the CVE-ID record to decide whether to escalate the vulnerable item for remediation.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Libraries > NVD.

2. A list of Common Vulnerabilities and Exposures (CVE) IDs that were downloaded from the NVD is shown. Updates from the NVD can be performed on demand or using a scheduled job. Click a CVE record to view the following information:
- a summary for the CVE-ID.
- a reference to a Common Weakness Enumeration (CWE) entry, if applicable.
- the vulnerability score of the CVE-ID on the Common Vulnerability Scoring System (CVSS). For more information on the CVSS, see the National Vulnerability Database website.
3. Click the following related lists to get more information for identifying vulnerabilities.

Related list | Description
Vulnerable Items | Lists any vulnerable items. These items are records created by matching vulnerability entries downloaded from the NIST NVD with vulnerable software or CIs in your network. For more information about a vulnerable item, click the information icon. Note: If software in your network is reported as being removed or patched to remediate a vulnerability, any associated vulnerable items are closed and removed from the Vulnerable Items related list.
Vulnerable Software | Lists the vulnerable software returned from the NVD. You can use this information to match the NVD software to your Software Asset Management discovery model. For more information, see Identify and escalate security issues in vulnerable software on page 165.
Vulnerability References | Lists vulnerability reference information for the selected CVE record.

If vulnerabilities were identified and vulnerable items were created, you can remediate them, as needed.

Identify and escalate security issues in vulnerable software

With Vulnerability Response, view software vulnerabilities returned from NIST National Vulnerability Database (NVD) entries. Then use this information to match the software entries to a Software Asset Management discovery model.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Libraries > Vulnerable Software. A list of vulnerable software downloaded from the NVD is shown.
2. Click a software record to view vulnerability information.
3. Click the following related lists to get more information for identifying vulnerabilities.

Related list | Description
Vulnerable Items | Lists any vulnerable items, which consist of pairings of potentially vulnerable CIs and software. To get more information about a pairing, click the information icon. Note: If software is removed, any associated vulnerable items are closed and removed from the Vulnerable Items related list.
Vulnerability Entries | Lists vulnerability entries for the selected software record. Click a record to view its details.

Use discovery models to match software with vulnerabilities

A discovery model is a software model associated with a customer software installation. If your instance uses Software Asset Management or Discovery to search for vulnerable software, you can use discovery models in Vulnerability Response to match software with vulnerable items.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Libraries > Vulnerable Software. A list of vulnerable software downloaded from the NVD is shown.
2. Click a vulnerable software record to open it.
3. Click the Match discovery model related link. A Possible Software Discovery Model pop-up window displays a possible match for the software.

4. If the suggestion is correct, click the software name. If the suggestion is not correct, close the pop-up window, click the magnifying glass (list) icon on the Software discovery match field, and select a discovery model.
5. Click Confirm Model Auto-Match to confirm that the correct discovery model has been selected.
6. Click Update to save the record.

Note: You can also select discovery models for multiple records from the Vulnerable Software list. Select the check boxes for the records you want to match to a discovery model, then select Match discovery model from the Actions on selected rows choice list. If you match discovery models from the list, review each matched discovery model to ensure that it is correct. To confirm that a discovery model is correct, open the record where the model was matched, then click the Confirm Model Auto-Match link at the bottom of the form. As each record is confirmed, the Auto-Matched Discovery Model and Auto-Match Confirmed check boxes are selected. The Vulnerable Items related list displays the vulnerable items discovered for this software.

Remediate vulnerabilities

The flexibility inherent to Vulnerability Response allows you to remediate vulnerabilities in whatever way suits your security organization. You can work with vulnerable items directly or from vulnerability records.

Role required: sn_vul.vulnerability_write

1. To view a list of all vulnerabilities, navigate to Vulnerability > Vulnerabilities > All Vulnerabilities.
Note: You can also navigate directly to vulnerable items via Vulnerability > Vulnerabilities > All Vulnerable Items.
2. Click a vulnerability record (VUL) that is in the New state. The New state indicates that the record has not yet been worked on. The form displays:
- a reference to a Common Weakness Enumeration (CWE) entry, if applicable.
- summary information for the vulnerability.
- the vulnerability score of the vulnerability using the Common Vulnerability Scoring System (CVSS). For more information on the CVSS, see the National Vulnerability Database website.
3. To view vulnerable item records (VIT) contained in this vulnerability, scroll down to the Vulnerable Items related list.
4. When you are ready to start working on the record, change the State field to Analysis.
5. Perform whatever tests or analysis you want on the vulnerabilities.
6. To escalate the vulnerability to another team, or to view and add information on impacted business services to a vulnerable item, you have the following options.

Option | Step
If the vulnerable item poses a risk to your IT environment, create a CHG record and escalate the issue to the Change Management team. | Click Create Change.
If the vulnerable item causes an error in the IT infrastructure, create a PRB record and escalate the issue to the Problem Management team. | Click Create Problem.

If the vulnerable item poses a potential security risk to your organization, create a security incident record and escalate the issue to the Security Incident Response (on page 5) team. | Click Create Security Incident. This button is displayed when Security Incident Response is activated.
If you are working on a vulnerable item, you can view and add business services impacted by the vulnerable item. | On the Vulnerable Item form, click the Impacted Services related list. If an affected CI associated with the vulnerable item is added or updated, information in this related list is automatically updated when the record is saved. Note: You can also right-click in the form header and select Refresh Impacted Services.

After you create a change request, problem record, or security incident, the appropriate record appears in the Tasks related list on the Vulnerable Item form. You can view SLAs associated with the vulnerability in the Task SLAs related list.

7. If you determine that the issue is a low priority and can either be deferred or immediately closed without further analysis, click Close Item. For instructions, see Close or ignore a vulnerability on page 169.
8. If you have set up a third-party integration and a scheduled job that automatically updates and scans records at a set interval, the vulnerabilities are scanned at the next scheduled date and time. Alternatively, you can manually initiate a vulnerability scan. If the scan again returns the vulnerability, the VUL record returns to the Analysis state. If the vulnerability is not found, the VIT transitions to the Closed state.

Close or ignore a vulnerability

If you determine that a vulnerability is a low priority and can either be deferred or immediately closed without further analysis, close or ignore the vulnerability.

The sn_vul.vulnerable_item.approval_required property determines whether an approval request is sent to members of the Vulnerability Response group when a vulnerability is closed or ignored. If you do not want to require approval, deactivate this property.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Vulnerabilities and open the vulnerability (VUL) record you want to close or ignore.
2. Click Close/Ignore.
3. Fill in the fields on the form, as appropriate.

Field | Description
Desired State | Select Ignored or Closed.
Until | If you selected Ignored as the desired state, select the date and time when the Ignored state expires and the vulnerability and all its vulnerable items are reactivated.
Substate | Select the reason that best applies for ignoring or closing the issue.

Close now? | If you selected Closed as the desired state and Fixed as the substate, select one of the following options. Wait for confirmation from next scan sets the vulnerability and its items to a closed, pending confirmation state. Close vulnerabilities now, reopen if found sets the vulnerability and its vulnerable items to a closed, fixed state; it reopens if a later scan again finds any of the vulnerable items.
Reason | Provide more reasons for ignoring or closing the issue.

4. Click Submit.

Depending on how the sn_vul.vulnerable_item.approval_required system property was set and the action taken, the following results occur.

Property setting | Result
Active | The State of the vulnerability changes to In Review. An email notification is sent to the members of the Vulnerability Response group for approval.
  When a member of the group approves the request:
  - The State changes to Ignored or Closed, as requested.
  - The Substate changes to the requested value and is read-only.
  - The fields in the Ignore/Close section are filled and set to read-only.
  - The Notes section indicates the change.
  When a member of the group rejects the request:
  - The State changes to Analysis.
  - The Desired fields are reset.
  - The Notes section indicates the rejection.
Inactive | The State of the vulnerability and all its vulnerable items changes to Ignored or Closed, as requested. The fields in the Ignore/Close section are filled and set to read-only. The Notes related list indicates the change.

Note: If the state of a vulnerability is changed to Ignored and vulnerable CIs are subsequently added to that vulnerability, notifications are still generated, so that systems with vulnerabilities are not overlooked.

NVD common weakness enumeration

You can use Common Weakness Enumeration (CWE) records downloaded from the CWE database for reference when deciding whether a vulnerability must be escalated.

Each CWE record also includes an associated knowledge article that describes the weakness. You cannot escalate a vulnerability from the Common Weakness Enumerations page. This page is for reference only.

NVD and CWE updates

You can update NVD records on demand or configure a scheduled job to update them regularly. For CWE records, you can configure a scheduled job to update them.

Update NVD on demand

You can update NVD repositories selectively.

Role required: sn_vul.vulnerability_read

1. Navigate to Vulnerability > Administration > On-Demand Update.
2. Select the check boxes for the repositories you want to update.
3. Click Import. The Total entries, Last refreshed date, and Last import fields are updated.

You can also configure a scheduled job to schedule updates. For example, the scheduled job could update the NVD records every Monday at 01:00.

Configure the scheduled job for updating NVD records

Identify the repositories that you want updated regularly, and then execute a scheduled job to update NVD records on a nightly or weekly basis. You can also update the script or write your own scripts, as needed. If the NVD data feed you want to use for the scheduled job is not present, you can add it.

Roles required:
- If you have the admin role, you can add repositories to the scheduled job.
- If you have sn_vul.vulnerability_read, you can execute the scheduled job.
- If you have sn_vul.vulnerability_write, you can edit the details of the scheduled job.

1. Navigate to Vulnerability > Administration > NVD Auto-Update.
2. For each NVD repository that you want to update automatically, change the Automatically update field to true.
3. Navigate to Vulnerability > Administration > Integrations.
4. Select the NIST National Vulnerability Database scheduled job.
5. Modify the fields as needed.

Table 52: Vulnerability Integration form

Field | Description
Name | The name of the scheduled job.
Active | Whether the scheduled job is active. If you have previously set up this job and then decided to use a different integration, you can uncheck this box to deactivate the job.

Run | The frequency you want the job to run. Subsequent fields are displayed or hidden based on your setting in this field.
Day | The day you want the scheduled job to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month.
Time | The time you want the scheduled job to start.
Integration script | The script for pulling data from the data sources in the Data Sources related list.
Application | [Read only] The name of the application for which you are running the scheduled job.
Repeat Interval | The number of days and hours before the scheduled job runs again. This field appears when Periodically is selected from the Run list.
Starting | The date and time to start the periodic updates. This field appears when Periodically is selected from the Run list.
Conditional | The check box to add conditional parameters.
Condition | The conditions to run the scheduled job. This field appears when the Conditional check box is selected.
Report processor strategy | The strategy for pulling data and processing the scheduled job. If you have identified data sources and added them to the Data Sources related list, select Data Source Attachment to pull data from the data sources using the script in the Integration script field. To select a custom processor in the Report processor field, select Custom Report Processor.
Report processor | The script to execute when the scheduled job runs. This field appears when Custom Report Processor is selected in the Report processor strategy list.

Processor factory script | The script to build the report processor. This field appears when Custom Report Processor is selected in the Report processor strategy list.

6. To save your changes, click Update.
7. To run the scheduled job immediately, click Execute Now.

Note: When the scheduled job runs and new records are downloaded from the NVD, an email notification is sent to the members of the Vulnerability Response group.

Configure the scheduled job for updating CWE records

Common weakness records can be updated from the Common Weakness Enumeration database on a regularly scheduled basis. You can also update the script or write your own scripts, as needed.

Roles required:
- If you have the admin role, you can add repositories to the scheduled job.
- If you have sn_vul.vulnerability_read, you can execute the scheduled job.
- If you have sn_vul.vulnerability_write, you can edit the details of the scheduled job.

1. Navigate to Vulnerability > Administration > Integrations.
2. Select the CWE Comprehensive 2000 Integration scheduled job.
3. Modify the fields as needed.

Table 53: Vulnerability Integration form

Field | Description
Name | The name of the scheduled job.
Active | Whether the scheduled job is currently active. If you do not want the job to run for a specific time period, you can set up the parameters you want to use and deactivate the job.
Run | The frequency you want the job to run. Subsequent fields are displayed or hidden based on your setting in this field.
Day | The day you want the scheduled job to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month.
Time | The time you want the scheduled job to start.

Integration script | The script for pulling data from the data sources specified in the Data Sources related list.
Application | [Read only] The name of the application for which you are running the scheduled job.
Repeat Interval | The number of days and hours before the scheduled job runs again. This field appears when Periodically is selected in the Run list.
Starting | The date and time to start the periodic updates. This field appears when Periodically is selected in the Run list.
Conditional | The check box to add conditional parameters.
Condition | The conditions to run the scheduled job. This field appears when the Conditional check box is selected.
Report processor strategy | The strategy for pulling data and processing the scheduled job. To pull data from the data sources in the Data Sources related list using the script in the Integration script field, select Data Source Attachment. To select a custom processor in the Report processor field, select Custom Report Processor.
Report processor | The script to be executed when the scheduled job runs. This field appears when Custom Report Processor is selected in the Report processor strategy list.
Processor factory script | The script to build the report processor. This field appears when Custom Report Processor is selected in the Report processor strategy list.

4. To save your changes, click Update.
5. To run the scheduled job immediately, click Execute Now.

As needed, you can view the vulnerability scan queue (see View the vulnerability scan queue on page 191) to follow the progress of the data import.

Configure notifications for NVD auto-updates

You can configure notifications to be sent to interested parties, such as the Vulnerability Response group, when CVE records are updated. You can use the pre-configured notification included with the base system or modify it to better suit your needs.

If you want, you can create an email template with rich HTML formatting. This is optional, but it can make the creation of future notifications easier.

Role required: admin

1. Navigate to Vulnerability > Administration > Notifications.
2. Open the New CVEs available notification record. The notification is pre-configured to automatically send notifications to the Vulnerability Response group whenever new CVE items are downloaded from the NVD. The message text is populated using the new.cves.available template.
3. Modify the fields as needed.

Add new NVD data feeds

If NVD releases a new annual, modified, or recent feed, you can add it to your instance as needed.

Role required: sn_vul.vulnerability_admin

1. Navigate to Vulnerability > Administration > NVD Auto-Update.
2. Click New.
3. Fill in the fields, as needed.

Table 54: NVD Data Feeds form

Field | Description
Display name | Enter the name for the data feed.
Total entries | This field is auto-filled with the total number of entries imported when this NVD data feed is updated.
Last refreshed | This field is auto-filled with the date of the last import when this NVD data feed is updated.
State | This field is auto-filled when this NVD data feed is updated.
Percent complete | This field is auto-filled with the percentage of the import completed when this NVD data feed is updated.
Automatically update | Select this check box to enable automatic updates of this data feed based on the scheduled job.
URL | Enter the URL for the data feed. For example: nvdcve xml.zip.

4. Click Submit.

SAM NVD vulnerability detection

Software Asset Management (SAM), working with discovery tools, creates records listing installed software within your network. The National Vulnerability Database (NVD) information indicates which versions of

176 software have known vulnerabilities. SAM NVD vulnerability detection combines this information to track Vulnerabilities within your system. Start with a limited subset of vital configuration items and high priority vulnerabilities. Use the filters to select only those CIs or vulnerabilities you want to monitor for vulnerabilities. Otherwise, every CI and vulnerability in your system is included in the scan. The following business rules have been created or updated with the new settings. Table 55: Business rules changes and additions Business rule Insert vulnerable item Updated to run only when SAM NVD vulnerability detection is enabled and adheres to any CI and Vulnerability filters. [cmdb_sam_sw_install] Determine vulnerable items [sn_vul_software] Store values to system properties [sn_vul_sam_config] SAM+NVD settings update [sn_vul_sam_config] Updated to run only when SAM NVD is enabled and adheres to any CI and Vulnerability filters. Saves configuration from the Configure SAM NVD module to System Properties. Rechecks for vulnerable items when Configure SAM NVD settings are updated. Enable or disable SAM NVD vulnerability detection When SAM NVD vulnerability detection is enabled, existing software assets are compared to the NVD database. Vulnerable Items are created to track any vulnerabilities found in your system. Use the filters to limit the vulnerabilities and configuration items to scan. Vulnerable items are rechecked whenever these settings are updated. Role required: sn_vul.admin 1. Navigate to Vulnerability > Administration > Configure SAM NVD. Note: Detect vulnerabilities using SAM data is checked (on) by default for an upgrade where Vulnerability Response plugin is installed. In new installations, the default is unchecked and automatic detection is off Check or uncheck Detect vulnerabilities using SAM data as appropriate. Create CI or Vulnerability Filters. 
Note: Filters are needed after a new installation, when Detect vulnerabilities using SAM data is checked, unless you want every CI and vulnerability in your system included in the scan. Changing filters does not impact existing vulnerable items. A rescan only creates vulnerable items based on changes to the filters. 176

177 4. Click Save and Create Vulnerable Items. Vulnerability integrations Vulnerability integrations provide the ability for customers and vendors to enrich the vulnerability data on their instance by retrieving data from external systems and vendors. This ability can simplify the vulnerability remediation life cycle by keeping the instance synchronized with other vulnerability management systems. Define a new vulnerability integration A vulnerability integration is a process that pulls report data from a third-party system, generally to retrieve vulnerability data, and process that reporting data using data sources or a custom processor. Role required: sn_vul.vulnerability_admin Navigate to Vulnerability > Administration > Integrations. Click New. Fill in the fields, as needed. 177

Table 56: Vulnerability integration

Name: A descriptive name for the integration.
Active: Whether the integration is currently active. If you do not want it to run for a specific time period, you can set up the parameters you want to use and deactivate the job.
Run: The frequency you want the integration to run: Daily, Weekly, Periodically, and so on. Subsequent fields are displayed or hidden based on your setting in this field.
Day: The day you want the integration to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month.
Time: The time you want the integration to start. This field appears only if you selected Daily, Weekly, or Monthly in the Run field.
Application: [Read only] The name of the application for which this integration was created.
Repeat Interval: If you selected Periodically in the Run field, this field displays the number of days and hours before the integration runs again.
Starting: If you selected Periodically in the Run field, this field displays the date and time to be used as the starting point for periodic updates.
Conditional: Select this field if you want to add conditional parameters.
Condition: If you selected the Conditional check box, enter the conditions here.

Integration Details

Integration script: Select the script include that extends VulnerabilityIntegrationBase to be executed when the integration runs. This script defines how to retrieve data from a third-party system.
Integration factory script: Enter a script that defines how to construct the script include selected for the Integration script.
Report processor strategy: Select the strategy you want to use to handle the data returned by the integration script when the integration runs. Select Data Source Attachment if you want to process data using a data source. Select Custom Report Processor to select a custom processor.
Report processor: If you selected Custom Report Processor in the Report processor strategy field, select the script include that extends the VulnerabilityReportProcessorBase script include to be executed when the integration runs. This script defines how to process the data returned by the integration script.
Processor factory script: Enter a script that defines how to construct the script include selected for the Report processor.

4. Click Submit.

Vulnerability integration script

On the Vulnerability Integration form, the integration script is a reference to a script include that extends the VulnerabilityIntegrationBase script include. The functionality contained in this script is called by the VulnerabilityIntegrationController to manage the means by which data is retrieved from an external data source.

Each subclass of VulnerabilityIntegrationBase has access to contextual information about the calling process. That information is available through the following member variables:

integrationGr: a GlideRecord of the vulnerability integration record that requested the integration to run.
integrationProcessGr: a GlideRecord that provides contextual information for the current process of an integration. The vulnerability integration process contains special parameters to be used within an integration, generally for pagination purposes. Each run of a vulnerability integration (called a Vulnerability Integration Run) has at least one associated vulnerability integration process. For multi-call integrations, there are one or more vulnerability integration process records for each Vulnerability Integration Run.

The script include must provide an implementation for the retrieveData() method and return an object that is processed by the report processor script. The object returned by retrieveData() is a simple object with properties for contents, contentType, and extension. A screen shot of VulnerabilityIntegrationBase.retrieveData() follows:

Figure 1: VulnerabilityIntegrationBase.retrieveData()

The logic in retrieveData() depends on the interface required for retrieving the data. For example, if the source of the data being pulled has a REST API, the body of this method could call the REST endpoint, likely via RESTMessageV2. The response of the call can then be parsed or put into an attachment, and the details used to construct the return object.

Single call integrations

Single call (single page) integration scripts are the simplest types of integrations. They require one call, often to an external source of data, to retrieve data. Only retrieveData() is required to be implemented for single page/single call integrations.

A sample that demonstrates a simple single call integration script follows. It creates a RESTMessageV2 and executes it. It then returns an object using the response body as the contents, along with an assumed contentType and extension.

Figure 2: Single call integration script

Multiple call integrations

Multiple call (or multiple page) integration scripts are a bit more complicated. They require multiple calls to a data source to retrieve data. Like a single call integration, a multiple call integration must also have retrieveData() implemented. In the body of retrieveData(), the integration uses the hasMoreData() and setNextRunParameters() methods provided by VulnerabilityIntegrationBase.

The hasMoreData() method accepts a single Boolean that instructs the VulnerabilityIntegrationController to insert more processes to pull more data. When passing true to hasMoreData(), a call to setNextRunParameters() is made to provide context to the next process. The setNextRunParameters() method accepts a single object that provides context information to be used by the next call to retrieveData(). This object is used to pass state to subsequent calls to retrieveData(). An example use case is to pass an object that indicates the current page number and page size to a web service.

For multiple call integrations, each retrieveData() call first checks the current process parameters. The _getProcessParameters() method is provided to all subclasses of VulnerabilityIntegrationBase as a convenience to get the parameters set by the previous process. If there are no parameters, this indicates that it is the first process.

A screen shot of a sample multiple call integration script follows. Extending the single call integration example, this script demonstrates making calls to a REST endpoint that has basic pagination support. It shows how you can get a single page of data, recognize that there is more data to retrieve, and then tell the next process which page to retrieve.

Figure 3: Multiple call integration script

Attachments as retrieveData() return values

Sometimes it is preferable to return an attachment from retrieveData(). The logic to create and/or retrieve an attachment is implementation-specific, but after the attachment is known, its information can be returned. To provide an attachment, retrieveData() returns an object like:

{
    contents: "attachment-sys-id",
    contentType: "sys_attachment"
}

An example that extends the previous example, but saves the response body of the REST message as an attachment on the integration process record, follows. It then returns that attachment's sys_id as the contents of the return object.

Figure 4: Return attachment from retrieveData()

Report processor strategies

The Report processor strategy field on the Vulnerability Integration form is used to select the method to process the data returned by the vulnerability integration script when the vulnerability integration process is executed. The default value is Data Source Attachment. This method is the baseline implementation that takes the retrieved data and passes it to a data source to be imported into the system. Selecting Custom Report Processor allows you to select a custom processor script for processing the data.

Use the data source attachment report processor strategy

The Data Source Attachment report processor strategy is used to pass data retrieved by the integration script to configured data sources.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Administration > Integrations and create a new integration.
2. In the Report processor strategy field, select Data Source Attachment.
3. Right-click in the form header, and click Save.
4. In the Vulnerability Integration Data Sources related list, click New.
5. Define the data source to be used.
6. Click Submit.
7. Repeat steps 4 through 6 if you require additional data sources. Be sure to specify the order in which multiple data sources process the retrieved data in the Order field.
8. Click Update.

About custom report processor scripts

On the Vulnerability Integration form, the Report processor is a reference to a script include that extends the VulnerabilityReportProcessorBase script include. The functionality contained in this script is called by the VulnerabilityIntegrationController and defines the means by which the data returned by the integration script is processed.

Each subclass of VulnerabilityReportProcessorBase has access to contextual information about the calling process. That information is available through the following member variables:

integrationGr: a GlideRecord of the Vulnerability Integration record that requested the integration to run.
integrationProcessGr: a GlideRecord of the Vulnerability Integration Process that provides contextual information for the current process of an integration.

The script include must provide an implementation for the processReport() method. The object passed to processReport() is the object that was returned by retrieveData(), and as such is a simple object with properties for contents, contentType, and extension. The actual logic in processReport() is implementation-specific and depends on the report data provided. A screen shot of VulnerabilityReportProcessorBase.processReport() follows:

Figure 5: Custom report processor script

Integration factory script fields

The Vulnerability Integration form contains the Integration factory script and, when the Custom Report Processor report processor strategy is selected, the Processor factory script. These fields are used to provide the logic to actually instantiate the object defined by the script include reference fields, Integration script and Report processor, respectively.
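The following is an added example, not code from the ServiceNow documentation or product. It is a Node-runnable model of the contract described in the preceding sections (single and multiple call integration scripts, attachment return values, custom report processors, and the factory script fields). The base classes, the controller loop (runIntegration), the paginated REST source (fakeRestGet), the attachment store and the CVE list are stand-ins written for this example, and the class names PagedIntegration and CveListProcessor are assumed; only the method names and the shape of the retrieveData() return object come from the text.

```javascript
// Added example, not ServiceNow code: a model of the integration contract.
// IntegrationBase, ReportProcessorBase, AttachmentStore, fakeRestGet and
// runIntegration are stand-ins; on an instance these roles are played by
// sn_vul.VulnerabilityIntegrationBase, sn_vul.VulnerabilityReportProcessorBase,
// sys_attachment, RESTMessageV2 and the VulnerabilityIntegrationController.

// Stand-in for sn_vul.VulnerabilityIntegrationBase.
class IntegrationBase {
  constructor(integrationGr, integrationProcessGr) {
    this.integrationGr = integrationGr;               // Vulnerability Integration record
    this.integrationProcessGr = integrationProcessGr; // current Integration Process record
    this._moreData = false;
    this._nextParams = null;
  }
  hasMoreData(flag) { this._moreData = Boolean(flag); }
  setNextRunParameters(params) { this._nextParams = params; }
  _getProcessParameters() { return this.integrationProcessGr.parameters; } // null on the first process
  retrieveData() { throw new Error('retrieveData() must be implemented'); }
}

// Stand-in for sn_vul.VulnerabilityReportProcessorBase.
class ReportProcessorBase {
  constructor(integrationGr, integrationProcessGr) {
    this.integrationGr = integrationGr;
    this.integrationProcessGr = integrationProcessGr;
  }
  processReport() { throw new Error('processReport() must be implemented'); }
}

// Constructed stand-in for the sys_attachment table: returns a 32-char id.
class AttachmentStore {
  constructor() { this.rows = new Map(); }
  add(contents) {
    const sysId = 'att' + String(this.rows.size + 1).padStart(29, '0');
    this.rows.set(sysId, contents);
    return sysId;
  }
  get(sysId) { return this.rows.get(sysId); }
}

// Constructed paginated vendor API (stands in for RESTMessageV2.execute().getBody()).
const FAKE_FINDINGS = ['CVE-2017-0001', 'CVE-2017-0002', 'CVE-2017-0003', 'CVE-2017-0004', 'CVE-2017-0005'];
function fakeRestGet(page, pageSize) {
  const start = (page - 1) * pageSize;
  return JSON.stringify({ page, total: FAKE_FINDINGS.length, items: FAKE_FINDINGS.slice(start, start + pageSize) });
}

// Multiple call integration: one page per process. Page state travels forward
// through setNextRunParameters() and is read back with _getProcessParameters().
class PagedIntegration extends IntegrationBase {
  retrieveData() {
    const params = this._getProcessParameters();
    const page = params ? params.page : 1;          // first process: no parameters yet
    const pageSize = params ? params.pageSize : 2;
    const body = fakeRestGet(page, pageSize);
    if (page * pageSize < JSON.parse(body).total) { // more pages remain
      this.hasMoreData(true);
      this.setNextRunParameters({ page: page + 1, pageSize });
    }
    if (this.integrationGr.storeAsAttachment) {     // attachment variant (Figure 4)
      const sysId = this.integrationGr.attachments.add(body);
      return { contents: sysId, contentType: 'sys_attachment' };
    }
    return { contents: body, contentType: 'application/json', extension: 'json' }; // inline variant
  }
}

// Custom report processor that accepts both return shapes.
class CveListProcessor extends ReportProcessorBase {
  processReport(report) {
    const body = report.contentType === 'sys_attachment'
      ? this.integrationGr.attachments.get(report.contents)
      : report.contents;
    if (body === undefined) throw new Error('attachment not found: ' + report.contents);
    return JSON.parse(body).items;
  }
}

// Stand-in for VulnerabilityIntegrationController: one Integration Run, one
// Integration Process per retrieveData() call. The two factory arguments play
// the role of the Integration factory script and Processor factory script.
function runIntegration(integrationGr, integrationFactory, processorFactory) {
  const run = { processes: [], items: [] };
  let params = null;
  for (;;) {
    const processGr = { number: run.processes.length + 1, parameters: params };
    run.processes.push(processGr);
    const integration = integrationFactory(integrationGr, processGr);
    const report = integration.retrieveData();
    run.items.push(...processorFactory(integrationGr, processGr).processReport(report));
    if (!integration._moreData) break;
    if (integration._nextParams === null) throw new Error('hasMoreData(true) without setNextRunParameters()');
    params = integration._nextParams;
  }
  return run;
}

// Demo: the same three-page run, inline or through attachments.
function demoRun(storeAsAttachment) {
  const integrationGr = { name: 'Example paged feed', storeAsAttachment, attachments: new AttachmentStore() };
  return runIntegration(integrationGr,
    (gr, procGr) => new PagedIntegration(gr, procGr),    // Integration factory script
    (gr, procGr) => new CveListProcessor(gr, procGr));   // Processor factory script
}
```

Calling demoRun(false) runs three processes (pages 1 to 3) and returns the five CVE identifiers; demoRun(true) does the same but routes every page through an attachment, which is the shape the Data Source Attachment strategy and the scripted REST integration expect. On an instance the script includes are written with Class.create() and Object.extendsObject(sn_vul.VulnerabilityIntegrationBase, {...}) rather than ES6 classes, and fakeRestGet() is replaced by a RESTMessageV2 call; the bodies of retrieveData() and processReport() carry over. The model deliberately throws when an integration passes true to hasMoreData() without calling setNextRunParameters(), because the next process would otherwise read empty parameters and fetch the first page again.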

When the script include is selected, both fields are pre-populated with a no-argument constructor call. Often this is sufficient, but there can be occasions where more logic is required to instantiate the script object. The integrationProcessGr record is exposed to the factory script fields so that process-specific information can be used, as needed.

Pushing data to a vulnerability integration using a REST API

You can use a REST endpoint to push data to a vulnerability integration.

The REST resource at /api/sn_vul/vulnerability_integration_svc is exposed to accept input data from an external system to be passed to a vulnerability integration. This resource requires the same authentication mechanism as other inbound REST messages. Only users with the sn_vul.vulnerability_admin role can issue requests to /api/sn_vul/vulnerability_integration_svc, so give the external system a dedicated integration account that holds this role rather than reusing a personal administrator account.

The query parameters accepted by this resource are integrationName and attachmentFileName. The integrationName parameter is set to the name of the vulnerability integration. The attachmentFileName parameter is set to a string to be used as the file name. An attachment is generated with the request body used as the attachment contents. The Content-Type header sent with the request is used to determine the content type of the attachment. The attachmentFileName parameter names the attachment internally. When the attachment is generated, a new vulnerability integration run is created based on the integrationName provided.

The details of the REST call to make to the vulnerability integration endpoint are:

HTTP method: POST
HTTP query parameters:
  attachmentFileName={name of file to be created as attachment}
  integrationName={name of the integration to use}
Supported content types: application/json, application/xml, text/xml, text/plain

Configure a vulnerability integration to use a scripted REST API

To allow data to be pushed from an external system, a scripted REST API provided in the base system accepts a request and puts the request body into an attachment for a report processor to process.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Administration > Integrations and create a new integration.
2. In the Integration script field, select ScriptedRESTVulnerabilityIntegration.
3. Select the appropriate Report processor strategy and, if you are using a custom report processor, the Report processor.
Note: The ScriptedRESTVulnerabilityIntegration works by taking an attachment and passing it to the report processor. For proper functionality, the selected Report processor (if custom) must be able to handle an attachment, that is, a report object whose contentType is sys_attachment.
4. Click Submit.

Manually running a vulnerability integration

A vulnerability integration is configured to run on a scheduled basis. However, you can run one manually when needed.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Administration > Integrations.
2. Open the integration you want to run.
3. Click Execute Now.

Vulnerability scanners and scans

Vulnerability scans can be performed to find software vulnerabilities that affect your CIs. You can initiate scans from a vulnerable item record or by creating a scan record directly for CIs and IP addresses. If you scan vulnerable items directly from the Vulnerable Items list, you also have the option of scanning multiple vulnerable items at the same time. If Security Incident Response is activated, you can also initiate a scan from the security incident catalog, a security incident record, or a security scan request.

Scans submitted from vulnerable items, the Security Incident Catalog, security incidents, or security scan requests are performed by the default scanner. For scans submitted directly from a scan record, you can select the scanner to use.

Add a third-party vulnerability scanner

You can integrate Vulnerability Response with third-party vulnerability scanners to scan and identify potential vulnerabilities.

Before you add a third-party scanning service, obtain a license or account to use that service. Often, an API key or API credentials must be obtained to facilitate the integration. You must also define a scanner implementation script include.

Role required: sn_vul.vulnerability_admin

A vulnerability scanner lets you launch a vulnerability scan with a third-party vulnerability vendor. You can modify and extend the Qualys scanner that is provided in the base system, or you can create a scanner. All scanners must extend VulnerabilityScannerBase.

1. Navigate to Vulnerability > Vulnerability Scanning > Scanners.
2. Click New.
3. Fill in the fields, as needed.

Table 57: Vulnerability Scanner form

Name: Enter a name for the vulnerability scanner.
Active: Select this check box to activate this vulnerability scanner.
Application: The application that owns this scanner.
Default: To make this scanner the default vulnerability scanner, select this check box.
Note: Set at least one default scanner, or the related links for initiating scans in Security Incident Response (if activated) and on the Vulnerable Item form are not available.
Scanner factory script: Enter a script to construct the scanner implementation that is defined by a script include. The script include must extend VulnerabilityScannerBase and provide the mechanism that makes scan requests. The last line of the script must be the constructed scanner implementation.

4. Click Submit.

Define a scanner implementation script include

When defining a scanner to be used by Vulnerability Response, you are asked to add a script include that implements the actual scanning behavior.

Role required: script_include_admin

1. Navigate to System Definition > Script Includes.
2. Click New.
3. Provide a scanner name and define its accessibility in the Accessible from field. Select All application scopes if the scanner can be accessed from any application scope. Otherwise, select This application scope only. So if the scanner is defined outside the Vulnerability scope, select All application scopes.
4. Populate the Script box with the baseline class structure and modify it to extend sn_vul.VulnerabilityScannerBase.
5. Add an implementation of launchScan to define the scanning behavior. This is where the request is made to the third-party scanner system and where the state of the scan record is updated. The signature for this method is launchScan: function(scanGr).
Note: The VulnerabilityScannerBase script include contains convenience functions, such as functions for setting the error state and message on the scan record, and for determining and normalizing IPs from the scan record CIs.
6. Click Submit.

Vulnerability scan rate limits

You can define the rate at which different types of scans are performed to limit the number of requests that are sent to an external scanner. After you have defined rate limits, you can apply them to different scanners.

Define scan rate limits

You can define the rate at which different types of scans are performed to balance the load in your scan queue. Conditions defined in the rate limit determine whether the rate limit applies to a queued entry.

Role required: sn_vul.admin

1. Navigate to Vulnerability > Vulnerability Scanning > Rate Limit Definitions.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 58: Rate limit definition

Name: Provide a descriptive name that identifies the conditions the queue entry must meet. For example, scans per minute.
Queue conditions: Enter conditions used to determine whether a queued scan entry is subject to this rate limit. The conditions should not be specific to a particular scanner.
Evaluation script: Write a script with the logic to evaluate the queued entry. The script must return true or false to define whether the entry is processed, and it must base its decision on the queued entry being evaluated.

4. Click Submit.

Apply scan rate limits to scanners

After you have defined scan rate limits using Rate Limit Definitions, you can apply rate limits to specific scanners.

Role required: sn_vul.admin

1. Navigate to Vulnerability > Vulnerability Scanning > Scanner Rate Limits.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 59: Scanner rate limit

Scanner: Select the scanner to which you want to apply a rate limit.
Rate limit: Select the rate limit you want to apply to this scanner.
Threshold: Enter the threshold to which the selected scanner is subject for the selected rate limit. For example, if the scanner allows 4 scans per minute, and the rate limit is defined as requests per minute, the threshold would be 4.

4. Click Submit.

Scan CIs and IP addresses

If you suspect that your CIs or IP addresses contain vulnerable software, you can create a request to scan them. Also, if you question whether a vulnerability has been resolved, you can create a request to have a CI or IP addresses rescanned.

Role required: sn_vul.vulnerability_read

1. Navigate to Vulnerability > Vulnerability Scanning > Scans. The Scans list shows all scans, including submitted and pending scans.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 60: Scans

Number: The auto-generated record number for this request.
Scanner: Select the third-party scanner to be used for this scan. The default scanner is initially displayed.
IP Addresses: Enter the IP addresses to be scanned, separated by commas. You can also enter a range of IP addresses.
Time requested: The date and time the request was created.
Requested by: The name of the requester.
State: The current state of the request. The default state upon scan creation is Draft.
Reference: External reference information for the third-party scan request. This information is scanner-specific but is generally an external scan identifier.
Status message: A status message generated by the third-party scanner.
Integration run: The integration run record used to invoke an integration to retrieve additional scan data.
Results import set: The import set of the transformed scan results, if applicable.
Raw response: Additional information returned by the remote scanner.

Qualys Scan Details

Parent scan: The parent scan that was used to distribute IP addresses and/or CIs to the appropriate scanner appliances.
Scanner appliance: The Qualys scanner appliance to use to scan the associated IP addresses and/or CIs. If the appliance record was manually created and this field is empty, the appliance to be used is determined automatically.
Use default appliance: Select to indicate that the default appliance should be used if a scanner appliance was not specified.
Note: The Child scans related list is populated by Qualys if any child scans were spawned.

4. Right-click in the form header and select Save. The following related lists and an Initiate Scan button appear.
5. Complete the related lists as needed:
Configuration Item: If you want to scan configuration items along with the IP addresses (if any), click Edit in the Configuration Item related list, select the CIs you want scanned, and click Save.
Source: If this scan originates from another task, such as a security scan request or a vulnerable item, this related list references that task. For new records created using the Vulnerability Scan form, this related list is empty.
Vulnerability: Lists the vulnerabilities to be scanned.
6. Click Initiate Scan. The IP addresses and/or CIs are scanned by the selected scanner and the raw results of the scan are attached to the vulnerability or vulnerable item record. If vulnerable items are still found, the State of the record transitions to Reopened, and a work note is added to the record to indicate that the vulnerable items were not fixed. The work note includes a link to the scan results where the vulnerability was found, along with the scanner name and the date and time of the scan.
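The following is an added example, not code from the ServiceNow documentation or product. It is a Node-runnable model of the scanner implementation script include from Define a scanner implementation script include (launchScan with a scanGr argument, the error-state and IP-normalization helpers), together with a rate limit definition's evaluation script, a scanner rate limit threshold, and the scan queue that applies them before a request reaches the vendor. ScannerBase, the scan record fields, the queue, the vendor API (makeFakeVendor) and the names ExampleScanner, scansPerMinute and processScanQueue are stand-ins written for this example; the dash-separated IP range syntax used in the demo is assumed.

```javascript
// Added example, not ServiceNow code: a model of launchScan(scanGr), a rate
// limit evaluation script, a scanner rate limit threshold and the scan queue.
// ScannerBase stands in for sn_vul.VulnerabilityScannerBase; the scan record,
// queue entries and vendor API are constructed for this example.

function ipToInt(ip) {
  const parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function intToIp(n) {
  return [24, 16, 8, 0].map((s) => Math.floor(n / 2 ** s) % 256).join('.');
}

// Stand-in for sn_vul.VulnerabilityScannerBase with the convenience functions
// the text mentions: error state/message on the scan record, IP normalization.
class ScannerBase {
  setError(scanGr, message) {
    scanGr.state = 'Error';
    scanGr.status_message = message;
  }
  // Targets = IP Addresses field (comma-separated; "a.b.c.d-e.f.g.h" is the
  // assumed range syntax) plus the IP of each related CI, de-duplicated.
  _normalizeTargets(scanGr, maxRange = 1024) {
    const out = new Set();
    const add = (ip) => {
      if (ipToInt(ip) === null) throw new Error('invalid IP address: ' + ip);
      out.add(String(ip).trim());
    };
    for (const token of String(scanGr.ip_addresses || '').split(',')) {
      const tok = token.trim();
      if (!tok) continue;
      const bounds = tok.split('-');
      if (bounds.length === 1) { add(tok); continue; }
      const lo = ipToInt(bounds[0]), hi = ipToInt(bounds[1]);
      if (bounds.length !== 2 || lo === null || hi === null || hi < lo) throw new Error('invalid range: ' + tok);
      if (hi - lo + 1 > maxRange) throw new Error('range too large: ' + tok);
      for (let n = lo; n <= hi; n++) out.add(intToIp(n));
    }
    for (const ci of scanGr.cis || []) add(ci.ip_address);
    return [...out];
  }
  launchScan() { throw new Error('launchScan(scanGr) must be implemented'); }
}

// Constructed vendor API: records each request and returns an external scan id.
function makeFakeVendor() {
  const calls = [];
  return { calls, startScan(targets) { calls.push(targets); return 'scan/ref-' + calls.length; } };
}

class ExampleScanner extends ScannerBase {
  constructor(name, api) { super(); this.name = name; this.api = api; }
  // launchScan: function(scanGr). Submits the request and updates the scan record.
  launchScan(scanGr) {
    let targets;
    try { targets = this._normalizeTargets(scanGr); }
    catch (e) { this.setError(scanGr, e.message); return false; }
    if (targets.length === 0) { this.setError(scanGr, 'Nothing to scan: no IP addresses or CIs'); return false; }
    scanGr.reference = this.api.startScan(targets);  // the vendor's scan identifier
    scanGr.state = 'Scanning';
    scanGr.status_message = 'Submitted ' + targets.length + ' target(s)';
    return true;
  }
}

// Rate Limit Definition: scanner-agnostic queue conditions plus an evaluation
// script that returns true (process now) or false (leave queued).
const scansPerMinute = {
  name: 'scans per minute',
  queueConditions: (entry) => entry.scanGr.state === 'Draft',
  evaluate: (entry, threshold, submittedAt, now) =>
    submittedAt.filter((t) => now - t < 60000).length < threshold,
};

// Scanner Rate Limit rows are { scanner, rateLimit, threshold }. history keeps
// submission times per scanner so the evaluation script can count them.
function processScanQueue(queue, scanners, scannerRateLimits, history, now) {
  const result = { launched: [], deferred: [], failed: [] };
  for (const entry of queue) {
    const scanner = scanners[entry.scanGr.scanner];
    const times = history[scanner.name] || (history[scanner.name] = []);
    const applicable = scannerRateLimits.filter(
      (l) => l.scanner === scanner.name && l.rateLimit.queueConditions(entry));
    if (!applicable.every((l) => l.rateLimit.evaluate(entry, l.threshold, times, now))) {
      result.deferred.push(entry);              // stays in the queue for the next pass
      continue;
    }
    if (scanner.launchScan(entry.scanGr)) { times.push(now); result.launched.push(entry); }
    else result.failed.push(entry);
  }
  return result;
}

// Demo: three Draft scans, one scanner, threshold of 2 scans per minute.
function demoQueue() {
  const scanners = { example: new ExampleScanner('example', makeFakeVendor()) };
  const limits = [{ scanner: 'example', rateLimit: scansPerMinute, threshold: 2 }];
  const entry = (ip_addresses, cis) => ({ scanGr: { scanner: 'example', state: 'Draft', ip_addresses, cis } });
  const queue = [
    entry('10.0.0.1-10.0.0.3, 10.0.0.2'),                      // range plus a duplicate: 3 targets
    entry('', [{ name: 'web01', ip_address: '192.0.2.10' }]),  // CI only
    entry('10.0.1.5'),
  ];
  const history = {};
  const first = processScanQueue(queue, scanners, limits, history, 0);              // t = 0
  const second = processScanQueue(first.deferred, scanners, limits, history, 61000); // a minute later
  return { first, second, queue };
}
```

demoQueue() queues three Draft scans against a scanner limited to 2 scans per minute: the first pass launches two and defers the third, and a second pass a minute later launches it. A scan whose IP list is malformed or yields no targets is put into the Error state with a status message instead of being sent to the vendor, which is what the base class's error helpers are for. On an instance, launchScan(scanGr) is a method on a script include that extends sn_vul.VulnerabilityScannerBase, and the evaluation script and threshold live in the Rate Limit Definition and Scanner Rate Limit records rather than in JavaScript objects.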

Scan a new or existing vulnerable item

You can scan a new or existing vulnerable item that contains at least one affected CI or has an IP address populated on the form.

Role required: sn_vul.vulnerability_write

1. Navigate to Vulnerability > Vulnerabilities > Vulnerable Items.
2. Create a new vulnerable item or open an existing one.
3. Click the Scan for Vulnerabilities related link. A message appears with a link to the scan and the work notes are updated. Click the link to see the progress or results of the scan.
Note: It is good practice to rescan vulnerabilities or vulnerable items after they have been remediated and a patch has been applied to the affected records. The rescan can be performed using the procedure above, but you can also automate the rescans.
4. To view the progress of your scan, navigate to Vulnerability > Vulnerability Scanning > Scans.

Scan multiple vulnerabilities or vulnerable items

You can simultaneously scan multiple vulnerabilities or vulnerable items that contain at least one affected CI or an IP address populated on the form.

Role required: sn_vul.vulnerability_write

1. Do one of the following:
   Navigate to Vulnerability > Vulnerabilities > Vulnerability Groups.
   Navigate to Vulnerability > Vulnerabilities > All Vulnerable Items.
2. Select the check boxes for the records you want to scan.
3. Click the Actions on selected rows list, and click Scan for Vulnerabilities. A message appears with a link to the scan and the work notes are updated. Click the link to see the progress or results of the scan. The Scan screen includes a Source related list that shows the individual vulnerabilities or vulnerable items scanned.

Automated scan verification

You can rescan vulnerabilities or vulnerable items after they have been remediated and a patch has been applied to the affected records. The base system provides two workflow triggers to automate rescanning of vulnerability groups and vulnerable items.

Rescan vulnerable group: This trigger calls the Vulnerability Response - Scan Vulnerability workflow on page 191.
Rescan vulnerable item: This trigger calls the Vulnerability Response - Scan Vulnerable Items workflow on page 194.

View the vulnerability scan queue

Vulnerability scan requests submitted to a third-party vulnerability scanning integration are queued so as not to overload system resources. You can view the status of queued requests, as needed.

Role required: sn_vul.admin

In the list of queued scans, each scan includes an automatically generated scan name that identifies the CI that was scanned.

1. Navigate to Vulnerability > Vulnerability Scanning > Scan Queue. All scan requests that have been submitted are shown in a list. The State column shows the current state of each queued entry. A state of Complete indicates that the scan has left the queue; it does not necessarily indicate that the scan has completed processing. When the scans have been completed, or if they failed, the Processing column shows the appropriate work notes text.
Note: If a hash value was submitted for scanning and the scanner fails to find a result, the State shows Complete and the work note in the Processing column indicates Unknown.
2. After a scan has finished processing, click a queued record to view details for the scan request.

Vulnerability Response Orchestration

With Vulnerability Response Orchestration workflows and activities, you can interact with and retrieve data from Windows or UNIX-based systems and environments using workflow orchestration. By enriching data, you can shorten the remediation life cycle.

For more information on editing Vulnerability Response Orchestration workflows or creating custom workflows, see Workflow and Workflow editor.

Vulnerability Response Orchestration workflows and activities

Several workflows are included with Vulnerability Response Orchestration. Workflows and activities automate and expedite your processes. Use workflows and activities to create scan records, scan vulnerable items, and more.

Vulnerability Response - Scan Vulnerability workflow

Automate vulnerability scans for single or multiple vulnerabilities using the Vulnerability Response - Scan Vulnerability workflow included in the base system.

Role required: admin

The Vulnerability Response - Scan Vulnerability workflow creates a scan record for the vulnerability or group of vulnerabilities from which it was invoked.

Note: It is good practice to rescan vulnerabilities or vulnerable items after remediation, when a patch has been applied to the affected records. You can perform the rescan using the method described above or you can automate the rescans.

The workflow includes the Create Scan Record for Vulnerabilities activity, described below.

Figure 6: Vulnerability Response - Scan Vulnerability workflow

Vulnerability Response - Scan Vulnerable Items workflow

Automate vulnerability scans for single or multiple vulnerable items using the Vulnerability Response - Scan Vulnerable Items workflow included in the base system.

Role required: sn_vul.admin

The Vulnerability Response - Scan Vulnerable Items workflow creates a scan record for the vulnerable item or group of items from which it was invoked.

Note: It is good practice to rescan vulnerabilities or vulnerable items after remediation, when a patch has been applied to the affected records. You can perform the rescan using the method described above or you can automate the rescans.

The workflow's process activities include the Create Scan Record for Vulnerabilities activity, described below.

Figure 7: Vulnerability Response - Scan Vulnerable Items workflow

Create Scan Record for Vulnerabilities activity

Run vulnerability scans for single or multiple vulnerable items using the Create Scan Record for Vulnerabilities workflow activity included in the base system. When the input is passed to the activity, it creates a scan record.

196 Input variables Input variables determine the initial behavior of the activity. Table 61: Input variables Variable taskids [string] A string of comma-separated sysids that define the expected inputs. This field is mandatory. Output variables The output variables contain data that can be used in subsequent activities. Table 62: Output variables Variable scanresult [Boolean] Returns True if the input is not empty. A scan record is created for the taskids. Components installed with Vulnerability Response Several types of components are installed with Vulnerability Response. Demo data is available with Vulnerability Response. Tables installed with Vulnerability Response Vulnerability Response adds the following tables. Table CI Scan Used to store data on when CIs were last scanned, including the last scan date (if available), the scanner used for the last scan, the date of the last vulnerability found for the CI, and the scanner last used for a found vulnerability. [sn_vul_ci_scan] Common Weakness Enumeration [sn_vul_cwe] Discovery Model Vulnerable Software Match [sn_vul_discovery_model_software_match] National Vulnerability Database Entry [sn_vul_nvd_entry] A catalog of common software weakness and vulnerabilities. Used to supplement the matching of vulnerable software to a discovery model. A documented vulnerability from the NIST National Vulnerability Database. 196

NVD Data Feeds [sn_vul_nvd_repo]
    A NIST National Vulnerability Database feed.

Scheduled Import Pool [sn_vul_sched_import_pool]
    A collection of scheduled import set records used to facilitate simultaneous data source imports.

Third Party Vulnerability Entry [sn_vul_third_party_entry]
    A documented vulnerability from a third-party source.

Vulnerable Item [sn_vul_vulnerable_item]
    A task to address a configuration item with a detected vulnerability.

Vulnerable Software [sn_vul_software]
    Software that is known to have certain vulnerabilities.

Vulnerability Group [sn_vul_vulnerability]
    A task to address the resolution of an entire vulnerability entry.

Vulnerability Calculator [sn_vul_calculator]
    A calculator to set certain vulnerable item fields when certain conditions are met.

Vulnerability Calculator Group [sn_vul_calculator_group]
    A grouping of vulnerability calculators. The order of the calculator group determines which group is evaluated first, and in each group, one calculator at most is used.

Vulnerability Data Source Import Queue Entry [sn_vul_ds_import_q_entry]
    A queue for attachments before they are processed by a data source. Utilized by vulnerability integrations.

Vulnerability Entry [sn_vul_entry]
    A documented vulnerability.

Vulnerability Group Item [sn_vul_m2m_vul_group_item]
    Association of vulnerability groups and vulnerable items.

Vulnerability Integration [sn_vul_integration]
    A schedulable record to import vulnerability data from an external source.

Vulnerability Integration Data Source [sn_vul_int_data_src]
    Data source to use with a vulnerability integration.

Vulnerability Integration Process [sn_vul_integration_process]
    Record to store a single process occurrence for a vulnerability integration.

Vulnerability Integration Run [sn_vul_integration_run]
    Record to store vulnerability integration invocations.

Vulnerability Item Task [sn_vul_m2m_item_task]
    Vulnerable items associated with problems, changes, and security incidents.

Vulnerability Rate limit [sn_vul_rate_limit]
    Defines a rate limit to be used on a scanner.

Vulnerability Reference [sn_vul_reference]
    External references for known vulnerabilities.

Vulnerability Scan [sn_vul_scan]
    A vulnerability scan. Contains what to scan, with what scanner, and a summary of the scan results.

Vulnerability Scan Configuration Item [sn_vul_m2m_scan_configuration_item]
    Associates CMDB CIs that are queued to be scanned.

Vulnerability Scan Queue Entry [sn_vul_scan_q_entry]
    A scan record queued for scanning or processing. Facilitates the requests within stated rate limits.

Vulnerability Scanner [sn_vul_scanner]
    Defines third-party scanners to use in scans.

Vulnerability Scanner Rate Limit [sn_cmn_scanner_rate_limit]
    Associates a scanner with a rate limit.

Vulnerability Scan Source [sn_vul_m2m_scan_source]
    Associates sources to a scan record and signifies all the records that are queued to be scanned.

Vulnerability Scan Task [sn_vul_m2m_scan_vulnerability]
    Associates vulnerability tasks for the sources of a scan record.

Vulnerability Software [sn_vul_m2m_entry_software]
    Record to store associations between vulnerabilities and vulnerable software.

Vulnerability State Change Approval [sn_vul_change_approval]
    Record for tracking the approval process for vulnerabilities.

The Security Support Common [com.snc.security_support.common] plugin, which is activated when you activate Vulnerability Response, adds the following tables.

Rate limit [sn_cmn_rate_limit]
    Defines a rate limit to be used on a lookup source or scanner.

Scan [sn_sec_cmn_scan]
    A threat lookup or vulnerability scan. Contains what to look up or scan, with what lookup source or scanner, and a summary of the results.

Scanner [sn_sec_cmn_scanner]
    Defines third-party lookup sources or scanners to use in lookups or scans.

Scan Queue Entry [sn_cmn_scan_q_entry]
    A threat lookup or vulnerability scan record queued for lookup, scan, or processing. Facilitates the requests within stated rate limits.

Scanner Rate Limit [sn_cmn_scanner_rate_limit]
    Associates a lookup source or scanner with a rate limit.

Properties installed with Vulnerability Response

Vulnerability Response adds the following properties.

sn_vul.autocreate_vul_centric_group
    When set to true, this property automatically creates a Vulnerability Group when a vulnerable item is created for a vulnerability entry that does not yet have a group (for Vulnerability Centric functionality).

sn_vul.popup
    When a problem, change, or security incident is created, it opens a pop-up window to modify the request. If you set this property to false, the request has the same priority, short description, and description as the vulnerable item, without the option to add or edit those fields.
    Type: true | false
    Default value: true
    Location: If you change the value of this property, type sys_properties.list in the navigation filter, press Enter, locate the property, and change its value.

sn_vul.vulnerable_item.approval_required
    Determines whether an approval process is required to move a vulnerable item into a terminal state.
    Type: true | false
    Default value: true
    Location: If you change the value of this property, type sys_properties.list in the navigation filter, press Enter, locate the property, and change its value.

sn_vul.autocreate_vul_centric_group
    Determines whether to allow auto creation of vulnerability groups.
    Type: true | false
    Default value: true
    Location: If you change the value of this property, type sys_properties.list in the navigation filter, press Enter, locate the property, and change its value.

Roles installed with Vulnerability Response

Vulnerability Response adds the following roles.

Vulnerability Admin [sn_vul.admin]
    Updates properties and vulnerability integrations.
    Contains roles: sn_vul.vulnerability_write

Vulnerability Read [sn_vul.vulnerability_read]
    Views the vulnerable module section, vulnerable software, and vulnerable items.
    Contains roles: pa_viewer, treemap_user

Vulnerability Write [sn_vul.vulnerability_write]
    Creates and updates vulnerable software and vulnerable items.
    Contains roles: sn_vul.vulnerability_read

Script includes installed with Vulnerability Response

Vulnerability Response adds the following script includes.

CVSSUtil
    Common Vulnerability Scoring System utility.

CWEKnowledgeHtmlBuilder
    A class that builds a knowledge article from CWE data.

CWEReportProcessor
    An integration processor for the Common Weakness Enumeration integration.

CWERestIntegration
    Integration that retrieves Common Weakness Enumeration data via a REST call.

DataSourceVulnReportRefreshProcessor
    Default/reference implementation of VulnerabilityReportProcessorBase. Takes processor data and passes it to the configured data sources associated with the integration.

NVDHelper
    Utility class for parsing NVD entries.

NVDIntegration
    The NIST National Vulnerability Database logic.

ScriptedRESTVulnerabilityIntegration
    Vulnerability integration that utilizes Scripted REST Services to push vulnerability data into the system.

SoftwareVulnerabilityMatcher
    Contains logic to match vulnerable software to a discovery model.

VulnerabilityAJAX
    Contains various AJAX functions for use in Vulnerability Response.

VulnerabilityChangeApproval
    Encapsulates Vulnerability Change Approval (sn_vul_change_approval) behavior logic.

VulnerabilityDSAttachmentManager
    As vulnerability integrations add attachments to data sources for processing, this script include manages the execution of the data sources and transformations.

VulnerabilityGroup
    Encapsulates Vulnerability Group (sn_vul_vulnerability) behavior logic.

VulnerabilityIntegrationBase
    An integration interface that other integrations extend. Implementing classes retrieve data to pass to a processor.

VulnerabilityIntegrationController
    Controller class to manage vulnerability integration script executions.

VulnerabilityIntegrationUtils
    Utility class to assist with managing vulnerability integration runs and processes.

VulnerabilityReportProcessorBase
    A processor interface for new report processors to extend. The implementing class parses the payload from an interface.

VulnerabilityScannerBase
    A scanner integration interface that other scanner integrations extend. Implementing classes use this script include as a base script to launch scans with third-party vulnerability scanners.

VulnerabilityScanProcessorBase
    Used as the base class for processing scan results. Defines the signature for the process function used by vulnerability scan implementations.

VulnerabilityScanUtil
    Utility class for managing vulnerability scans.

VulnerabilityStateChangeManager
    Manages requests to change the state of a vulnerability.

VulnerabilityTransformMapUtil
    Utility class for transforming a raw vulnerability report.

VulnerabilityUtils
    Contains various APIs to support Vulnerability Response.

VulnerableItem
    Encapsulates Vulnerable Item (sn_vul_vulnerable_item) behavior logic.

The Security Support Common [com.snc.security_support.common] plugin, which is activated when you activate Vulnerability Response, adds the following script includes.

Scanner
    The lookup source and scanner implementations for Threat Intelligence and Vulnerability Response.

ScannerIntegrationBase
    Base class for lookup source and scanner integration implementations.

ScannerProcessorBase
    Base class for lookup source and scanner processor implementations.

ScannerUtils
    Common lookup source and scanner helper methods.

ScanQueueManager
    The lookup and scan queue manager implementation for Threat Intelligence and Vulnerability Response.

Client scripts installed with Vulnerability Response

Vulnerability Response adds the following client scripts.

Check software import (Table: National Vulnerability Database Entry [sn_vul_nvd_entry])
    Checks to see if the software vulnerability information has been processed for the entry.

Get default scanner on load (Table: Scan [sn_vul_scan])
    Populates the scanner reference field with the default scanner on scan form load.

On Integration Script Change (Table: Vulnerability Integration [sn_vul_integration])
    When the integration script changes, populates the integration factory script field with the default constructor for the selected script include.

On Processor Script Change (Table: Vulnerability Integration [sn_vul_integration])
    When the processor script changes, populates the processor factory script with the default constructor for the selected script include.

Show/Hide Vulnerability Det Tab (filter) (Table: Vulnerability Group [sn_vul_vulnerability])
    When a vulnerability group is filtered by a vulnerability filter, shows the vulnerability details tab on the form. These scripts are triggered by changes to the vulnerability and filter fields.

Show/Hide Vulnerability Det Tab (vul) (Table: Vulnerability Group [sn_vul_vulnerability])
    When a vulnerability group is filtered by a vulnerability filter, shows the vulnerability details tab on the form. These scripts are triggered by changes to the vulnerability and filter fields.

State choices (Tables: Vulnerable Item [sn_vul_vulnerable_item], Vulnerability Group [sn_vul_vulnerability])
    Manages states that are visible on the Vulnerable Item form.

Business rules installed with Vulnerability Response

Vulnerability Response adds the following business rules.

Add Vulnerable Item CI to Task (Table: Vulnerability Item Task [sn_vul_m2m_item_task])
    Copies the configuration items from the vulnerable item to the task.

Apply Updates (Table: label [sn_vul_group_async_update])
    Applies updates to vulnerability items when a change is made to a group.

Associate VIs on Condition Change (Table: Vulnerability Group [sn_vul_vulnerability])
    Creates the association between vulnerable items.

Begin state approval workflow (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Starts the approval process for a vulnerable item.

Calculate Criticality (Tables: Vulnerable Item [sn_vul_vulnerable_item], Vulnerability Group [sn_vul_vulnerability])
    Runs the vulnerability calculators when a vulnerable item is inserted or when the configuration item changes.

Check for reopen or close (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Determines whether a vulnerable item has been reopened or closed.

Check ignore expiration (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Checks if the time limit to ignore a vulnerable item has expired.

Clear Filter if using Vul Entry (Table: Vulnerability Group [sn_vul_vulnerability])
    If using a vulnerability entry to determine the associated vulnerable items, this rule clears the conditions filter.

Clear others when using Filter Group (Table: Vulnerability Group [sn_vul_vulnerability])
    Clears out invalid fields on a vulnerability group when a filter group is used.

Clear Vulnerability if Custom Filter (Table: Vulnerability Group [sn_vul_vulnerability])
    If using a filter to determine the associated vulnerable items, this rule clears the vulnerability field.

Create CI Scan (Table: Hardware [cmdb_ci_hardware])
    Creates a CI scan record when a new CI is created/inserted in the Hardware [cmdb_ci_hardware] table.

Determine CI from Network Details (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Attempts to set the configuration item on the record given network details such as IP address.

Determine vulnerable items (Table: Vulnerable Software [sn_vul_software])
    Examines the software installation table and inserts a vulnerable item for each configuration item found to have an instance of the vulnerable software.

Ensure Vuln Centric Group exists (Table: Vulnerability Group [sn_vul_vulnerable_item])
    Checks for the existence of a vulnerability-centric group. If one is not found, it creates one. Only applies if sn_vul.autocreate_vul_centric_group is set to true.

Handle complete state (Table: Vulnerability Integration Run [sn_vul_integration_run])
    When a vulnerability integration run completes, this rule starts the next available integration run (if any).

Handle ready state (Table: Vulnerability Integration Run [sn_vul_integration_run])
    If no other runs are processing when a vulnerability integration run is marked as ready, this rule starts the integration run for that item.

Insert vulnerable item (Table: Software Installation [cmdb_sam_sw_install])
    If the software installation has a discovery model that matches a software model with a known vulnerability, a vulnerable item is inserted for the configuration item.

Link to Vulnerability Groups (Table: Vulnerability Group [sn_vul_vulnerable_item])
    Associates vulnerable items to vulnerability groups.

New CVEs downloaded (Table: NVD Data Feeds [sn_vul_nvd_repo])
    When new CVEs have been downloaded, this rule publishes an event to the event queue to indicate that CVEs have been added to the system. Used by notifications.

New items follow parent (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Checks to see if the state of a new vulnerable item matches its vulnerability group. If so, this rule updates the state accordingly.

Normalize default (Table: Vulnerability Scanner [sn_vul_scanner])
    Ensures that only one scanner is marked as default at a given time, and allows only active scanners to be made the default.

Populate job script from integration (Table: Vulnerability Integration [sn_vul_integration])
    Updates the script that runs when the chosen processors change.

Prevent Delete/Deactivate of Default (Table: Vulnerability Scanner [sn_vul_scanner])
    Prevents the default scanner from being deactivated or deleted.

Process activation (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Sets the Last opened field to the current date of activation and, if needed, sets the Reopened flag.

Process inactivation (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Sets the Age closed and, if set, removes the Reopened flag.

Process Vulnerability Attachments (Table: Vulnerability Data Source Import Queue Entry [sn_vul_ds_import_q_entry])
    Processes the attachment queue.

Queue the scan (Table: Vulnerability Scan [sn_vul_scan])
    Places a vulnerability scan in the queue when all required fields have been provided.

Refresh impacted services on CI change (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Refreshes impacted services when a configuration item changes on a vulnerable item.

Run process on insert (Table: Vulnerability Integration Process [sn_vul_integration_process])
    When an integration process is inserted, this rule runs the integration script and processor based on any parameters configured on the record.

Set Risk Accepted Flag (Table: Vulnerability Group Item [sn_vul_m2m_vul_group_item])
    If a new vulnerable item is added to a vulnerability group that is in a Closed or Ignored state, this business rule sets the vulnerability group Risk accepted flag to true.

Trigger Workflows (Tables: Vulnerability Group [sn_vul_vulnerability], Vulnerability Scan [sn_vul_scan], Vulnerable Item [sn_vul_vulnerable_item])
    Triggers Threat Intelligence workflows when conditions are met.

Update associated VI on Note Change (Table: Vulnerability Group [sn_vul_vulnerability])
    When a work note is added to a vulnerability group, this rule propagates that note to associated vulnerable items.

Update integration process (Tables: Vulnerability Data Source Import Queue Entry [sn_vul_ds_import_q_entry], Vulnerability Integration Run [sn_vul_integration_run])
    Updates the state of a vulnerability process and run, based on the result of a vulnerability data source import queue entry.

Update items on state changes (Table: Vulnerability Group [sn_vul_vulnerability])
    Updates associated vulnerable items when the state of a vulnerability group changes.

Update Match information (Table: Vulnerable Software [sn_vul_software])
    Updates the auto-match fields when the discovery model is set manually.

Update short description (Table: Vulnerable Item [sn_vul_vulnerable_item])
    Generates a short description from the vulnerability selected.

Update source task (Table: Scan [sn_vul_scan])
    When a vulnerability scan state changes, updates the task in the Source reference field with work notes to indicate whether the scan was successfully launched.

Update the queue (Table: Scan [sn_ti_scan])
    Updates a scan queue entry for a scan record when the scan state changes.

Update Vulnerabilities (Table: Vulnerability State Change Approval [sn_vul_change_approval])
    Updates the affected vulnerable items with the results of the vulnerability state change approval.

Update vulnerable item on delete (Table: Software Installation [cmdb_sam_sw_install])
    Updates a vulnerable item when the associated software installation is deleted.

Update vulnerable items (Table: Software Installation [cmdb_sam_sw_install])
    If a vulnerable item exists for an installation, the vulnerable item is updated with newly discovered information.

Vulnerability scan (Table: Security Scan Request [sn_si_scan_request])
    Starts a vulnerability scan from a security scan request.

Scheduled jobs installed with Vulnerability Response

Vulnerability Response adds the following scheduled jobs.

Check Vulnerable Item Ignore Expiration
    Runs nightly to determine which vulnerable items are past their ignore date and sets those items back to active.

Scheduled Vulnerability Data Source Processor
    Runs nightly to process any items in the vulnerability import queue that are still pending.

Scheduled Vulnerability Integration timeout checker
    Runs periodically to check vulnerability runs for those items that have exceeded the maximum execution time and cancels them.

Update Vulnerable Item Age
    Runs nightly to update the age of all active vulnerable items. The last_vul_found value is updated for each CI scan and displayed in the CI scan record and in reports.

Threat Intelligence

The Threat Intelligence application is used to access and provide a point of reference for your company's Structured Threat Information Expression (STIX) data. STIX is a language for describing cyber threat information in a standardized and structured manner. Using STIX data and Trusted Automated Exchange of Indicator Information (TAXII) profiles, threat professionals can use shared cyber threat information to isolate threats that have been previously identified by your company and from other sources. TAXII makes widespread automated exchange of cyber threat information possible.

STIX and TAXII are trademarks of The MITRE Corporation.
Explore
    Threat Intelligence release notes
    Upgrade to
    videos

Set up
    Activate Threat Intelligence on page 208
    Set Threat Intelligence properties on page
    Define a threat source on page 212

Administer
    Threat Intelligence monitoring on page 214
    Threat Intelligence Orchestration on page 241

Use
    Attack modes and methods on page 219
    Indicators of compromise on page 221
    Observables on page 223

Develop
    Developer training
    Developer documentation

Integrate
    Components installed with Threat Intelligence on page 246
    integrations on page 256
    Security Operations integration development guidelines on page 256
    Tips for writing integrations on page 263

Troubleshoot and get help
    Ask or answer questions in the community
    Search the HI knowledge base for known error articles
    Contact Support

Set up Threat Intelligence

Before Threat Intelligence can be used, activate the plugin and then configure how you want the application to function.

Activate Threat Intelligence

The Threat Intelligence plugin is available as a separate subscription. Unless the Security Incident Response plugin is activated, some workflow and threat functionality is not available. You can activate Security Incident Response before or after Threat Intelligence activation.

Role required: admin

Threat Intelligence activates these related plugins if they are not already active.

Table 63: Plugins for Threat Intelligence

Security Support Orchestration [com.snc.secops.orchestration]
    Provides an integration with Orchestration to allow the facilitation of workflow activities within Security Incident Response, Threat Intelligence or Vulnerability Response.

To purchase a subscription, contact your account manager. After purchasing the subscription, activate the plugin within the production instance.

1. Navigate to System Definition > Plugins.

2. Find and click the plugin name.
3. On the System Plugin form, review the plugin details and then click the Activate/Upgrade related link. If the plugin depends on other plugins, these plugins are listed along with their activation status. If the plugin has optional features that are not functional because other plugins are inactive, those plugins are listed. A warning states that some files are not installed. If you want the optional features to be installed, cancel this activation, activate the necessary plugins, and then return to activating the plugin.
4. Optional: If available, select the Load demo data check box. Some plugins include demo data sample records that are designed to illustrate plugin features for common use cases. Loading demo data is a good policy when you first activate the plugin on a development or test instance. You can also load demo data after the plugin is activated by clicking the Load Demo Data Only related link on the System Plugin form.
5. Click Activate.

Set Threat Intelligence properties

Threat Intelligence properties allow you to control how different aspects of the system function, including the setting of API keys.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > Administration > Properties.
2. Set the following properties, as needed.

Table 64: Properties for Threat Intelligence

The domain name to retrieve additional information for IP addresses/URLs [sn_ti.ip_lookup.web_site]
    The domain name to use for retrieving additional information into your IoC database. This property is used by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
    Type: String
    Default value: ip-country/
    Location: Threat Intelligence > Administration > Properties
    Note: The pinfodb.com third-party API is available at no extra charge and is used in many commercial software programs. If you replace it with a different domain name, you must also provide the API key in the next field.

The API key to be used for the domain, if any [sn_ti.ip_lookup.api_key]
    The API key to use for retrieving additional information into your IoC database. This property is used (along with the sn_ti.ip_lookup.web_site property) by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
    Type: String
    Default value: none
    Location: Threat Intelligence > Administration > Properties

Lookup local IoC tables before sending to remote scanner [sn_ti.scan_ioc_before_sending]
    If set to True, the Observable [sn_ti_observable] table is checked against the lookup request for a matching value. If a match is found (that is, the same IP address, URL, or file hash value exists), the lookup result is populated from information in the Observable [sn_ti_observable] table. This setting prevents unneeded lookups. In the lookup request, the State field is set to Complete, the Result field is set to Failed, and the Internally populated field is set to True. If a matching value or attachment is not found in the Observable [sn_ti_observable] table, the lookup proceeds normally.
    Type: Yes | No
    Default value: Yes
    Location: Threat Intelligence > Administration > Properties

Number of days local Observables are considered [sn_ti.scan_ioc_num_days]
    If the Lookup local IoC tables before sending to lookup source property is set to True, observables that were updated within the number of days specified in this property are compared with the value in the lookup. If a match is found within the specified number of days, or if an attachment in the lookup exists in an IoC observable, the lookup is not performed. The State field is set to Complete, and the Result field is set to Failed. If a matching value or attachment is not found in the Observable [sn_ti_observable] table, the lookup proceeds normally.
    Type: integer
    Default value: 30
    Location: Threat Intelligence > Administration > Properties

When an attack mode/method has not been received from any source for the specified number of days, mark it as inactive [sn_ti.attack_mode_inactivate_days]
    Number of days from when an attack mode/method was last received for the record to be marked inactive.
    Type: integer
    Default value: 360
    Location: Threat Intelligence > Administration > Properties
    Note: The Active check box is not visible on the Attack mode/method form by default. However, you can add it. When attack modes/methods are inactive, they cannot be selected on other forms.
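As an added illustration (not ServiceNow's own code), the following models the decision that the sn_ti.scan_ioc_before_sending and sn_ti.scan_ioc_num_days properties describe: a lookup request is answered from the local Observable [sn_ti_observable] table when a matching value or attachment was updated within the configured number of days, and only otherwise goes to the remote scanner. The observable rows, the request shape and comparing attachments by a stored hash are constructed assumptions; the real application reads the table through platform APIs that are not available outside an instance.

```javascript
// Added example, not ServiceNow's implementation: models the behaviour documented for
// sn_ti.scan_ioc_before_sending and sn_ti.scan_ioc_num_days on a constructed data set.

var MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed stand-in for rows of the Observable [sn_ti_observable] table.
// "updated" is the row's last-update time; "attachmentHash" is an assumption for how an
// attachment stored on an observable would be compared with an attachment in a lookup.
var OBSERVABLES = [
  { value: '198.51.100.23', type: 'IP address', updated: '2018-04-20T10:00:00Z',
    findings: 'constructed: listed by feed A' },
  { value: 'http://example.invalid/dropper', type: 'URL', updated: '2018-01-02T00:00:00Z',
    findings: 'constructed: listed by feed B' },
  { value: '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08', type: 'File hash',
    updated: '2018-04-25T08:30:00Z', attachmentHash: 'constructed-attachment-hash-1',
    findings: 'constructed: sample analysed previously' }
];

// Fixed reference time (the document date) so the example is reproducible offline.
var NOW = new Date('2018-05-03T00:00:00Z');

// Read the two properties, falling back to the defaults the page states (Yes and 30).
function parseProps(props) {
  var raw = props['sn_ti.scan_ioc_before_sending'];
  var enabled = String(raw === undefined ? 'Yes' : raw).toLowerCase() === 'yes';
  var days = parseInt(props['sn_ti.scan_ioc_num_days'], 10);
  if (!(days > 0)) { days = 30; }
  return { enabled: enabled, days: days };
}

// Return the first observable whose value or attachment matches the request and whose
// last update lies inside the lookback window; undefined when nothing qualifies.
function findLocalMatch(request, observables, days, now) {
  var cutoff = now.getTime() - days * MS_PER_DAY;
  for (var i = 0; i < observables.length; i++) {
    var obs = observables[i];
    var fresh = Date.parse(obs.updated) >= cutoff;
    var sameValue = request.value !== undefined && obs.value === request.value;
    var sameAttachment = request.attachmentHash !== undefined &&
                         obs.attachmentHash === request.attachmentHash;
    if (fresh && (sameValue || sameAttachment)) { return obs; }
  }
  return undefined;
}

// Decide what happens to a lookup request. On a local hit the page documents:
// State = Complete, Result = Failed, Internally populated = True, result taken from the
// observable. Otherwise the request proceeds to the remote scanner (that path is not modelled).
function triageLookup(request, observables, props, now) {
  var cfg = parseProps(props);
  var toRemote = { state: null, result: null, internallyPopulated: false, dispatch: 'remote scanner' };
  if (!cfg.enabled) { return toRemote; }
  var match = findLocalMatch(request, observables, cfg.days, now || NOW);
  if (!match) { return toRemote; }
  return { state: 'Complete', result: 'Failed', internallyPopulated: true, dispatch: 'none',
           matchedType: match.type, findings: match.findings };
}
```

Lowering sn_ti.scan_ioc_num_days makes the stale URL row above fall outside the window, so the same request is sent out again; raising it keeps answering from the local table.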

When an indicator has not been received from any source for the specified number of days, mark it as inactive [sn_ti.indicator_inactivate_days]
    Number of days from when an indicator was last received for the record to be marked inactive.
    Type: integer
    Default value: 180
    Location: Threat Intelligence > Administration > Properties
    Note: The Active check box is not visible on the Indicator form by default. However, you can add it. When indicators are inactive, they cannot be selected on other forms.

3. Click Save.

Define a threat source

You can maintain a list of Threat Intelligence threat sources. Each source includes the ability to define how often it is queried. You can also execute a threat source on demand to import the needed Structured Threat Information Expression (STIX) data.

Threat Intelligence employs two technologies for importing threat-related information: STIX and Trusted Automated Exchange of Indicator Information (TAXII). STIX provides a standardized, structured language for representing an extensive set of cyber threat information that includes indicators of compromise (IoC) activity (for example, IP addresses and file hashes), as well as contextual information regarding threats, such as attack modes/methods, that together more completely characterize the motivations, capabilities, and activities of a cyber adversary. As such, STIX data provides valuable information on how your organization can best defend against cyber threats.

TAXII is used to facilitate automated exchange of cyber threat information. TAXII defines a set of services and message exchanges that enable sharing of actionable cyber threat information across organization and product/service boundaries for the detection, prevention, and mitigation of cyber threats. TAXII profiles can be set up as repositories for sharing STIX-formatted information. Each profile contains one or more TAXII collections or feeds.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > Sources > Threat Sources.
2. Click New.
3. Fill in the fields on the form, as appropriate.
    Name: The name of the threat source.
    Application: The application that contains this record.
    Active: Select this check box to activate the threat source.
    Advanced: Select this check box to display the scripts in the Integration factory script and Processor factory script fields.
    Description: A description of this threat source.
4. Fill in the fields in the Schedule section, as appropriate.
    Run: The frequency you want the integration to run: Daily, Weekly, Periodically, and so on. The subsequent fields are displayed based on the setting of this field.
    Day: The day you want the integration to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month.
    Time: The time you want the integration to start.
    Repeat Interval: If you selected Periodically in the Run field, this field displays the number of days and hours before the integration runs again.
    Starting: If you selected Periodically in the Run field, this field displays the date and time to be used as the starting point for periodic updates.
    Conditional: Select this field if you want to add conditional parameters.
    Condition: If you selected the Conditional check box, enter the conditions here.
5. Fill in the fields in the Threat Details section, as appropriate.
    Indicator: The indicator to use when the data does not explicitly provide one. For blocklists, if empty, a new indicator is created for each observable.
    Indicator type: The indicator type to use for indicators that are created when the data does not explicitly provide an indicator type.
    Attack Mode/Method: The attack mode/method to use when the data does not explicitly provide one.
    Observable Type: The observable type to use for observables that are created when the data does not explicitly provide an observable type.
    Weight: Enter a weight value for this source to be used in the confidence calculation.
    Note: The usage of the Indicator, Indicator Type, Attack Mode/Method, and Observable Type fields is implementation-specific. The default processor, SimpleBlocklistProcessor, behaves as the hints describe. However, a TAXII threat source is fully data driven. Any custom threat source processor can use its own strategy. These fields are simply items exposed to the integration/processor; the implementation decides how to use them.
6. Fill in the fields in the Source Details section, as appropriate.
    Endpoint: Enter the web service endpoint URL where the threat source is accessed by Threat Intelligence. Click the lock icon to lock the URL.
    Use REST Message: If you require a REST message to access the threat source, select this check box. The REST message and REST method fields become mandatory.
    REST message: Click the lookup icon, and select the REST message from the list or click New to define a new REST message.
    REST method: Click the lookup icon, and select the REST method from the list or click New to define a new REST method.
    Integration script: The default integration script is SimpleRESTSecurityDataIntegration. It runs a simple REST call, saves the response as an attachment, and then returns the attachment to the processor. This script meets the needs of most organizations, but if you want, you can click the lookup icon and select a different integration script or define a new one.
    Integration factory script: If the Advanced check box is selected, this field displays the actual script for constructing the integration script. You can edit the script as needed. This ability is useful for custom implementations. Integrations in the base system usually do not need any custom constructor logic.
    Report processor: The default report processor is SimpleBlocklistProcessor. This script is a simple processor that accepts a simple blocklist (simple, meaning a single-column document with observables such as URLs or IP addresses) and creates observables. It uses the various Threat Details fields to determine which fields to set when observables are created.
    Processor factory script: If the Advanced check box is selected, this field displays the actual script for constructing the processor. You can edit the script as needed. This script is generally useful for custom implementations. The integrations in the base system usually do not need custom constructor logic.
7. Click Submit.
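To make the Threat Details defaults concrete, here is an added example (not the SimpleBlocklistProcessor shipped with the product) that processes a single-column blocklist the way the fields above describe: the configured Indicator, Indicator type, Attack Mode/Method, Observable Type and Weight fill in what the data does not provide, and when no Indicator is configured a new indicator is created for each observable. The blocklist text is constructed; inferring an observable type from the value's shape when no default is set, and skipping lines that start with '#', are my additions rather than documented behaviour.

```javascript
// Added example, not ServiceNow's SimpleBlocklistProcessor: applies the Threat Details
// defaults described on the page to a constructed single-column blocklist.

// Infer an observable type from the value's shape when the Observable Type default is empty
// (my addition; the page only says the configured default is used when the data has none).
function inferObservableType(value) {
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(value)) { return 'IP address'; }
  if (/^https?:\/\//i.test(value)) { return 'URL'; }
  if (/^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i.test(value)) { return 'File hash'; }
  return 'Unknown';
}

// Split a single-column document into trimmed, de-duplicated values.
// Blank lines and lines starting with '#' are skipped (my assumption about feed comments).
function parseBlocklist(text) {
  var seen = {};
  var values = [];
  text.split(/\r?\n/).forEach(function (line) {
    var v = line.trim();
    if (v === '' || v.charAt(0) === '#') { return; }
    if (!seen[v]) { seen[v] = true; values.push(v); }
  });
  return values;
}

// Create observables and indicators from a blocklist using the Threat Details fields:
//   indicator        - used for every observable when set; when empty, one new indicator per observable
//   indicatorType    - type given to indicators that are created
//   attackModeMethod - attack mode/method applied because the blocklist provides none
//   observableType   - observable type applied because the blocklist provides none
//   weight           - source weight carried on each observable for the confidence calculation
function processBlocklist(text, details) {
  var observables = [];
  var indicators = [];
  var sharedIndicator = null;
  if (details.indicator) {
    sharedIndicator = { name: details.indicator, type: details.indicatorType || null,
                        attackModeMethod: details.attackModeMethod || null, observables: [] };
    indicators.push(sharedIndicator);
  }
  parseBlocklist(text).forEach(function (value) {
    var obs = { value: value,
                type: details.observableType || inferObservableType(value),
                sourceWeight: details.weight };
    var ind = sharedIndicator;
    if (!ind) {
      // No Indicator configured: the page says a new indicator is created per observable.
      ind = { name: 'Indicator for ' + value, type: details.indicatorType || null,
              attackModeMethod: details.attackModeMethod || null, observables: [] };
      indicators.push(ind);
    }
    ind.observables.push(value);
    obs.indicator = ind.name;
    observables.push(obs);
  });
  return { observables: observables, indicators: indicators };
}

// Constructed sample feed: documentation-range addresses and a reserved example hostname,
// with a comment line, a blank line and a duplicate to exercise the parser.
var SAMPLE_BLOCKLIST = [
  '# constructed blocklist for the example',
  '198.51.100.23',
  '',
  '203.0.113.7',
  'http://example.invalid/dropper',
  '198.51.100.23'
].join('\n');
```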
Threat Intelligence monitoring

The Threat Intelligence overview provides several useful reports, as well as Really Simple Syndication (RSS) and Atom format feeds of security-related news. You can also configure a threat feed of security-related news.

Users with the sn_ti.read role or higher can use the Overview module to display threat information in the following reports. In each chart, you can point to any part of the chart (bar, pie, data point, and so on) to view general data specific to that part. If you click any part of a report, a list opens with detailed information.

Threat Intelligence Overview reports

Observables by Type (Last 30 Days): Bar chart. Count of recently seen observables, grouped by observable type.
Completed Lookups by Type (Last 30 Days): Bar chart. Count of completed lookups, grouped by lookup type.
Indicator Attack Modes/Methods (Last …): Bar chart. Count of attack modes/methods for each indicator. The counts are separated by type (for example, Feodo and Zeus).
Threat Feed: You can define any RSS news feed or bulletins to be displayed in a scrolling feed.

You can load new articles on demand by clicking the Refresh icon. You can also select the gear icon to set the amount of time between refreshes from the list field.

[Figure 8: Refresh interval]

Set up threat feeds

The threat feeds feature lets you define any RSS news feed or bulletins to be displayed in a scrolling feed. The format is configurable, and you can specify the number of days before articles are removed.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > Administration > Feeds.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Name: Enter the name of the news feed.
Max entries: Enter the maximum number of entries to be displayed by this news service.
Active: Select this field to make the news feed active. Multiple news feeds can be active.
Max age (days): Enter the maximum number of days each article remains in the feed before being removed.
URL: Enter the news feed URL.

4. Click Submit.

Attack modes and methods

Attack modes and methods, sometimes referred to as Tactics, Techniques, and Procedures (TTPs), are representations of how cyber adversaries behave. They characterize what these adversaries do and how they do it, in increasing levels of detail. For example, an attack mode/method might be to use malware to steal credit card credentials. Another, related tactic (at a lower level of detail) might be to send targeted emails with attachments that contain malicious code, which executes upon opening, captures credit card information from keystrokes, and uses HTTP to communicate with a command and control server to transfer the information.

Define an attack mode/method

Attack modes and methods are imported with STIX data, but you can add new modes/methods as needed.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Attack Mode/Method.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Title: Enter a descriptive name for this attack mode/method.
Malware Type: Select the malware type for this attack mode/method. The available malware types are retrieved from the vendor server as STIX data.
Source: Select the threat data source for this attack mode/method. Some data sources are included with the base system; you can create new data sources as needed.
Attack mechanism: Select the attack mechanism for this attack mode/method. Attack mechanisms represent the different techniques used to attack a system. The available attack mechanisms are retrieved from the vendor server as STIX data.
First Seen: This date is retrieved from the vendor server as STIX data.
Last Seen: This date is retrieved from the vendor server as STIX data.
Threat Actor Type: Select the threat actor type for this attack mode/method. Threat actor types characterize malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior. The available threat actor types are retrieved from the vendor server as STIX data.
Description: Enter a description of the attack mode/method.
Handling: Enter instructions for how to handle this attack mode/method.
Intended effect: Enter the intended effect of this type of attack.

4. Right-click in the form header and click Save.

You can view any of the following related lists for additional information.

Related Indicators: Lists related Indicators of Compromise (IoC) that have been identified by the threat source.
Child Attack mode/method: Lists attack modes/methods that are children of the parent attack mode/method.
Associated Tasks: Lists changes associated with the parent attack mode/method.

Add an IoC to an attack mode/method

In addition to importing indicators as STIX data, you can add IoCs to an attack mode/method manually.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Attack Mode/Method.
2. Click the attack mode to which you want to add an IoC.
3. Click the Related Indicators related list.
4. Click Edit.
5. As needed, use the filters to locate the IoC you want to add.
6. Using the slushbucket, add the IoC to the Related Indicators list.
7. Click Save.

Add a related attack mode/method

In addition to importing attack modes/methods as STIX data, you can add related attack modes/methods manually.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Attack Mode/Method.
2. Click the attack mode to which you want to add a related attack mode/method.
3. Click the Child Attack mode/method related list.
4. Click Edit.
5. As needed, use the filters to locate the attack mode/method you want to relate to the current one.
6. Using the slushbucket, add the attack mode/method to the Child Attack mode/method list.
7. Click Save.

Add an associated task to an attack mode/method

In addition to importing associated tasks (such as changes and incidents) as STIX data, you can add them to an attack mode/method manually.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Attack Mode/Method.
2. Click the attack mode to which you want to add an associated task.
3. Click the Associated Tasks related list.
4. Click Edit.
5. As needed, use the filters to locate the tasks you want to associate with the attack mode/method.

6. Using the slushbucket, add the task to the Associated Tasks list.
7. Click Save.

Indicators of compromise

Indicators of Compromise (IoC) are artifacts observed on a network or operating system that are likely to indicate an intrusion. Typical IoCs are virus signatures, IP addresses, MD5 hashes of malware files, URLs, and domain names. An IoC can be a single observable or a collection of observables (for example, a single known bad URL, or the presence of a specific file together with a couple of specific registry key values). After IoCs have been identified during incident response and computer forensics, they can be used for early detection of future attack attempts by intrusion detection systems and antivirus software.

View an IoC

IoCs, sometimes referred to as indicators, are most typically retrieved from a threat data source as STIX data. If needed, you can also create IoCs.

Role required: sn_ti.write

1. After the scheduled job has retrieved IoC data from the defined data source, navigate to Threat Intelligence > IoC Repository > Indicators. The retrieved IoCs are listed.
2. Click the IoC you want to view. The following information is displayed.

Title: A descriptive name for this indicator.
First Seen: The first date this indicator was observed in the system.
Last Seen: The most recent date this indicator was observed in the system.
Encountered count: The number of times the indicator has been encountered.
Sourced count: The number of times the indicator was imported from defined threat sources.
Notes: Any additional notes about the indicator. This field can also contain JSON key/value pairs.

You can click any of the following related lists to view additional information.

Related Observables: Lists observables that are linked to the current indicator.
Related Attack mode/method: Lists attack modes/methods that have been identified as related to this indicator.
Associated Type: Lists other indicator types that are associated with this IoC.
Indicator Sources: Lists the sources of this indicator, along with the confidence level of each source.
Associated Tasks: Lists all tasks, changes, and incidents associated with the IoC.

Indicator Metadata: If the Notes field contains valid JSON key/value pairs, they are parsed and displayed. If no JSON key/value pairs are present, or if the JSON is invalid, this related list is not displayed.

Add a related observable to an IoC

In addition to importing observables as STIX data, you can add related observables to an IoC manually.

Role required: sn_ti.write

1. Navigate to Threat Intelligence > IoC Repository > Indicators.
2. Click the indicator to which you want to add a related observable.
3. Click the Related Observables related list.
4. Click Edit.
5. As needed, use the filters to locate the observable you want to relate to the IoC.
6. Using the slushbucket, add the observable to the Related Observables list.
7. Click Save.

Add a related attack mode/method to an IoC

In addition to importing related attack modes/methods as STIX data, you can add related attack modes/methods to an IoC manually.

Role required: sn_ti.write

1. Navigate to Threat Intelligence > IoC Repository > Indicators.
2. Click the indicator to which you want to add a related attack mode/method.
3. Click the Related Attack mode/method related list.
4. Click Edit.
5. As needed, use the filters to locate the attack mode/method you want to relate to the IoC.
6. Using the slushbucket, add the attack mode/method to the Related Attack mode/method list.
7. Click Save.

Identify associated indicator types

If an IoC has no associated indicator types defined, it tracks all types of observables. If you associate one or more indicator types with an IoC, only observables of those types can be associated with it.

Role required: sn_ti.write

1. Navigate to Threat Intelligence > IoC Repository > Indicators.
2. Click the indicator to which you want to associate an indicator type.
3. Click the Associated Type related list.
4. Click Edit.
5. As needed, use the filters to locate the indicator type you want to associate with the IoC.
6. Using the slushbucket, add the indicator type to the Associated Type list.

7. Click Save.

Identify indicator sources

Indicator sources are normally tracked automatically as part of the threat import process, but more sources can be added manually.

Role required: sn_ti.write

1. Navigate to Threat Intelligence > IoC Repository > Indicators.
2. Click the indicator to which you want to add indicator sources.
3. Click the Indicator Sources related list.
4. Click Edit.
5. As needed, use the filters to locate the indicator source you want to associate with the IoC.
6. Using the slushbucket, add the indicator source to the Indicator Sources list.
7. Click Save.

Add associated tasks to an IoC

In addition to importing associated tasks (such as changes and incidents) as STIX data, you can add them to an IoC manually.

Role required: sn_ti.write

1. Navigate to Threat Intelligence > IoC Repository > Indicators.
2. Click the IoC to which you want to add an associated task.
3. Click the Associated Tasks related list.
4. Click Edit.
5. As needed, use the filters to locate the tasks you want to associate with the IoC.
6. Using the slushbucket, add the task to the Associated Tasks list.
7. Click Save.

Observables

Observables represent stateful properties (such as the MD5 hash of a file or the value of a registry key) or measurable events (such as the creation of a registry key or the deletion of a file) that are pertinent to the operation of computers and networks. Sets of cyber observables are useful for identifying indicators of compromise when they are combined with contextual information that represents the behaviors of cyber threats.

Define an observable

Observables are retrieved from the vendor server as STIX data. However, you can create observables as needed.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Observables.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Observable Type: Select the observable classification, such as an IP address or file hash. Observable types are defined in the Observable Types module.
Sighting count: The number of times the observable value has been encountered.
Is composition: If the Observable Type is set to anything other than Observable Composition and this new observable is a composition, select this check box. If the Observable Type is already set to Observable Composition, the check box is selected and read-only. An observable composition is an observable that contains child observables.
Operator: This field appears only when the Is composition check box is selected. It determines how the child observables are combined when deciding whether an associated indicator is present. Set it to AND if all child observables must be present for the indicator to be considered present; set it to OR if the presence of any one child observable is enough.
Must not be present: If selected, the absence of the observable is the potential issue (for example, a missing registry key).
Location: Using the settings in two properties and a script include definition, you can load geolocation information for IP addresses and websites into this field.
Value: The value (for example, IP address or hash) associated with the observable.
Note: If a lookup on an IP address or hash returns malware or some other failure, the IP address or hash value is automatically added to the Observable [sn_ti_observable] table, so it can be searched for from the Observables form.
Notes: Enter any additional notes about the observable.

4. Right-click in the form header and click Save.

You can now click any of the following related lists to view additional information.

Related Indicators: Lists indicators that have been identified by the threat source.
Associated Tasks: Lists changes associated with the observable.
Child Observables: Lists related observables that have been identified by the threat source.
Matching Resources for IP: If the observable is an IP address, this list shows any resources (configuration items) that have a matching IP address.

Observable Sources: Lists the sources of this observable, along with the confidence level of each source.

Add a related IoC to an observable

In addition to importing indicators as STIX data, you can relate IoCs to an observable manually.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Observables.
2. Click the observable to which you want to add a related IoC.
3. Click the Related Indicators related list.
4. Click Edit.
5. As needed, use the filters to locate the indicator you want to relate to the observable.
6. Using the slushbucket, add the indicator to the Related Indicators list.
7. Click Save.

Add associated tasks to an observable

In addition to importing associated tasks (such as changes and incidents) as STIX data, you can add them to an observable manually.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Observables.
2. Click the observable to which you want to add an associated task.
3. Click the Associated Tasks related list.
4. Click Edit.
5. As needed, use the filters to locate the tasks you want to associate with the observable.
6. Using the slushbucket, add the task to the Associated Tasks list.
7. Click Save.

Add a related observable

In addition to importing observables as STIX data, you can add related observables manually.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Observables.
2. Click the observable to which you want to add a related observable.
3. Click the Child Observables related list.
4. Click Edit.
5. As needed, use the filters to locate the observable you want to relate to the current one.
6. Using the slushbucket, add the observable to the Child Observables list.
7. Click Save.
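How the Is composition, Operator and Must not be present settings on the Observable form combine when an indicator's presence is decided, written out as an added example in plain JavaScript. It is not part of the ServiceNow product: the indicator tree, the registry paths, the marker file, the hash and the per-host observations are all constructed placeholders.

```javascript
// Added example, not ServiceNow code: evaluates an observable tree using the
// Is composition, Operator (AND/OR) and Must not be present settings from the
// Observable form. The indicator, observables and host observations are
// constructed; the registry paths and hash are placeholders.

// Leaf observable: {type, value, mustNotBePresent}
// Composition:     {isComposition: true, operator: 'AND'|'OR', children, mustNotBePresent}
function leaf(type, value, mustNotBePresent = false) {
  return { type, value, mustNotBePresent };
}
function composition(operator, children, mustNotBePresent = false) {
  return { isComposition: true, operator, children, mustNotBePresent };
}

// Observations from a host are keyed as "type|value" (case-folded) for matching.
function observationKey(type, value) {
  return type + '|' + value.toLowerCase();
}
function observationSet(observations) {
  return new Set(observations.map(o => observationKey(o.type, o.value)));
}

// Returns true when the observable (and, recursively, its children) is
// satisfied by the observed set. "Must not be present" inverts the result,
// so a missing registry key or file can itself be the indicator.
function observablePresent(observable, observed) {
  let present;
  if (observable.isComposition) {
    const results = observable.children.map(c => observablePresent(c, observed));
    present = observable.operator === 'AND' ? results.every(Boolean) : results.some(Boolean);
  } else {
    present = observed.has(observationKey(observable.type, observable.value));
  }
  return observable.mustNotBePresent ? !present : present;
}

// Constructed indicator: dropper hash AND one of two persistence keys AND
// the absence of a marker file that a hypothetical remediation would leave.
const RUN_KEY = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater';
const RUNONCE_KEY = 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Updater';
const MARKER_FILE = 'C:\\ProgramData\\patched.marker';

const DROPPER_INDICATOR = composition('AND', [
  leaf('SHA-256', 'a'.repeat(64)),
  composition('OR', [leaf('Registry key', RUN_KEY), leaf('Registry key', RUNONCE_KEY)]),
  leaf('File path', MARKER_FILE, true),
]);

// Constructed host observations.
const HOST_OBSERVATIONS = {
  hostA: [
    { type: 'SHA-256', value: 'A'.repeat(64) },          // hash case differs, still matches
    { type: 'Registry key', value: RUN_KEY },
  ],
  hostB: [{ type: 'SHA-256', value: 'a'.repeat(64) }],   // hash only, no persistence
  hostC: [
    { type: 'SHA-256', value: 'a'.repeat(64) },
    { type: 'Registry key', value: RUNONCE_KEY },
    { type: 'File path', value: MARKER_FILE },            // marker present: indicator not satisfied
  ],
};

function indicatorPresentOn(hostName) {
  return observablePresent(DROPPER_INDICATOR, observationSet(HOST_OBSERVATIONS[hostName]));
}

Object.keys(HOST_OBSERVATIONS).forEach(h => console.log(h, indicatorPresentOn(h)));
```

Nesting compositions is what lets one indicator express "hash AND (either persistence key)"; note that the must-not-be-present leaf is only meaningful when the collection actually covers that artefact, since an unobserved path and a confirmed absence look the same to the evaluator.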

Load more IoC data

Depending on settings in two properties and a script include definition, you can load geolocation information for IP addresses and websites into the Observables form. With further customization, you can also add other information, such as country codes and city names.

The following two properties must be set:
- The domain name used to retrieve additional information for IP addresses/URLs [sn_ti.ip_lookup.web_site]
- The API key to be used for the above domain, if any [sn_ti.ip_lookup.api_key]

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Observables.
2. Click the IP address or URL of the observable for which you want to view more IoC data. The Location field shows the geolocation of the IoC.
3. Click the Enrich data button to load the additional IoC data.

You can also configure the Observable form to add other location-related fields, such as the country code and city code.

Note: To load more location-related information, edit the ThreatAdditionalInfo script include and provide the appropriate API key from the website that provides the additional information.

Identify observable sources

If an observable has no sources defined, it uses all types of sources. If you add one or more threat sources to an observable, only those sources are used.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Repository > Observables.
2. Click the observable to which you want to add observable sources.
3. Click the Observable Sources related list.
4. Click Edit.
5. As needed, use the filters to locate the source you want to associate with the observable.
6. Using the slushbucket, add the observable source to the Observable Sources list.
7. Click Save.

Threat lookups

Lookups allow you to scan and identify potential threats.

Third-party lookup sources

Threat Intelligence integrates with third-party threat lookup sources to identify potential threats. While a lookup is processing, or when it is complete, you can click the reference link to open the third-party website and view the results of the lookups performed. You can add new threat lookup sources as needed.

Define supported lookup types

When a lookup source supports a certain type of lookup (such as URL, IP, file, or file hash value), you must add that type to the lookup source record.

Role required: sn_ti.admin

Aside from pairing a lookup source with a supported lookup type, the lookup type is responsible for providing the instantiation scripts that perform the lookup for the given type. This is represented by two script fields, Integration factory script and Processor factory script, on the Supported lookup type form. Lookup types for File, Hash, IP, and URL are provided.

1. Navigate to Threat Intelligence > IoC Lookup > Lookup Types.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 65: Lookup types
Lookup type name: Provide a name for the lookup type.
Default lookup source: Select a default lookup source from the list of supported lookup sources. When a user submits a lookup request from the security incident catalog and specifies this lookup type, the default lookup source for that type is used.
Lookup type description: Enter a description of the lookup type.

4. Click Submit.

Add a lookup source

You can set up a new lookup source, associate it with supported lookup types, and set a lookup rate limit, as needed.

Role required: sn_ti.admin

Before you can add a third-party lookup source service, you must obtain a license to use that service and, often, an API key to facilitate the integration.

1. Navigate to Threat Intelligence > IoC Lookup > Lookup Sources.
2. Click New.
3. Fill in the fields, as needed.

Table 66: Malware Scanners
Name: Enter a name for the threat lookup source.
Application: The type of scoped application.
Active: Select this check box to activate this threat lookup source.

4. Right-click in the form header and click Save.
5. In the Supported lookup types related list, click New.

6. Fill in the fields, as needed.

Table 67: Supported lookup type
Lookup Source: Auto-fills with the name of the lookup source you are defining.
Include in bulk lookup: Select this check box to include this lookup type in bulk lookups by this lookup source.
Lookup type: Select an existing supported lookup type, or click the magnifying glass and then New to define a new supported lookup type.
Integration factory script: Enter a script that constructs the lookup source integration implementation, which is defined by a script include. The script include extends sn_sec_cmn.ScannerIntegrationBase and provides the mechanism that makes lookup requests and report requests to a threat lookup engine. The last line of the script is the constructed integration implementation.
Processor factory script: Enter a script that constructs the lookup report processing implementation, which is defined by a script include. The script include extends sn_sec_cmn.ScannerProcessorBase and provides the mechanism that processes a lookup report from a threat lookup engine. The last line of the script is the constructed processor implementation.

7. If you want to make this lookup type the default for this lookup source, right-click in the form header, click Save, then click Make default. Otherwise, click Submit.
8. Repeat steps 5 through 7 for each supported lookup type you want to associate with this lookup source.
9. If you want to define a lookup source rate limit, click the Source rate limit related list.

Scripts for threat lookup source supported lookup types

Two types of script include, an integration script and a processor script, are used to define the supported lookup types of a threat lookup source. These script includes are instantiated by scripts entered on the Supported lookup type form.

When you define a new supported lookup type, two scripts are used to build the integration and processor implementations: the Integration factory script and the Processor factory script.

Integration factory script

The Integration factory script constructs a script include that extends the sn_sec_cmn.ScannerIntegrationBase script include. That script include defines the logic that sends a request to the threat lookup source and retrieves the results of previously submitted lookups. At a minimum, it defines the following methods:

    sendData: function(scanGr) {
        // Logic that sends data to the lookup source goes here.
        // Additionally, this should update the lookup request with state information
        // depending on whether the send was successful.
    }

    retrieveData: function(scanGr) {
        // Logic that gets report data from the lookup source goes here.
        // This should return the report information that is passed to the processor script.
    }

After the script include that extends sn_sec_cmn.ScannerIntegrationBase is written and implements the sendData and retrieveData methods, add the instantiation logic to the Integration factory script field of the supported lookup type record. Although the field can contain any logic you want, its last line must be the instantiated integration object. For example, if you create an integration script include in the global scope named "MyIPScannerIntegration" that takes no constructor arguments, the last line of the Integration factory script field would be:

    new global.MyIPScannerIntegration();

Processor factory script

The Processor factory script constructs a script include that extends the sn_sec_cmn.ScannerProcessorBase script include. That script include defines the logic that handles the value returned by the integration's retrieveData call. At a minimum, it defines the following method:

    process: function(data, scanGr) {
        // Logic that processes the report data provided in "data" goes here.
        // This should create lookup result records if the vendor found problems.
        // Additionally, the state of the Lookup record should be updated if the lookup is complete,
        // or if it encounters an error that is not cleared by subsequent calls to the server.
    }

After the script include that extends sn_sec_cmn.ScannerProcessorBase is written and implements the process method, add the instantiation logic to the Processor factory script field of the supported lookup type record. As with the Integration factory script, the field can contain any logic you want, but its last line must be the instantiated processor object.
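A runnable model of the integration/processor pair, added here as an example and not ServiceNow's sn_sec_cmn code: the ScannerIntegrationBase and ScannerProcessorBase parents, the lookup source and its report format, the lookup record shape and the factory functions are all constructed stand-ins so that it runs in Node rather than on the platform. It shows the state handling the method comments above ask for: a report that is not ready leaves the lookup in Processing, a source error is recorded as Error, a value the source has never seen completes as Unknown, and detections become lookup result records.

```javascript
// Added example, not ServiceNow's sn_sec_cmn code: a plain-JavaScript model of
// the integration (sendData/retrieveData) and processor (process) pair that a
// supported lookup type instantiates. The lookup source, its report format and
// the lookup record shape are constructed stand-ins, and the factory functions
// play the role of the "last line" of the factory script fields.

// Constructed stand-in for the third-party source, keyed by hash value.
const FAKE_LOOKUP_SOURCE = {
  ['a'.repeat(64)]: { status: 'done', verdict: 'malicious', detections: ['Trojan.Generic', 'Dropper.A'] },
  ['b'.repeat(64)]: { status: 'done', verdict: 'clean', detections: [] },
  ['c'.repeat(64)]: { status: 'pending' },
  ['d'.repeat(64)]: { status: 'error', message: 'quota exceeded' },
};

function newLookup(number, type, value) {
  return { number, type, value, state: 'Requested', statusMessage: '', reference: null, results: [] };
}

class HashLookupIntegration {
  // sendData: submit the value and update the lookup's state to reflect success or failure.
  sendData(lookup) {
    if (lookup.type !== 'Hash') {
      lookup.state = 'Error';
      lookup.statusMessage = 'Lookup type not supported by this source: ' + lookup.type;
      return false;
    }
    lookup.reference = 'https://lookup.example.invalid/report/' + lookup.value; // constructed URL
    lookup.state = 'Processing';
    return true;
  }
  // retrieveData: fetch the report; whatever is returned is handed to the processor.
  retrieveData(lookup) {
    return FAKE_LOOKUP_SOURCE[lookup.value] || { status: 'done', verdict: 'unknown', detections: [] };
  }
}

class HashReportProcessor {
  // process: turn the report into lookup results and a final state.
  process(data, lookup) {
    if (data.status === 'pending') {
      return lookup.state; // report not ready; stay in Processing and poll again later
    }
    if (data.status === 'error') {
      lookup.state = 'Error'; // not cleared by later calls, so record it now
      lookup.statusMessage = data.message;
      return lookup.state;
    }
    if (data.verdict === 'malicious') {
      data.detections.forEach(d => lookup.results.push({ lookup: lookup.number, detection: d }));
      lookup.statusMessage = data.detections.length + ' detection(s)';
    } else if (data.verdict === 'clean') {
      lookup.statusMessage = 'No detections';
    } else {
      lookup.statusMessage = 'Unknown'; // value never seen by the source
    }
    lookup.state = 'Complete';
    return lookup.state;
  }
}

// Equivalent of the factory script fields: the last expression is the object.
function integrationFactory() { return new HashLookupIntegration(); }
function processorFactory() { return new HashReportProcessor(); }

// One send/retrieve/process cycle for a lookup record.
function runLookup(lookup) {
  const integration = integrationFactory();
  const processor = processorFactory();
  if (integration.sendData(lookup)) {
    processor.process(integration.retrieveData(lookup), lookup);
  }
  return lookup;
}

['a', 'b', 'c', 'd', 'e'].forEach((ch, i) =>
  console.log(JSON.stringify(runLookup(newLookup('SCN000' + (i + 1), 'Hash', ch.repeat(64))))));
console.log(JSON.stringify(runLookup(newLookup('SCN0006', 'IP', '198.51.100.23'))));
```

Keeping the integration ignorant of verdicts and the processor ignorant of transport is what makes a vendor swap a one-field change on the Supported lookup type record: only the factory scripts, and the two script includes they instantiate, differ per source.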
For example, if you create a processor script include in the global scope named "MyIPReportProcessor" that takes no constructor arguments, the last line of the Processor factory script field would be:

    new global.MyIPReportProcessor();

Lookup source rate limits

You can define the rate at which different types of lookups are performed, to limit the number of requests sent to an external lookup source. After you have defined rate limits, you can apply them to different lookup sources.

Define rate limits

You can define the rate at which different types of lookups are performed, to balance the load in your lookup queue. Conditions defined in the rate limit determine whether it applies to a given queued entry.

Role required: sn_vul.admin

1. Navigate to Threat Intelligence > IoC Lookup > Rate Limit Definitions.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 68: Rate limit definition
Name: Provide a descriptive name that identifies the conditions the queue entry must meet. For example, Requests per minute or IP/URL/File requests per hour.
Queue conditions: Enter the conditions used to determine whether a queued lookup entry is subject to this rate limit. The conditions should not be specific to a particular lookup source.
Evaluation script: Write a script with the logic to evaluate the queued entry. The script must return true or false to indicate whether the entry is processed. The evaluation script runs against the queued entry being evaluated.

4. Click Submit.

[Figure: an example of a rate limit definition]
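An added example, not ServiceNow code, of how a rate limit definition's queue condition and true/false evaluation script interact with the per-source thresholds that are applied to lookup sources when queued lookups are dispatched. The definition names, the vendors, the thresholds, the timestamps (plain seconds) and the queue contents are constructed.

```javascript
// Added example, not ServiceNow code: a plain-JavaScript model of rate limit
// definitions (a queue condition plus an evaluation script returning true or
// false) and the per-source thresholds applied to them. Definition names,
// vendors, timestamps and the queue contents are constructed.

// Rate limit definitions. appliesTo models the Queue conditions; evaluate
// models the Evaluation script and must return true (dispatch) or false (wait).
const RATE_LIMIT_DEFINITIONS = {
  'Requests per minute': {
    appliesTo: () => true,
    evaluate: (entry, dispatched, threshold, now) =>
      dispatched.filter(d => d.source === entry.source && now - d.at < 60).length < threshold,
  },
  'File requests per hour': {
    appliesTo: entry => entry.type === 'File',
    evaluate: (entry, dispatched, threshold, now) =>
      dispatched.filter(d => d.source === entry.source && d.type === 'File' && now - d.at < 3600).length < threshold,
  },
};

// Source rate limits: which definition applies to which source, and at what threshold.
const SOURCE_RATE_LIMITS = [
  { source: 'Vendor A', rateLimit: 'Requests per minute', threshold: 2 },
  { source: 'Vendor A', rateLimit: 'File requests per hour', threshold: 1 },
];

// An entry may be dispatched only if every limit bound to its source allows it.
function canDispatch(entry, dispatched, now) {
  return SOURCE_RATE_LIMITS
    .filter(limit => limit.source === entry.source)
    .every(limit => {
      const def = RATE_LIMIT_DEFINITIONS[limit.rateLimit];
      return !def.appliesTo(entry) || def.evaluate(entry, dispatched, limit.threshold, now);
    });
}

// One pass over the queue at time `now` (seconds). Dispatched entries are
// appended to `dispatched` as they go, so later entries in the same pass see them.
function drainQueue(queue, dispatched, now) {
  const sent = [];
  const remaining = [];
  for (const entry of queue) {
    if (canDispatch(entry, dispatched, now)) {
      dispatched.push({ source: entry.source, type: entry.type, at: now });
      sent.push(entry.number);
    } else {
      remaining.push(entry);
    }
  }
  return { sent, remaining };
}

// Constructed queue: four entries for a rate-limited vendor, one for a vendor without limits.
const SAMPLE_QUEUE = [
  { number: 1, source: 'Vendor A', type: 'IP' },
  { number: 2, source: 'Vendor A', type: 'File' },
  { number: 3, source: 'Vendor A', type: 'URL' },
  { number: 4, source: 'Vendor A', type: 'File' },
  { number: 5, source: 'Vendor B', type: 'IP' },
];

// Two passes 70 seconds apart: the per-minute window has cleared, the per-hour one has not.
function demo() {
  const dispatched = [];
  const first = drainQueue(SAMPLE_QUEUE, dispatched, 1000);
  const second = drainQueue(first.remaining, dispatched, 1070);
  return { first: first.sent, second: second.sent, stillQueued: second.remaining.map(e => e.number) };
}
console.log(JSON.stringify(demo()));
```

Because the definitions know nothing about Vendor A or Vendor B, the same "Requests per minute" definition can be bound to several sources with different thresholds, which is the reason the table above tells you to keep queue conditions source-independent.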

Apply lookup rate limits to lookup sources

After you have defined lookup rate limits using Lookup source rate limits on page 229, you can apply rate limits to specific lookup sources.

Role required: sn_ti.admin

1. Navigate to Threat Intelligence > IoC Lookup > Source Rate Limits.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 69: Lookup Source rate limit
Lookup source: Select the lookup source to which you want to apply a rate limit.
Rate limit: Select the rate limit you want to apply to this lookup source.
Threshold: Enter the threshold to which the selected lookup source is subject for the selected rate limit. For example, if the lookup source allows 4 lookups per minute and the rate limit is defined as requests per minute, the threshold is 4.

4. Click Submit.

IoC lookups

IoC lookups can be performed to find known malware and suspicious URLs and IP addresses. These lookups can be initiated from the catalog, via email, or by creating a lookup request for the files, file hashes, URLs, or IP addresses you want to check. The lookups are performed by the appropriate third-party lookup source. After threat lookups have completed, an email notification is sent to the requester.

Submit an IoC Lookup request with Threat Intelligence

If you suspect that websites, files, or links to IP addresses you have received contain malware or other threats, you can create a lookup request. Lookups can also be initiated from security incidents, from the Security Incident Catalog, or in the form of forwarded emails.

Role required: sn_ti.write

If the Security Incident Response plugin is activated, you can submit threat lookup requests using the following procedure, or you can perform the lookup from within the Security Incident Response module.

1. Navigate to Threat Intelligence > IoC Lookup > Lookups. The Lookups list shows all lookups, including those that have not yet executed and those that are complete.
Each lookup includes an automatically generated lookup name that identifies the file, hash value, URL, or IP address selected.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Note: Not all fields are supported by all integrated lookup sources.

Table 70: IoC Lookup
Number: The auto-generated record number for this request.
Lookup Source: Select the third-party lookup source used for this lookup.
Type: Select the type of lookup to perform. Only lookup types defined for the selected lookup source are available.
Note: If you do not want to upload potentially sensitive files to look for malware, you can select the Hash type, if it is supported by the selected lookup source. Also, if you submit the File lookup type from the Security Incident Catalog and the property "For File lookup requests from lookup requests, lookup only their hash values" is set to True, the hash of the file is submitted for lookup instead of the file.
Attachment queued for lookup: Select the attachment for lookup. This field appears only if File or Hash is selected in the Type field.
Value: The hash, IP address, or URL to look up. This field appears if you selected Hash, IP, or URL in the Type field.
Note: If you selected Hash or File in the Type field and selected an attachment for lookup, the Value field is read-only. When the record is saved, the Value field is updated with the SHA-256 hash of the selected file.
State: The current state of the request.
Time requested: The date and time the request was created.
Requested by: The name of the requester.
Status message: A status message generated by the third-party lookup source.
Reference: The URL of the third-party lookup source.
Raw response: The raw results of the lookup from the selected lookup source. To view this field, you must personalize the form and add the Raw response field.

4. If you want to look up files, click the paperclip icon in the form header, then locate and attach the files you want to look up.

Note: Files have a 5 MB size limit. If you attach a larger file, the lookup does not run and the State field in the lookup record shows Error.

5. Click Submit.

After you have submitted the request, you can View the lookup queue on page 237 to determine the status of the lookup request.

[Figure: a completed lookup record]

Note: If a lookup on an IP address or a hash returns malware or some other failure, the IP address or hash value is automatically added to the Observable [sn_ti_observable] table, so it can be searched for from the Observables form.

235 Submit an IoC Lookup request from the Security Incident Catalog If the Security Incident Response plugin is activated, you can submit threat lookups for files, hash values, URLs, and IP addresses from the Security Incident Catalog. The requests are submitted and you can view the results in the My Requests module. Role required: none Lookups are automatically performed for the default lookup type for each lookup source listed in the lookup record. The results of the lookup request are available in the My Requests module Navigate to Self-Service > Security Incident Catalog. Click IoC Lookup. Click Lookup files, hash values, URLs or IP addresses. Enter one or more of the following: Table 71: IoC Lookup request Item to lookup Files Click the paperclip icon, then locate and attach the files you want to lookup. Note: By default, the Lookup Type for File is inactive. Files are converted and submitted as a hash value. URLs In the URLs field, enter the URLs you want to lookup, separated by commas. For example: IP addresses In the IP addresses field, enter the IP addresses you want to lookup, separated by commas. Hash values In the Hash values field, enter the hash values you want to lookup, separated by commas. Note: When the Lookup Type for File is inactive, this value is the default action for both File and Hash values When you have made your selections, click Submit. To view the status and/or results of the lookups, navigate to Self-Service > My Requests. Click the SR number for the request. The work notes under Activity list the tasks performed during the lookup, including the creation of individual lookups for each file, hash value, URL, or IP address, and the lookup results. Submit an IoC Lookup request from a security incident If your security incident has attachments, they can be easily found with the press of a button. For automatic IoC lookups, the Threat Intelligence plugin must be activated. 
Role required: sn_si.basic

Note: By default, the Lookup Type for File is inactive.

1. Create a new security incident, or open an existing one if you intend to attach new files to it.
2. Click the paperclip icon in the form header and attach one or more files.

3. When you have completed your entries on the form, right-click the form header and click Save. After the record has been saved, a Lookup attachments button appears.
4. Click Lookup attachments. Note: The work notes under Incident Details report the progress of the lookup process.
5. You can click the lookup number at the end of the message to view the lookup record. You can click the Lookup reference link to view detailed results.

Automatic lookup of suspicious emails for threats

Threat Intelligence allows you to automatically handle the checking of suspicious emails for malware.

Role required: admin

The first step is to provide the email address that users are instructed to forward their suspicious emails to. By setting up an email address for your users to forward suspicious emails to, the emails are automatically sent to the lookup source, and IP addresses and URLs are parsed and validated. Security incidents can be created to follow up on any emails with attached malware or links to known bad websites. Regardless of the results, a reply is sent to the requester with the results of the lookup.

1. Navigate to System Policy > Email > Inbound Actions.
2. Locate and open Scan for threats.
3. Scroll down to the Conditions section.
4. In the To condition, enter an alias or portion of the email address to which users can forward emails with suspicious attachments, URLs, or IP addresses for lookup purposes.
5. Click Update.

A lookup request is created to look up the files attached to the email. If the lookup results in the discovery of malware, a security incident can be created. Either way, a reply is sent to the requester with the results of the lookup.

View the lookup queue

When lookup requests have been submitted to a third-party integration, the requests are queued so as not to overload system resources. You can view the status of queued requests, as needed.

Role required: sn_ti.admin

In the list of queued lookups, each lookup includes an automatically generated lookup name that identifies the file, hash value, URL, or IP address in the lookup.

1. Navigate to Threat Intelligence > IoC Lookup > Lookup Queue. All lookup requests that have been submitted are shown in a list. The State column shows the current state of each queued entry. A state of Complete indicates that the lookup has left the queue. It does not necessarily indicate that the lookup has completed processing. When the lookups have been completed or if they have failed, the Processing column shows the appropriate work notes text.
Note: If a hash value was submitted for lookup and the lookup source fails to find a result, the State shows Complete and the work note in the Processing column indicates Unknown.
2. After a lookup has finished processing, click a queued record to view details for the lookup request.

View lookup results

Regardless of the method used to submit a lookup request (via a security incident or the catalog, or from a forwarded email), you can view results in a couple of ways.

Role required: sn_ti.admin

The easiest way to view the results of your lookup request is to look at the lookup request itself.

1. Navigate to Threat Intelligence > IoC Lookup > Lookups. The Lookups screen lists the individual lookups performed. If you requested more than one item of a particular type to look up, each item produces its own lookup (SCN) record. For example, if you entered two URLs to look up, the Lookups screen lists one record for each URL. The State column shows the current state of each record, that is, whether it is still performing a lookup. The Result column shows whether each lookup passed, failed, or is pending.
2. Click the lookup number of the lookup for which you want to view details. The Reason field provides a plain text reason for the result of the lookup.

IoC Lookup email notifications

After lookups have completed, an email notification is sent to the requestor if that person has email notifications enabled. The content of the email depends on the type of lookup being performed.

Email notifications for IP address lookups

If threats are found after one or more IP address lookups, an email notification is sent to the requestor if that person has email notifications enabled. Here is a sample email notification for an IP address lookup.

[Figure: Sample email notification for an IP address lookup]

The email notification includes the following elements:
- The header of the email includes the lookup record number, the IP address, and the name of the lookup source used. If more than one lookup source was used, the email includes a section for each one.
- Each line in the email identifies:
  - The URL used by the IP address lookup.
  - The number of threats found in the URL out of the total number of lookup sources used. For example, 8/67 used by means that 67 lookup sources were used to look up the IP address in the indicated URL, and 8 threats were encountered.

Email notifications for URL lookups

If threats are found after one or more URL lookups, an email notification is sent to the requestor, if that person has email notifications enabled. Here is a sample email notification for a URL lookup.

[Figure 10: Sample email notification for a URL lookup]

The email notification includes the following elements:
- The header of the email includes the lookup record number, the URL, and the name of the lookup source used. If more than one lookup source was used, the email includes a section for each one.
- Each line in the email identifies the engine that found a threat.

Email notifications for hash lookups

If threats are found after one or more hash lookups, an email notification is sent to the requestor if that person has email notifications enabled. Here is a sample email notification for a hash lookup.

[Figure: Sample email notification for a hash lookup]

The email notification includes the following elements:
- The header of the email includes the lookup record number, the hash being looked up, and the name of the lookup source used. If more than one lookup source was used, the email includes a section for each lookup source.
- Each line in the email identifies:
  - The engine that found a threat.
  - The identifier for the known threat.

Threat Intelligence administration

The Threat Intelligence base system is ready to use upon activation. You can add records to certain modules in the Administration application menu, but most are already populated with industry-standard information.

The following applications are available under the Administration module of the Threat Intelligence navigation bar:

Table 72: Threat Intelligence administration applications

Properties: Threat Intelligence properties allow you to control how different aspects of the system function, including the setting of API keys.
Attack Mechanism: This module organizes attack patterns hierarchically, based on mechanisms that are frequently employed when exploiting a vulnerability.
Discovery Method: This module describes how security incidents are discovered.
Feeds: The Threat feeds feature allows you to define any RSS news feed or bulletins to be displayed in a scrolling feed in the Threat Intelligence Overview module.
Indicator Types: This module is used to characterize cyber threat indicators made up of patterns that identify certain observable conditions, as well as contextual information about the meaning of the patterns, and how and when they are acted upon.
Intended Effect: This application is used for expressing the intended effect of a threat actor.
Notifications: This module is used for creating notifications. This involves specifying when they are sent, who receives them, and what they contain.
Observable Types: This module lists the possible classifications of an observable, such as an IP address or file hash.
Threat Actor Type: This module characterizes malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior.

Threat Intelligence Orchestration

With Threat Intelligence Orchestration activities, you can determine whether a threat occurred before in other security incidents or on other systems using workflow orchestration.

For more information on editing Threat Intelligence Orchestration workflows or creating custom workflows, see Getting started with workflows and Workflow editor.

Set up Threat Intelligence Orchestration

In order to use activities within workflows, you must first set up Threat Intelligence Orchestration. You need a fully populated CMDB with domain names to use Threat Intelligence Orchestration. For more information, see Discovery.

Role required: admin

Prior to using Threat Intelligence Orchestration, perform steps to set up various parts of the system, including populating the CMDB, configuring the MID Server, and configuring credentials.

1. Activate the Threat Intelligence plugin.
2. Configure the MID Server.
3. Configure MID Server service credentials.

You are now ready to use Threat Intelligence Orchestration activities within a workflow.

Threat Intelligence Orchestration workflows and activities

Several workflows are included with Threat Intelligence Orchestration. Workflows and activities automate and expedite your processes. Use workflows and activities to run IoC lookups, populate lookups, perform IoC lookup activities, and more.

Threat Intelligence - Run IoC Lookup workflow

The Threat Intelligence - Run IoC Lookup workflow can populate a lookup with an observable, perform an IoC lookup, update an observable with results, and more. This workflow helps you log information and accelerates the investigation and remediation process.

Note: This workflow replaces the Threat Intelligence Orchestration business rules Populate with existing IoC tables, Queue the lookup, and Update observable with activities. If a lookup is inserted or updated and meets the conditions, the Lookup business rule triggers this workflow.

Role required: sn_si.basic

The Threat Intelligence - Run IoC Lookup workflow checks for an unexpired observable and, if found, sets the lookup to Complete and updates it with the data from the observable. Any indicators associated with the observable are reactivated.
If the observable is expired, the workflow runs the lookups and increments the Sighting count in the existing, expired observable. If no correlating observable exists, a new observable with an indicator is created.

Workflow process activities include:
- Populate lookup with observable activity on page 244
- Perform IoC Lookup activity on page 244
- Wait for lookup (core activity)
- Update observable with lookup result activity on page

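The Perform IoC Lookup step in the workflow above hands each lookup to the Lookup Queue, whose state semantics are described under View the lookup queue: State becomes Complete as soon as an entry leaves the queue, the Processing work note appears only once the lookup source has answered, and a hash the source cannot find is reported as Unknown. The following added example, not ServiceNow code, models that queue in memory with a per-source rate limit so that a batch of lookups is released to the source in windows rather than all at once. The source name, the window length, the catalogue of answers and the digests used as sample values are assumptions made for the example.

```javascript
// Added example (not ServiceNow code): an in-memory model of the Lookup Queue.
// Entries leave the queue (State = Complete) when they are handed to the
// lookup source within its rate limit; the Processing note is written when
// the source answers, and an unknown hash yields "Unknown".
const WINDOW_MS = 60 * 1000;

// Constructed lookup sources with a rate limit (max requests per window).
const SOURCES = { 'source-a': { maxPerWindow: 2 } };

// Stand-in for the source's answers. The keys are the well-known digests of
// an empty input (MD5, SHA-256), used here only as sample values.
const SOURCE_CATALOG = {
  'source-a': {
    'd41d8cd98f00b204e9800998ecf8427e': { threats: 0 },
    'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855': { threats: 3 },
  },
};

function createQueue() {
  // dispatched records when each request went to which source
  return { entries: [], dispatched: [] };
}

function enqueue(queue, scanId, source, type, value) {
  queue.entries.push({ scanId, source, type, value, state: 'Queued', processing: '' });
}

// Requests already sent to a source inside the current window.
function sentInWindow(queue, source, now) {
  return queue.dispatched.filter(d => d.source === source && now - d.at < WINDOW_MS).length;
}

// Work-note text for the Processing column, as the page describes it.
function queryLookupSource(entry) {
  const hit = (SOURCE_CATALOG[entry.source] || {})[entry.value];
  if (!hit) return 'Unknown';
  return hit.threats > 0 ? `Threats found: ${hit.threats}` : 'No threats found';
}

// Dispatch as many queued entries as the per-source rate limits allow.
// Returns the number of entries dispatched in this pass.
function dispatch(queue, now) {
  let count = 0;
  for (const entry of queue.entries) {
    if (entry.state !== 'Queued') continue;
    const limit = SOURCES[entry.source].maxPerWindow;
    if (sentInWindow(queue, entry.source, now) >= limit) continue;
    queue.dispatched.push({ source: entry.source, at: now });
    entry.state = 'Complete';                    // left the queue, not yet "processed"
    entry.processing = queryLookupSource(entry); // work note once the source answers
    count += 1;
  }
  return count;
}

function queuedCount(queue) {
  return queue.entries.filter(e => e.state === 'Queued').length;
}

// Usage: three hash lookups against a source that accepts two per window.
const q = createQueue();
enqueue(q, 'SCN0001', 'source-a', 'Hash', 'd41d8cd98f00b204e9800998ecf8427e');
enqueue(q, 'SCN0002', 'source-a', 'Hash', 'ffffffffffffffffffffffffffffffff');
enqueue(q, 'SCN0003', 'source-a', 'Hash', 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855');
const t0 = 1000000;
console.log('first pass dispatched', dispatch(q, t0), 'still queued', queuedCount(q));
console.log('next window dispatched', dispatch(q, t0 + WINDOW_MS), 'still queued', queuedCount(q));
```

Separating the State transition from the Processing note is the point of the model: an operator reading State = Complete knows only that the entry has been sent, and must read the Processing column to learn whether the source returned a verdict, no verdict (Unknown), or nothing yet.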

Populate lookup with observable activity

The Threat Intelligence Orchestration - Populate lookup with observable workflow activity accelerates the investigation and remediation process by supplying data from an existing observable to a lookup when an unexpired observable is found.

When triggered by the Threat Intelligence Orchestration - Run IoC Lookup workflow, this activity attempts to find an existing observable for a lookup that matches the value and type of the lookup provided to the activity as input. If the observable exists and is not expired, this activity:
- Updates the lookup with the information found in the observable.
- Reactivates an indicator if it is inactive, increments the Encountered count, and updates the Last seen date.
- Sets State to Complete.

Input variables

Input variables determine the initial behavior of the activity.

Table 73: Input variables
scanid [string]: Lookup identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 74: Output variables
True: Found valid observable and updated lookup.
False: Did not find valid observable. Observable is either missing or expired.

Perform IoC Lookup activity

The Threat Intelligence Orchestration - Perform IoC Lookup workflow activity accelerates the investigation and remediation process by performing a specific IoC lookup.

When triggered by the Threat Intelligence Orchestration - Run IoC Lookup workflow, this activity takes a scanid, finds the lookup record, and adds the lookup to the Lookup Queue by creating a lookup queue entry.

Input variables

Input variables determine the initial behavior of the activity.

Table 75: Input variables
scanid [string]: Lookup identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 76: Output variables
True: Triggered the lookup.
False: Did not trigger the lookup.

Update observable with lookup result activity

The Threat Intelligence Orchestration - Update observable with lookup result workflow activity updates the observable record and logs useful information about the lookup result. If an observable record does not exist, it creates a new observable.

When triggered by the Threat Intelligence Orchestration - Run IoC Lookup workflow, this activity updates an existing observable to include the new Sighting count, adds a note, and, if inactive, reactivates any indicators. The Encountered count and Last seen date in the indicator are also updated.

If no correlating observable exists, the workflow creates a new observable with an indicator and:
- Runs the IoC lookups.
- Creates a new observable.
- Creates an indicator for the observable.
- Adds a Sighting count to the observable.
- Adds an Encountered count and Last seen date to the indicator.
- Adds a message indicating from which lookup it was created.

Input variables

Input variables determine the initial behavior of the activity.

Table 77: Input variables
scanid [string]: Lookup identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 78: Output variables
True: Update or creation of observable is successful.
False: Update or creation of observable failed.

Run Default IoC Lookup Sources activity

The Threat Intelligence Orchestration - Run Default IoC Lookup Sources activity takes in a lookup request ID and creates multiple lookups depending on the entered data values.

When triggered by the Threat Intelligence Orchestration - Run IoC Lookup workflow, this activity evaluates the Include in bulk scan column of the Supported Lookup Type table of each lookup source for each data type. If True, a lookup is added to the lookup request.

Input variables

Input variables determine the initial behavior of the activity.

Table 79: Input variables
scan_request_id: Lookup request system identifier

Output variables

The output variables contain data that can be used in subsequent activities.

Table 80: Output variables
Number of scans created: Integer

Components installed with Threat Intelligence

Several types of components are installed with Threat Intelligence.

Tables installed with Threat Intelligence

Threat Intelligence adds the following tables.

Attack mechanism [sn_ti_attack_mechanism]: Organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system.

Attack mode/method [sn_ti_attack_mode]: Attack modes and methods are representations of the behavior of cyber adversaries. They characterize what an adversary does and how they do it in increasing levels of detail.
Discovery method [sn_ti_discovery_method]: An expression of how an incident was discovered.
Feed [sn_ti_feed]: Used for configuring the Threat Feed (RSS) in the Threat Overview.
Indicator Attack mode/method [sn_ti_m2m_indicator_attack_mode]: Used to map attack modes/methods to indicators.
Indicator of Compromise [sn_ti_indicator]: Used to convey specific observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context.
Indicator of Compromise Metadata [sn_ti_indicator_metadata]
Indicator Source [sn_ti_m2m_indicator_source]: Used to collect all the sources reporting the specific indicator.
Indicator Type [sn_ti_indicator_type]: Used to characterize a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it is acted on, and so on.
Associated Indicator Type [sn_ti_m2m_indicator_indicator_type]: Links indicators with their applicable types.
Intended effect [sn_ti_intended_effect]: Used for expressing the intended effect of a threat actor.
IP Scan Result [sn_ti_ip_result]: Used to show the results of an IP lookup.
Malware Rate limit [sn_ti_rate_limit]: Defines a rate limit to be used on a lookup source.
Malware Scan [sn_ti_scan]: A lookup. Contains what to look up, with what lookup source, and a summary of the lookup results.
Malware Scanner [sn_ti_scanner]: Defines third-party lookup sources to use in performing lookups.
Malware Scanner Rate Limit [sn_ti_scanner_rate_limit]: Associates a lookup source with a rate limit.

Malware Scan Queue Entry [sn_ti_scan_q_entry]: A lookup record queued for lookup or processing. Facilitates the requests within stated rate limits.
Malware Scan Result [sn_ti_scan_result]: Displays the result of a lookup.
Malware Type [sn_ti_malware_type]: Used for expressing the types of malware instances.
Observable [sn_ti_observable]: Observables in STIX represent stateful properties or measurable events pertinent to the operation of computers and networks.
Observable Indicator [sn_ti_m2m_observable_indicator]: Used to relate observables to indicators.
Observable Source [sn_ti_observable_source]: Used to relate observables to threat sources.
Observable Type [sn_ti_observable_type]: Lists the various types of observables, such as IP addresses.
Related attack mode/method [sn_ti_m2m_attack_mode_attack_mode]: Used to relate attack modes to each other.
Related Observables [sn_ti_m2m_observables]: Used to relate observables to each other.
Scan type [sn_ti_scan_type]: The definition of a lookup type, with initial records for File, URL, and IP.
Supported Observable Types [sn_ti_m2m_ind_type_obs_type]: Relates indicator types to valid observable types.
Supported Scan Type [sn_ti_supported_scan_type]: Maps the lookup type to a lookup source/vendor-specific implementation. Indicates that a specific lookup source supports the type.
Task Attack mode/method [sn_ti_m2m_task_attack_mode]: Relates attack modes to tasks.
Task Indicator [sn_ti_m2m_task_indicator]: Relates indicators to tasks.
Task Observable [sn_ti_m2m_task_observable]: Relates observables to tasks.
TAXII Collection [sn_ti_taxii_collection]: Defines a cyber-risk intelligence feed that can be imported by a TAXII server.

TAXII Profile [sn_ti_taxii_profile]: Defines a repository for sharing cyber-risk intelligence. Contains TAXII collections.
Threat Actor type [sn_ti_threat_actor_type]: Provides characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior.
Threat Intelligence Source [sn_ti_source]: Defines a source for importing threat data.

The Security Support Common [com.snc.security_support.common] plugin, which is activated when you activate Threat Intelligence, adds the following tables.

Rate limit [sn_cmn_rate_limit]: Defines a rate limit to be used on a lookup source or scanner.
Scan [sn_sec_cmn_scan]: A threat lookup or vulnerability scan. Contains what to look up or scan, with what lookup source or scanner, and a summary of the results.
Scanner [sn_sec_cmn_scanner]: Defines third-party lookup sources or scanners to use in lookups or scans.
Scan Queue Entry [sn_cmn_scan_q_entry]: A threat lookup or vulnerability scan record queued for lookup, scan, or processing. Facilitates the requests within stated rate limits.
Scanner Rate Limit [sn_cmn_scanner_rate_limit]: Associates a lookup source or scanner with a rate limit.

Properties installed with Threat Intelligence

Threat Intelligence adds the following properties.

Table 81: Properties for Threat Intelligence

The domain name to retrieve additional information for IP addresses/URLs (sn_ti.ip_lookup.web_site)
The domain name to use for retrieving additional information into your IoC database. This property is used by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
Type: String
Default value:
Location: Threat Intelligence > Administration > Properties
Note: The pinfodb.com third-party API is available at no extra charge and used in many commercial software programs. If you replace it with a different domain name, you must also provide the API key in the next field.

The API key to be used for the domain, if any (sn_ti.ip_lookup.api_key)
The API key to use for retrieving additional information into your IoC database. This property is used (along with the sn_ti.ip_lookup.web_site property) by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
Type: String
Default value: none
Location: Threat Intelligence > Administration > Properties

Lookup local IoC tables before sending to remote scanner (sn_ti.scan_ioc_before_sending)
If set to True, the Observable [sn_ti_observable] table is checked against the lookup request for a matching value. If a match is found (that is, the same IP address, URL, or hash file value exists), the lookup result is populated from information in the Observable [sn_ti_observable] table. This setting prevents unneeded lookups. In the lookup request, the State field is set to Complete, the Result field is set to Failed, and the Internally populated field is set to True. If a matching value or attachment is not found in the Observable [sn_ti_observable] table, the lookup proceeds normally.
Type: Yes/No
Default value: Yes
Location: Threat Intelligence > Administration > Properties

Number of days local Observables are considered (sn_ti.scan_ioc_num_days)
If the Lookup local IoC tables before sending to lookup source property is set to True, observables that were updated in the past number of days specified in this property are compared with the value in the lookup. If a match is found within the specified number of days, or if an attachment in the lookup exists in an IoC observable, the lookup is not performed. The State field is set to Complete, and the Result field is set to Failed. If a matching value or attachment is not found in the Observable [sn_ti_observable] table, the lookup proceeds normally.
Type: integer
Default value: 30
Location: Threat Intelligence > Administration > Properties

When an attack mode/method has not been received from any source for the specified number of days, mark it as inactive (sn_ti.attack_mode_inactivate_days)
Number of days from when an attack mode/method was last received for the record to be marked inactive.
Type: integer
Default value: 360
Location: Threat Intelligence > Administration > Properties
Note: The Active check box is not visible on the Attack mode/method form by default. However, you can add it. When attack modes/methods are inactive, they cannot be selected on other forms.

When an indicator has not been received from any source for the specified number of days, mark it as inactive (sn_ti.indicator_inactivate_days)
Number of days from when an indicator was last received for the record to be marked inactive.
Type: integer
Default value: 180
Location: Threat Intelligence > Administration > Properties
Note: The Active check box is not visible on the Indicator form by default. However, you can add it. When indicators are inactive, they cannot be selected on other forms.
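The two lookup properties above (sn_ti.scan_ioc_before_sending and sn_ti.scan_ioc_num_days) and the Threat Intelligence - Run IoC Lookup workflow with its Populate lookup with observable and Update observable with lookup result activities describe the same decision: serve a lookup from a recent observable, or send it to the lookup source and then record the outcome. The following is an added example, not ServiceNow code, that models those three branches in plain Node.js against an in-memory observable table: a cache hit within the day window completes the lookup locally with Internally populated set, an expired observable is refreshed and its Sighting count incremented after a remote lookup, and a value with no observable gets one created (with its indicator) when the source flags it, as the note under Lookups describes. The table layout, the stand-in remote source, its verdicts and the sample addresses are assumptions made for the example.

```javascript
// Added example (not ServiceNow code): an in-memory model of the Run IoC
// Lookup workflow's three branches, driven by the two properties above.
// The objects are simplified stand-ins for sn_ti_observable and sn_ti_scan.
const DAY_MS = 24 * 60 * 60 * 1000;

// Property values as documented on the page: Yes, and 30 days.
const props = { scanIocBeforeSending: true, scanIocNumDays: 30 };

// Constructed observable table. Observables hold values an earlier lookup
// reported as bad, so a cache hit is itself a "Failed" result.
function makeObservableTable(now) {
  return [
    { type: 'IP address', value: '203.0.113.45', updated: now - 3 * DAY_MS, sightings: 2, indicatorActive: false },
    { type: 'IP address', value: '198.51.100.7', updated: now - 90 * DAY_MS, sightings: 5, indicatorActive: false },
  ];
}

// Stand-in for the remote lookup source; the bad values are constructed.
function remoteLookup(lookup) {
  const bad = new Set(['198.51.100.7', '192.0.2.10']);
  return bad.has(lookup.value) ? 'Failed' : 'Passed';
}

function findObservable(table, lookup) {
  return table.find(o => o.type === lookup.type && o.value === lookup.value) || null;
}

// An observable is used only if it was updated within scanIocNumDays.
function isExpired(obs, now) {
  return now - obs.updated > props.scanIocNumDays * DAY_MS;
}

// Run one lookup and return the updated lookup record; the table is mutated
// the way the Update observable with lookup result activity describes.
function runIocLookup(table, lookup, now) {
  const obs = props.scanIocBeforeSending ? findObservable(table, lookup) : null;

  if (obs && !isExpired(obs, now)) {
    // Populate lookup with observable: no remote call, reactivate the indicator.
    obs.indicatorActive = true;
    return { ...lookup, state: 'Complete', result: 'Failed', internallyPopulated: true, branch: 'local' };
  }

  // Perform IoC Lookup: the value goes to the lookup source.
  const result = remoteLookup(lookup);

  if (obs) {
    // Expired observable: keep it, increment Sighting count, refresh, reactivate.
    obs.sightings += 1;
    obs.updated = now;
    obs.indicatorActive = true;
    return { ...lookup, state: 'Complete', result, internallyPopulated: false, branch: 'expired' };
  }

  if (result === 'Failed') {
    // No correlating observable: create one with an indicator, recording
    // which lookup it came from. Only flagged values are stored.
    table.push({ type: lookup.type, value: lookup.value, updated: now, sightings: 1,
                 indicatorActive: true, note: `Created from lookup ${lookup.id}` });
  }
  return { ...lookup, state: 'Complete', result, internallyPopulated: false, branch: 'remote' };
}

// Usage: one lookup per branch, then a repeat that is now served locally.
const NOW = Date.UTC(2018, 4, 3);
const table = makeObservableTable(NOW);
for (const l of [
  { id: 'SCN0001', type: 'IP address', value: '203.0.113.45' },
  { id: 'SCN0002', type: 'IP address', value: '198.51.100.7' },
  { id: 'SCN0003', type: 'IP address', value: '192.0.2.10' },
  { id: 'SCN0004', type: 'IP address', value: '192.0.2.10' },
]) console.log(runIocLookup(table, l, NOW));
```

The day window is what keeps the local table from becoming stale intelligence: a value flagged 90 days ago is re-queried rather than trusted, while the expired record is still kept so the Sighting count continues to accumulate across incidents.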

Roles installed with Threat Intelligence

Threat Intelligence adds the following roles.

Threat Administrator [sn_ti.admin]: Has full control over all threat properties, SLAs, and notifications. Contains roles: sn_ti.write.
Threat Reader [sn_ti.read]: Has read access to threat information. Contains roles: sn.sec_cmn.int_read.
Threat Writer [sn_ti.write]: Has write access to threat information. Cannot delete attack modes, indicators, or observables. Only a Threat Administrator can delete them. Contains roles: sn_sec_cmn.int_write, sn_ti.read.

Script includes installed with Threat Intelligence

Threat Intelligence adds the following script includes.

InactivateExpiredThreatInformation: Inactivates expired threat information. Uses Threat Intelligence properties for age calculation.
ScanHttpMultipartBuilder: Takes a file and updates a RESTMessageV2 request body with the file contents. Also adds a request header to change the content type to multipart/form-data.
SimpleBlocklistProcessor: Plain text processor, chiefly used to parse and insert processor records. Because this script include does not use streaming APIs, the payload must be less than 5 MB for attachments.
STIXParser: A class for processing STIX XML data.
TAXIIClient: Facilitates communication with a TAXII server to retrieve collection information.
TAXIICollectionDataProcessor: Processor for data returned by TAXII Collection data retrieval.
TAXIISourceIntegration: Integration for running a REST call to retrieve data from a TAXII collection. The data returned by this integration is then passed to a data processor (typically TAXIICollectionDataProcessor).
TAXIIV1_1RequestBuilder: Builds TAXII requests in TAXII 1.1 format.
TAXIIV1_1ResponseParser: Parses the REST response body that conforms to the TAXII 1.1 specification.

ThreatAdditionalInfo: The API for acquiring additional information for a specific IP address or URL. This script include updates detailed information on the Observables screen using information retrieved using the following two Threat Intelligence properties: The domain name to retrieve additional information for IP addresses/URLs [sn_ti.ip_lookup.web_site], and The API key to be used for the above domain, if any [sn_ti.ip_lookup.api_key].
ThreatAJAX: Contains AJAX functions to be used throughout the application.
ThreatScannerIntegrationBase: A base class for Threat integrations to extend.
ThreatUtils: Various functions for use throughout the Threat Intelligence plugin.

The Security Support Common [com.snc.security_support.common] plugin, which is activated when you activate Threat Intelligence, adds the following script includes.

Scanner: The lookup source and scanner implementations for Threat Intelligence and Vulnerability Response.
ScannerIntegrationBase: Base class for lookup source and scanner integration implementations.
ScannerProcessorBase: Base class for lookup source and scanner processor implementations.
ScannerUtils: Common lookup source and scanner helper methods.
ScanQueueManager: The lookup and scan queue manager implementation for Threat Intelligence and Vulnerability Response.

Client scripts installed with Threat Intelligence

Threat Intelligence adds the following client scripts.

Handle type change (Lookup [sn_ti_scan]): Hides irrelevant fields when the type changes.
Hide empty results (Lookup [sn_ti_scan]): If no data is contained within them, this script hides the related lists for lookup results and IP results.

Toggle Is Composition Flag (Observable [sn_ti_observable]): Updates the form when an observable should be treated as a composition.
Toggle supported scanner types (Lookup Type [sn_ti_scan_type]): Shows or hides the supported lookup type related list of a lookup type depending on the user role.
Toggle supported types and rate limits (Lookup Source [sn_ti_scanner]): Shows or hides the supported lookup type and scanner rate limit related lists of a lookup source depending on the user role.

Business rules installed with Threat Intelligence

Threat Intelligence adds the following business rules.

Check for duplicates (Observable [sn_ti_observable]): Prevents duplicate entries in the observable table.
Handle file malware detection (Lookup [sn_ti_scan]): Deletes a lookup attachment after a lookup reports "failed."
Hash selected file (Lookup [sn_ti_scan]): Retrieves the hash value of a file to look up.
Indicator Detection (Task Observable [sn_ti_m2m_task_observable]): Determines if the observables on a task indicate an indicator.
IoC Lookup (Attachment [sys_attachment], Security Scan Request [sn_si_scan_request]): Creates lookups from security lookup requests.
Lookup (Lookup [sn_ti_scan]): Triggers the Threat Intelligence - Run Lookup workflow when a lookup object is inserted or updated and meets the condition specified in the IoC Lookup business rule.
Link observables label (Security Incident [sn_si_incident]): Adds observables to the security incident based on the data in the fields of the IoC section.

Notify Lookup Finished (Lookup [sn_ti_scan]): Sends an email notification to a lookup requester when the lookup has completed. The notification includes the names of the lookup sources, lookup numbers, number of threats found, and lookup engines that detected threats. If multiple lookups are performed as a group, the notification is not sent until all lookups are completed.
Parse JSON from notes (Indicator [sn_ti_indicator]): Detects and parses valid JSON key/value pairs in the Indicator of Compromise Notes field and displays them in the Indicators of Compromise Metadata related list.
Prevent delete if lookup type default (Supported Lookup Type [sn_ti_supported_scan_type], Lookup Source [sn_ti_scanner]): Prevents deletion of a lookup type when it is selected as the default.
Prevent Removing Indicator Types (Associated Indicator Types [sn_ti_m2m_indicator_indicator_type]): Prevents the deletion of indicator types that would result in data integrity issues, if deleted.
Reactive IoC when observable found (Observable [sn_ti_observable]): Reactivates an observable when it is inactive and recently found.
Restrict observable to supported type (Observable Indicator [sn_ti_m2m_observable_indicator]): Limits the observables available to an indicator based on their types.
Roll up threat to SI (Lookup [sn_ti_scan]): When a threat is found during a lookup, a workflow launches that rolls up the lookup summary report to the originating security incident as a work note.
Set confidence (Indicator Source [sn_ti_m2m_indicator_source]): Sets the confidence of an indicator determined by the source.
Set lookup field to attachment (Lookup [sn_ti_scan]): Sets the lookup attachment reference field to the attachment on the lookup form.
Set order to next available (Supported lookup type [sn_ti_supported_scan_type]): Sets the order of a supported lookup type to the largest available.

Trigger Workflows (Lookup [sn_ti_scan]): Triggers Threat Intelligence workflows when conditions are met.
Trim observable value (Lookup [sn_ti_scan]): Trims white space from the value of an observable.
Update first seen (Indicator Source [sn_si_m2m_indicator_source], Attack mode/method [sn_ti_attack_mode]): Updates the first seen field.
Update indicator first seen (Indicator Source [sn_vul_m2m_indicator_source]): Sets the first seen field on an indicator.
Update last seen (Indicator Source [sn_vul_m2m_indicator_source]): Sets the last seen field on an indicator.
Update lookup name (Lookup [sn_ti_scan]): Sets the lookup name of a lookup to a combination of the value of the object being scanned.
Update parent (Lookup [sn_ti_scan]): Updates a lookup parent with the results of a lookup.
Update the queue (Lookup [sn_ti_scan]): Updates a lookup queue entry for a lookup record when the lookup state changes.

Security Operations integrations

Several integrations are included with the Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response). This section provides instructions for activating the plugins and configuring the integrations. Also included are some basic guidelines for developing your own integrations, as well as details on specific integrations included in the base system.

Security Operations integration development guidelines

The ServiceNow platform provides several mechanisms for developing integrations with external systems. The Security Operations product suite adds integration capabilities intended to streamline the process of integrating with security-focused external systems.

Most of the concepts in this guide assume some familiarity with standard ServiceNow functionality. To integrate with the Security Operations suite, at a minimum, knowledge of the following concepts is required:
- Script includes

- Inbound/outbound web services
- Data sources
- Import sets
- Transform maps

Technology Partner Program

Any requirements for application certification or guidelines given in the Technology Partner Program literature supersede any information in this guide. This guide is not a replacement for the Technology Partner Program literature and serves only as a supplement to existing documentation. For more information, see the Technology Partner Program training course blog post.

Types of integrations provided

The Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response) can be seamlessly integrated with other applications to enhance their functionality. The following integrations are provided in the base system.

Security Incident Response - Event Management integration

The capabilities of the Event Management application have been expanded to support Security Incident Response. The Security Incident Response Event Management support plugin automatically parses the contents of events in Event Management to populate fields in security incidents.

Use case covered:
- Creation of security events in the Event Management system from Security Information and Event Management (SIEM) tools

Useful capabilities provided:
- Event Management functionality: event correlation, event rules, and alert rules
- Automatic mapping of additional_information values to the resulting security incident

Resources:
- Security Incident event management support documentation
- Event Management documentation

Security Incident Response - Import Set API integration

In addition to using Event Management to push security-related events, the Security Incident Response application provides an Import Set API that allows direct creation of security incidents.
The REST endpoint for the Security Incident Import Set is
This integration technique is useful when a) Event Management is not installed, or b) you want to create security incidents without going through the event > alert > security incident flow that is required when using Event Management.

Use case covered:
- Creation of security incidents directly from SIEM tools

Useful capabilities provided:
- Automatic CI matching on security incident creation based on IP, NetBIOS, or fully qualified domain name

Resources:
- Platform Import Set API documentation
- Security Incident Web Service Import Set documentation

Threat Intelligence - lookup source integration

Lookup sources provide the ability to send data to external lookup sources to determine whether that data is malicious. Generally, that data is an IP address, URL, file, or file hash.

Use case covered:
- Look up an IP address, URL, file, or hash with an external lookup service

Useful capabilities provided:
- Consistent way to request lookups from catalog items and security incidents
- Rate limiting and throttling capabilities provided with little or no coding
- Automatic creation of Indicators of Compromise (IoC) observable entries for any issues found by lookup sources

Resources:
- Lookup Source documentation

Threat Intelligence - threat source integration

Threat sources provide the ability to pull in data from external threat intelligence repositories. This data is then imported into the various Indicators of Compromise tables that exist within the system. TAXII collections and simple blocklists are supported natively. Adding a new TAXII collection (or a profile based on a discovery or collection management service) is as simple as adding an entry. Similarly, adding a new simple, single-column blocklist is a matter of entering a new record and providing the URL of the blocklist. For more complicated sets of data, a custom integration can be provided to make a call to a URL and parse the response.
Use case covered:
- Retrieve data from a threat intelligence source to load into IoC tables

Useful capabilities provided:
- Support for simple blocklists and TAXII collections with no coding
- Simple mechanism for executing REST messages to retrieve data
- Decoupled data retrieval and processing for integration component reusability
- Native support for passing the returned data to data sources (and import sets/transform maps) for processing
- Support for multiple data requests per integration (for paginated calls), with the ability to pass context to subsequent calls

Resources:
- Define a threat source on page

Vulnerability Response - scanner invocation integration

Vulnerability Scanner Invocation is a lightweight integration entry point that supports invoking vulnerability scans from the instance. A third-party vulnerability scanner is called asynchronously to schedule a scan for configuration items or IP addresses.

Use case covered:
- Make a request to a third-party scanner to scan a CI (using host information derived from the CI) or one or more IP addresses

Useful capabilities provided:
- Simple framework for defining scanner implementations
- Consistent way to request scans from catalog items, security incidents, and vulnerable items
- Automatic updating of tasks with the result of the scan invocation

Resources:
- Third-party vulnerability scanner documentation

Vulnerability Response - data integration

Vulnerability data integrations are intended to retrieve vulnerability data from third-party vulnerability systems. The expected outputs from these integrations are vulnerability entries and vulnerable items. This integration allows third-party vulnerability scanners to function independently, with the expectation that vulnerabilities can be worked and tracked within the instance.

Use cases covered:
- Retrieve vulnerability libraries
- Retrieve vulnerability/CI pairings
- Synchronize CIs with the vulnerability management system

Useful capabilities provided:
- Decoupled data retrieval and processing for integration component reusability
- Native support for passing the returned data to data sources (and import sets/transform maps) for processing
- Support for multiple data requests per integration (for paginated calls), with the ability to pass context to subsequent calls

Resources:
- Vulnerability data integration documentation

Third-party integrations

Many of the integrations included in the base system require little or no setup, and operate in the same way.
Certain integrations, such as the Qualys Cloud Platform, however, require separate steps for setting up the integration, entering an API key, and setting API credentials. Others support different sets of scan and lookup types and different rate limits. This section describes the differences between the supported integrations and points you to more documentation as needed.

- IBM QRadar Integration overview on page 265: IBM QRadar SIEM is used to enrich security incidents with QRadar offense information.

- Palo Alto Networks - AutoFocus integration overview on page 283: Palo Alto Networks AutoFocus is a threat intelligence cloud service that provides prioritized, actionable cyberthreat intelligence.
- Palo Alto Networks - Firewall integration overview on page 291: Palo Alto Networks Firewall allows you to set up and maintain firewalls for preventing known and unknown threats across the network, cloud, and endpoints.
- Palo Alto Networks - WildFire integration overview on page 309: WildFire allows you to programmatically send file analysis jobs to WildFire and query report data through a simple XML API interface.
- Qualys Cloud Platform integration on page 320: Qualys Cloud Platform is used in Vulnerability Response.
- Splunk: Splunk is used in Security Incident Response to create security incidents and security events.
- Tanium integration overview on page 381: The Tanium integration uses a workflow and workflow activities to return running processes for affected CIs.
- VirusTotal: VirusTotal is used in Threat Intelligence. To use this lookup source, you must activate the VirusTotal Integration plugin.

Activate and configure third-party integrations

You can activate the plugins for third-party integrations and configure them for use from the same screen.

Role required: sn_sec_cmn.admin

1. Navigate to Security Operations > Integration Configuration.
   The available security integrations appear as a series of cards. You can point to any card to get a description of the integration.

2. To install the plugin for a given integration, click Install Plugin.
   a) On the System Plugin form, review the plugin details and click the Activate/Upgrade related link.
   b) Click Activate.
3. When the activation is complete, the Security Integration screen reopens and the button for the integration you activated is labeled Configure. Click Configure.
   Note: If you are configuring Qualys Cloud Platform, see Activate and configure Qualys Vulnerability Integration plugin on page
4. Enter the API Key.
5. Click Submit.

Create an integration

You can create an integration and add the associated integration card to the Security Integrations screen. This procedure is intended for partners who create third-party integrations.

Role required: sn_sec_cmn.admin
Audience: Partners who create third-party integrations

1. In the navigation filter, type sn_sec_cmn_integration_item.list and press the Enter key.
2. Click New.
3. Fill in the fields on the form, as appropriate.
   Name: The name of the integration.
   Plugin ID: The plugin that must be activated to use the integration.
   Order: Indicates the order in which this integration card appears.
   Banner Text: Click the link, select an image or logo to appear in the integration card, and click OK.
   Installed: Read-only field that indicates whether the plugin has already been installed.
   Configurable: Indicates whether you can configure the integration.
   Categories: Used for filtering the integration cards.
   Short description: A description of the integration that appears in the tooltip hint for the card.
   Description: A longer description of the integration.
4. Right-click the form header and select Save.
   The Integration and Configurations related list appears. You can use this related list to define configuration options for the integration. These options appear when you click the Configuration button on the associated integration card.
5. Click New.
6. Fill in the fields on the form, as appropriate.
   Label: The name of the integration item.
   Name: The plugin that must be activated to use the integration.
   Integration: Displays the integration for which you are defining integration items.
   Order: Indicates the order in which this integration item appears.

   Type: From the list, select the type of field: String, Integer, Decimal, Date, Boolean, Password, IPv4, IPv6, or URL.
   Value: Enter the value associated with the selected Type. If a value that is invalid for the selected Type is entered, no records are retrieved when the integration is run. For example, if you select the URL type and enter a value that is not a valid URL, no records are retrieved.
7. Click Submit.

Tips for writing integrations

Avoid some of the pitfalls you can encounter when writing your own integrations by following these guidelines.

Use platform functionality whenever possible

Mostly, the integration capabilities built into the Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response) are intended to enhance or streamline existing platform integration functionality. When writing integrations, always make sure to use platform functionality when it exists. Here are some common functionalities that can be used rather than rolling your own.
- Outbound web services: for most interactions with third-party systems, communication is through web services. In those cases, use platform outbound web services (REST and SOAP are supported).
- Data sources, import sets, and transform maps: for processing data and inserting it into tables, the preferred mechanism is to use data sources and their associated components.

Use integration frameworks whenever possible

Because the Security Operations integration mechanisms have solved many common problems, it is not necessary to reimplement basic functionality for every integration. For example, the vulnerability data and threat source frameworks support handling multiple pages and passing that data to data sources, transforms, and import sets. Similarly, the scan or lookup source framework provides configurable rate limiting functionality. As a rule, when implementing a feature or set of features, check whether the existing Security Operations integration framework covers your use case. If so, use that framework.
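The Type/Value pairing described above is only enforced when the integration runs (an invalid value silently yields no records). As an added example that is not ServiceNow code or part of this documentation, the following script checks a configuration value against each Type listed on the form before it is saved; the function names, the YYYY-MM-DD date format and the requirement that a URL carry an http or https scheme are assumptions.

```javascript
// Added example (not ServiceNow code): validate an integration item's Value
// against its selected Type. Type names are those on the integration item form.
// Assumptions: dates are YYYY-MM-DD; URLs must carry an http(s) scheme.

function isIPv4(value) {
  var parts = value.split('.');
  if (parts.length !== 4) return false;
  return parts.every(function (p) {
    return /^\d{1,3}$/.test(p) && Number(p) <= 255;
  });
}

function isIPv6(value) {
  // Hex groups separated by ':', with at most one '::' compression.
  if (!/^[0-9a-fA-F:]+$/.test(value) || value.indexOf(':::') !== -1) return false;
  var halves = value.split('::');
  if (halves.length > 2) return false;
  var groups = [];
  for (var i = 0; i < halves.length; i++) {
    if (halves[i] === '') continue;
    if (halves[i][0] === ':' || halves[i][halves[i].length - 1] === ':') return false;
    groups = groups.concat(halves[i].split(':'));
  }
  // With '::' present at most 7 explicit groups are allowed; without it exactly 8.
  if (halves.length === 2 ? groups.length > 7 : groups.length !== 8) return false;
  return groups.every(function (g) { return /^[0-9a-fA-F]{1,4}$/.test(g); });
}

function isDate(value) {
  var m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(value);
  if (!m) return false;
  var y = Number(m[1]), mo = Number(m[2]), d = Number(m[3]);
  var dt = new Date(Date.UTC(y, mo - 1, d));
  // Round-trip check rejects overflowing days such as 2018-02-30.
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
}

var TYPE_CHECKS = {
  String:   function (v) { return typeof v === 'string'; },
  Password: function (v) { return typeof v === 'string'; },
  Integer:  function (v) { return /^[+-]?\d+$/.test(v); },
  Decimal:  function (v) { return /^[+-]?(\d+\.?\d*|\.\d+)$/.test(v); },
  Date:     isDate,
  Boolean:  function (v) { return /^(true|false)$/i.test(v); },
  IPv4:     isIPv4,
  IPv6:     isIPv6,
  URL:      function (v) { return /^https?:\/\/[^\s/?#]+(?:[/?#]\S*)?$/i.test(v); }
};

// Returns true when `value` is acceptable for `type`; unknown types are rejected.
function validateIntegrationValue(type, value) {
  var check = TYPE_CHECKS[type];
  return Boolean(check) && typeof value === 'string' && check(value);
}

// Checks a list of {label, type, value} integration items (the fields of the
// Integration and Configurations related list) and returns the invalid labels.
function findInvalidIntegrationItems(items) {
  return items.filter(function (item) {
    return !validateIntegrationValue(item.type, item.value);
  }).map(function (item) { return item.label; });
}

// Constructed sample configuration, not taken from any real integration.
var SAMPLE_ITEMS = [
  { label: 'Endpoint base', type: 'URL',     value: 'https://qradar.example.test' },
  { label: 'Rate limit',    type: 'Integer', value: '60' },
  { label: 'MID proxy',     type: 'IPv4',    value: '10.0.0.300' },
  { label: 'Use MID',       type: 'Boolean', value: 'yes' }
];
```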

Extend the existing integration frameworks as needed

Most of the tables and scripts used by the integration frameworks were intended to be extended to suit future needs. If a use case is encountered while you are writing an integration, extend an integration table or script to better suit that use case.

Provide feedback to ServiceNow for issues encountered during integration

As an integration is being developed or tested, be sure to provide feedback when issues are encountered. Even if a workaround is required, support personnel can provide an improvement in future releases that could alleviate the issue for future integrations.

Test under reasonable load

A common issue with integrations is that they are not equipped to handle realistic loads. Because each integration is a scoped application, there are more limitations imposed by the platform to ensure system stability. These limitations may result in long-running jobs or API calls being terminated. You can ensure that long-running processes, or processes that handle large amounts of data, are handled gracefully by reducing the time each call or process takes (usually by providing a means of paginating API requests or chunking large sets of data).

Integration troubleshooting

These troubleshooting suggestions can help you resolve common issues you can encounter when setting up or running integrations.

Replace an untrusted or expired third-party SSL certificate

When an SSL connection is required in an integration, there are circumstances when the certificate provided by the third-party vendor is either not yet trusted in ServiceNow or has expired. You can replace it or add a new certificate.

Role required: sn_ti.write

1. Acquire the SSL certificate from the third-party vendor. For example, you can import an X.509 Certificate (PEM) from an SSL endpoint in the Firefox browser, as follows.
   a) Enter the endpoint URL into the browser address bar.
   b) Click the lock icon in the address line.
   c) Click More Information and click the Security tab.
   d) Click View Certificate and click the Detail tab.
   e) Click Export to save the PEM to your local file system.
   f) Open the saved file in any text editor and copy the content to the clipboard. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
2. Navigate to System Definition > Certificates.
3. Click New and create a new record for the integration.
4. In PEM Certificate, paste in the certificate you downloaded and copied to the clipboard earlier.
5. Click Save.
   The other fields in the record are generated automatically.

IBM QRadar integration

QRadar Integration uses default workflows to enrich data in security incidents when certain fields are updated. You can also manually execute the workflows to enrich the data.

Explore
- IBM QRadar Integration overview on page 265
- Security Operations integrations on page 256

Set up
- Download and install the Security Operations add-on for IBM QRadar on page 268
- Activate and configure the IBM QRadar SIEM integration on page 266
- QRadar integration setup on page 266

Use
- Enrich QRadar data in Security Incident Response on page 268

Develop
- QRadar integration orchestration workflows and activities on page 274
- Security Operations integration development guidelines on page 256
- Tips for writing integrations on page 263
- Developer training
- Developer documentation
- Components installed with the IBM QRadar SIEM integration on page 281

Troubleshoot and get help
- Integration troubleshooting on page 264
- Ask or answer questions in the Security Operations community
- Search the HI Knowledge Base for known error articles
- Contact Support

IBM QRadar Integration overview

QRadar Integration is an enterprise security information and event management (SIEM) product that integrates easily with ServiceNow. Two workflows are included in the base system:
- QRadar Integration - Run Enrichment for IP
- QRadar Integration - Security Incident Enrichment

When the Configuration Item, Source IP, and/or Destination IP fields in a security incident are modified, a business rule causes the first workflow to orchestrate REST calls to the second workflow. One call is made for each of the fields modified. The Security Incident Enrichment workflow then makes the calls to QRadar depending on the field(s) that were modified. QRadar sends the enriched data to the security incident and populates the work notes with a summary of any offenses and event flows related to the IP addresses. The summary includes links that allow you to view the data on the QRadar console.

Figure 12: Sample work notes with QRadar summary

You can also click the Get QRadar IP Summaries related link to manually kick off the workflows and pull enriched data from QRadar.

Note: If the Use default workflows check box in the QRadar Configuration screen is not selected, the workflows do not run and the related link is not displayed.

QRadar integration setup

Before you can use the QRadar integration, you must activate the plugin and configure the integration. If necessary, you can also update your X.509 SSL certificate.

Activate and configure the IBM QRadar SIEM integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including QRadar Integration.

Role required: admin

Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

1. Navigate to Security Operations > Integration Configuration.
   The available security integrations appear as a series of cards.

2. In the QRadar card, click Install Plugin.
3. In the Install IBM QRadar - Enrichment integration dialog box, review the plugin details and click Activate.
4. When the activation is complete, click Close & Reload Form.
   The Security Integration screen reloads and the Configure button for the integration is available.
5. Click Configure.
6. Fill in the fields on the form, as appropriate.
   Endpoint base: Enter the base URL for QRadar. For example, if the REST endpoint is siem/source_addresses, the endpoint base is qradar.secops-snc.com.
   QRadar Username: The user name of the QRadar administrator who has access to the Offenses tab in QRadar.
   QRadar Password: The password of the QRadar administrator who has access to the Offenses tab in QRadar.
   Use MID server: If QRadar is not directly reachable from the Internet, select this check box to proxy requests through the MID Server.
   Use default workflows: Select this check box to use the QRadar - Security Incident Enrichment workflow to automate the pulling of QRadar data.
7. Click Submit.

Update your X.509 certificate

If you require an SSL connection for the integration, there are circumstances when the certificate provided by the third-party vendor is either not yet trusted in ServiceNow or has expired. This task is optional.

Role required: admin

1. Acquire the SSL certificate from the third-party vendor. For example, you can import an X.509 Certificate (PEM) from an SSL endpoint in the Firefox browser, as follows.
   a) Enter the endpoint URL into the browser address bar.

   b) Click the lock icon in the address line.
   c) Click More Information and click the Security tab.
   d) Click View Certificate and click the Detail tab.
   e) Click Export to save the PEM to your local file system.
   f) Open the saved file in any text editor and copy the content to the clipboard. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
2. Navigate to System Definition > Certificates.
3. Click New and create a new record for the integration.
4. In PEM Certificate, paste in the certificate you downloaded and copied to the clipboard earlier.
5. Click Save.
   The other fields in the record are generated automatically.

Enrich QRadar data in Security Incident Response

When certain fields in a security incident are modified, one or more workflows are executed to enrich data from QRadar.

Role required: sn_si.admin

1. Navigate to Security Incident > Incident and open a security incident using one of these modules:
   - Assigned to Me
   - Assigned to Team
   - Show Open Incidents
   - Show All Incidents
   - Unassigned Incidents
2. Fill out or edit the fields in the security incident.
   If you selected the Use default workflows check box in the QRadar Configuration screen, and you added or changed values in any of the following fields, the default workflows are executed and QRadar enriches the data:
   - Configuration items
   - Source IP (on the Security Incident Observables tab)
   - Destination IP (on the Security Incident Observables tab)

Security Operations add-on for IBM QRadar

When QRadar is integrated with Security Incident Response, you can create security incidents and events from QRadar offenses. The application is configured and operated from within QRadar. Before you can use the Security Operations add-on for IBM QRadar, it must be downloaded from the IBM Security App Exchange and configured.

Download and install the Security Operations add-on for IBM QRadar

Download the IBM QRadar application from the IBM Security App Exchange and install the necessary extensions. The installation requires the Helsinki release or higher.

You must also activate the following plugins prior to installation:
- Security Incident Response
- Event Management

1. Log in to the IBM Security App Exchange.

2. Download the Security Operations add-on for IBM QRadar application.
3. Log in to the QRadar console as an administrator.
4. Navigate to the Admin tab.
5. Click the Extensions Management icon.
6. Click Add in the Extensions Management window.
7. Select the file you downloaded in step 2 and select the Install immediately check box.
8. Click Submit.
   The Extensions Management screen now shows a new record.

Configure the Security Operations add-on for IBM QRadar

Configure the Security Operations add-on for IBM QRadar to set basic operations and to map incident and event fields to QRadar values. You can also configure proxy server support if needed.

Role required: sn_si.admin

1. Log in to your QRadar instance.
2. Click the Admin tab.
3. Navigate to Plug-ins > Integration > Configure Integration.
4. Fill in the fields.

   Table 82: Instance Configuration
   Instance URL: The instance you want to send security incidents or events to.
   Username: Enter the name of the user who administers the application. This user must have the evt_mgmt_integration, import_transformer, and import_set_loader roles.
   Password: Enter a password, if needed.

5. Scroll to the Security Incident/Offense Mapping section.
6. Map fields in the Security Incident [sn_si_incident] table to the associated QRadar values.
7. To add new security incident field/value mappings, click Add New Mapping.
8. Scroll to the Security Event/Offense Mapping section.
9. Map fields in the Event [em_event] table to the associated QRadar values.
10. To add new security event field/value mappings, click Add New Mapping.
11. Scroll to the Automatic Offense Transmission section.
12. Fill in the fields in the Automatic Offense Transmission section.

   Table 83: Automatic Offense Transmission
   Automatically create incidents for matching offenses: Select this option to automatically create security incidents for offenses that match the value in the Incident filter field.
   Incident filter: If you selected the Automatically create incidents for matching offenses check box, enter a value that determines which QRadar offenses are used to create security incidents. For example, status = OPEN and severity > 5.
   Automatically create events for matching offenses: Select this option to automatically create events for offenses that match the value in the Incident filter field.
   Event filter: If you selected the Automatically create events for matching offenses check box, enter a value that determines which QRadar offenses are used to create events. For example, status = OPEN and severity <= 4.
   Authorized service token: Enter a valid QRadar service token to be used for automatic offense transmission. The service token must have been granted access to look up offenses via the REST API.

   Note: The incident and event filters must be valid QRadar filters for the Offense API.

   If you defined the Automatic Offense Transmission options, all offenses that meet the defined criteria create the associated records and transmit them to the instance. If you did not define these configuration options, you can create security incidents and/or events manually.

13. Scroll to the Proxy Configuration (Optional) section.
   Note: If you do not require proxy support, skip this step.
14. Fill in the fields in the Proxy Configuration section.

   Table 84: Proxy Configuration
   Proxy URL: Enter the URL of the proxy server. The server must be an HTTP/HTTPS proxy. Requests to the instance are passed through this URL as a proxy. If a URL is not provided, requests are made directly to the instance. This field should also contain help text that shows the correct format of the URL and specifies that this is necessary only if QRadar sits behind a proxy server.
   Proxy username: If the proxy server requires authentication, enter a user name to be used for basic authentication. This field should also contain help text to describe the purpose of the field.
   Proxy password: If the proxy server requires authentication, enter a password to be used for basic authentication.

15. Click Save.

Manually create security incidents and events from QRadar offenses

You can convert QRadar alerts into security incidents manually.

Role required: sn_si.admin

The Security Incident Response and Security Incident Response Event Management support plugins must be activated.

1. Log in to your QRadar instance.
2. Click the Offenses tab.
3. Locate and open the alert you want to convert.

4. Open the offense record you want to convert. Navigate to Plug-ins > Integration > Configure Integration.
5. Perform one of these procedures:
   - To convert the alert into a security incident and transmit it to ServiceNow, click Create Security Incident.
   - To convert the alert into a security event and transmit it to ServiceNow, click Create Security Event.
   A confirmation box appears.
6. Click OK.
   The Notes section records that the offense was sent to ServiceNow as a security incident or an event.

QRadar integration orchestration workflows and activities

The base system includes workflows and workflow activities you can use to integrate QRadar with your instance.

How the workflows work

When the Configuration item, Source IP, and/or Destination IP fields in a security incident are modified, a business rule called QRadar Enrichment causes the QRadar Integration - Security Incident Enrichment workflow to orchestrate invocation of the second workflow, Security Operations QRadar Integration - Run Enrichment for IP. This secondary workflow makes the calls to QRadar depending on the field(s) that were modified. The enriched data is then added to the security incident work notes.

Note: If the Use default workflows check box in the QRadar Configuration screen is not selected, the workflows do not run.

QRadar Integration - Run Enrichment for IP workflow

When the QRadar Integration - Run Enrichment for IP workflow is executed, REST calls are defined based on modifications made to certain fields in a security incident.

Figure 13: QRadar Integration - Run Enrichment for IP workflow

The workflow includes the following activities:

- Collect QRadar Configurations activity on page 277
- Get Source IP Addresses activity on page 279
- Get Local Dest IP Addresses activity on page 278
- Build QRadar Enrichment Work note activity on page 277

Build QRadar Enrichment Work note activity

The Build QRadar Enrichment Worknote workflow activity adds QRadar enrichment work notes based on the results of API calls.

Input variables

Input variables determine the initial behavior of the activity.

Table 85: Input variables
source_ip_response [array]: The inputs for these variables are passed from the Get Source IP Addresses activity on page 279. Array element types: source_ip, id, event_flow_count, offense_ids [array] (each element is the system identifier for a QRadar offense; array element type: [string]).
local_destination_ip_response [array]: The inputs for these variables are passed from the Get Local Dest IP Addresses activity on page 278. Array element types: local_destination_ip, event_flow_count, id.
originating_field_label [string]

Output variables

The output variables contain data that can be used in subsequent activities.

Table 86: Output variables
worknote [string]: The summary passed to the security incident to document the enriched data, including the number of offenses and event flows.

Collect QRadar Configurations activity
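The following is an added example, not the script of the ServiceNow activity, that reconstructs the worknote output of Table 86 from the input variables of Table 85. The layout of the note, the summarizeEnrichment helper and the sample QRadar responses are constructed here; only the variable and element names come from the tables above.

```javascript
// Added example, not the ServiceNow activity's own script: build the QRadar
// enrichment work note (Table 86 output) from the Table 85 inputs.
// The note layout and sample data are constructed; field names are from Table 85.

function distinctOffenseIds(records) {
  // An offense can be referenced by several source-address records; count it once.
  var seen = {};
  records.forEach(function (r) {
    (r.offense_ids || []).forEach(function (id) { seen[String(id)] = true; });
  });
  return Object.keys(seen);
}

function sumEventFlows(records) {
  return records.reduce(function (total, r) {
    return total + (Number(r.event_flow_count) || 0);
  }, 0);
}

// Aggregates both response arrays into the counts the work note reports.
function summarizeEnrichment(sourceIpResponse, localDestinationIpResponse) {
  var src = sourceIpResponse || [];
  var dst = localDestinationIpResponse || [];
  return {
    source_records: src.length,
    offense_ids: distinctOffenseIds(src),
    source_event_flows: sumEventFlows(src),
    local_destination_records: dst.length,
    local_destination_event_flows: sumEventFlows(dst)
  };
}

// Renders the work note. originatingFieldLabel names the security incident field
// (Configuration item, Source IP or Destination IP) whose change triggered the run.
function buildQRadarEnrichmentWorknote(sourceIpResponse, localDestinationIpResponse,
                                       originatingFieldLabel) {
  var s = summarizeEnrichment(sourceIpResponse, localDestinationIpResponse);
  var lines = ['QRadar enrichment for ' + originatingFieldLabel];
  if (s.source_records === 0 && s.local_destination_records === 0) {
    lines.push('No QRadar source or local destination address records matched.');
    return lines.join('\n');
  }
  lines.push('Seen as source IP: ' + s.source_records + ' address record(s), ' +
             s.offense_ids.length + ' offense(s), ' + s.source_event_flows + ' event flow(s)');
  (sourceIpResponse || []).forEach(function (r) {
    lines.push('  ' + r.source_ip + ' (QRadar source address id ' + r.id + '): offenses ' +
               ((r.offense_ids || []).join(', ') || 'none') + ', ' +
               (Number(r.event_flow_count) || 0) + ' event flow(s)');
  });
  lines.push('Seen as local destination IP: ' + s.local_destination_records +
             ' address record(s), ' + s.local_destination_event_flows + ' event flow(s)');
  (localDestinationIpResponse || []).forEach(function (r) {
    lines.push('  ' + r.local_destination_ip + ' (QRadar local destination address id ' +
               r.id + '): ' + (Number(r.event_flow_count) || 0) + ' event flow(s)');
  });
  return lines.join('\n');
}

// Constructed sample responses shaped like the Table 85 inputs (not real QRadar data).
var SAMPLE_SOURCE_IP_RESPONSE = [
  { source_ip: '203.0.113.9', id: 15, event_flow_count: 12, offense_ids: ['101', '102'] },
  { source_ip: '203.0.113.9', id: 16, event_flow_count: 3,  offense_ids: ['102'] }
];
var SAMPLE_LOCAL_DEST_IP_RESPONSE = [
  { local_destination_ip: '203.0.113.9', id: 7, event_flow_count: 5 }
];
```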

The Collect QRadar Configurations workflow activity is used in the QRadar Integration - Run Enrichment for IP workflow (included in the base system) to get the QRadar configuration settings defined for the integration.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 87: Output variables
endpoint_base [string]: The base URL for QRadar.
use_mid_server [true/false]: True if QRadar proxies requests through a MID Server.
service_token [string]: A token created by the QRadar administrator to authenticate API users.
use_default_workflows [true/false]: True if the QRadar - Security Incident Enrichment workflow is used to automate the pulling of QRadar data.

Get Local Dest IP Addresses activity

The Get Local Dest IP Addresses workflow activity is used in the QRadar Integration - Run Enrichment for IP workflow (included in the base system) to get local destination IP addresses.

Input variables

Input variables determine the initial behavior of the activity.

Table 88: Input variables
filter [string]: Filter string to send to QRadar.
service_token [string]: The token entered in the Authorized service token field on the QRadar Configuration screen.
qradar_host [string]: The QRadar host entered in the Endpoint base field on the QRadar Configuration screen.
use_mid [Boolean]: Flag to indicate whether a MID Server is to be used. It is retrieved from the Use MID server check box on the QRadar Configuration screen.

REST Execution Command

Use the input variables you created to configure the command that Orchestration executes on the REST endpoint. Click Test Inputs and enter substitute values to test the variables. When the tests result in the type of API call you need, click Continue.

Output variables

REST output variables contain values returned from an endpoint that are available to other activities in a workflow or internally to the activity. For more information, see REST template outputs.

Get Source IP Addresses activity

The Get Source IP Addresses workflow activity is used in the QRadar Integration - Run Enrichment for IP workflow (included in the base system) to get source IP addresses.

Input variables

Input variables determine the initial behavior of the activity.

Table 89: Input variables
filter [string]: Filter string to send to QRadar.
service_token [string]: The token entered in the Authorized service token field on the QRadar Configuration screen.
qradar_host [string]: The QRadar host entered in the Endpoint base field on the QRadar Configuration screen.
use_mid [Boolean]: Flag to indicate whether a MID Server is to be used. It is retrieved from the Use MID server check box on the QRadar Configuration screen.

REST Execution Command

Use the input variables you created to configure the command that Orchestration executes on the REST endpoint. Click Test Inputs and enter substitute values to test the variables. When the tests result in the type of API call you need, click Continue.

Output variables

REST output variables contain values returned from an endpoint that are available to other activities in a workflow or internally to the activity. For more information, see REST template outputs.

QRadar Integration - Security Incident Enrichment workflow

When the QRadar Integration - Security Incident Enrichment workflow is executed, the REST calls identified by the QRadar Integration - Run Enrichment for IP workflow are made to QRadar. The data is enriched, and the security incident work notes are updated with the results of the enrichment.

Figure 14: QRadar Integration - Security Incident Enrichment workflow

This workflow includes the following activity: Get IP Address API Filters activity on page 281.

This workflow also passes QRadar filtering information, built from fields in the security incident, to the QRadar Integration - Run Enrichment for IP workflow.

Get IP Address API Filters activity

The Get IP Address API Filters workflow activity is used in the QRadar Integration - Security Incident Enrichment workflow (included in the base system) to get the API filters to be passed to IP-related API calls from a security incident to QRadar.

Input variables

Input variables determine the initial behavior of the activity.

Table 90: Input variables
  si_sys_id [string]: The system id of the security incident.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 91: Output variables
  affected_resource_source_ip_filter [string]: Filter string sent to QRadar REST messages to identify where the affected resource IP address was used as a source IP in QRadar.
  affected_resource_local_dest_ip_filter [string]: Filter string sent to QRadar REST messages to identify where the affected resource IP address was used as a local destination IP in QRadar.
  source_ip_source_ip_filter [string]: Filter string sent to QRadar REST messages to identify where the source IP address was used as a source IP in QRadar.
  source_ip_local_dest_ip_filter [string]: Filter string sent to QRadar REST messages to identify where the source IP address was used as a local destination IP in QRadar.
  dest_ip_source_ip_filter [string]: Filter string sent to QRadar REST messages to identify where the destination IP address was used as a source IP in QRadar.
  dest_ip_local_dest_ip_filter [string]: Filter string sent to QRadar REST messages to identify where the destination IP address was used as a local destination IP in QRadar.
  no_filters_to_apply [true/false]: True if there are no filters to apply.

Components installed with the IBM QRadar SIEM integration

Several types of components are installed with the IBM QRadar integration. Activating the QRadar Integration plugin adds or modifies several tables, user roles, and other components.

Business rules installed with IBM QRadar SIEM integration

QRadar Integration adds the following business rule.

Table 92: Business rules
  QRadar Enrichment (table: Security Incident [sn_si_incident]): Provides the business logic to launch the QRadar - Security Incident Enrichment workflow.

Script includes installed with IBM QRadar SIEM integration

QRadar Integration adds the following script include.

Table 93: Script includes for QRadar Integration
  QRadarEnrichment: Script that encapsulates common QRadar enrichment functionality, such as reading configurations and processing results from QRadar REST calls.

Palo Alto Networks Integration

The Palo Alto Networks integration consists of three products you can use to identify and remediate malware: Palo Alto Networks AutoFocus, Palo Alto Networks Firewall, and Palo Alto Networks WildFire. Each of the products requires separate activation.

Palo Alto Networks - AutoFocus integration

The Palo Alto Networks - AutoFocus integration base system includes a workflow and a series of workflow activities you can use to integrate Palo Alto Networks - AutoFocus with your instance.

Explore
  Palo Alto Networks AutoFocus integration overview on page 283
  integrations on page 256
Set up
  Activate and configure Palo Alto Networks AutoFocus integration on page 283
Use
  Palo Alto Networks AutoFocus Integration orchestration workflows and activities on page 284
  Get AutoFocus Session Info Enrichment workflow on page 284
  Check and Block Value workflow on page 294
Develop
  integration development guidelines on page 256
  Tips for writing integrations on page 263
  Developer training
  Developer documentation
  Components installed with Palo Alto Networks - AutoFocus on page 290

Troubleshoot and get help
  Integration troubleshooting on page 264
  Ask or answer questions in the Security Operations community
  Search the HI Knowledge Base for known error articles
  Contact Support

Palo Alto Networks - AutoFocus integration overview

Palo Alto Networks - AutoFocus is a threat intelligence cloud service that provides prioritized, actionable cyberthreat intelligence.

Activate and configure Palo Alto Networks AutoFocus integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including Palo Alto Networks - AutoFocus.

Role required: sn_sec_pan.admin

Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

1. Access the Palo Alto Networks support site and obtain the API Key.
2. Navigate to the Integration Configuration module. The available security integrations appear as a series of cards.
3. In the Palo Alto Networks AutoFocus card, click Install Plugin.
4. In the Install Palo Alto Networks AutoFocus integration dialog box, review the plugin details and click Activate.
5. When the activation is complete, click Close & Reload Form. The Security Integration screen reloads and the Configure button for the integration is available.
6. Click Configure.
7. Enter (or paste) the API Key you acquired from the Palo Alto Networks support site.
8. Click Submit.

Palo Alto Networks AutoFocus Integration orchestration workflows and activities

The base system includes workflows and workflow activities you can use to integrate AutoFocus with your instance.

Get AutoFocus Session Info Enrichment workflow

When the Palo Alto Networks - Get AutoFocus Session Info Enrichment workflow is executed, it queues a search query with AutoFocus to gather information about a specified source IP. If AutoFocus has knowledge of previous sessions originating from that IP address, a JSON-formatted report is returned.

Role required: sn_si.analyst

The workflow is executed when the Source IP field in a security incident is modified and the record is updated. The workflow fetches the IP address from the incident and submits a query request to AutoFocus.

Figure 15: Palo Alto Networks - Get Wildfire Data Enrichment workflow

1. Navigate to Security Incident > Show Open Incidents.
2. Click the Indicators of Compromise tab and populate the Source IP field.
3. Click Update.

AutoFocus searches its session data for the IP address, and a text file in JSON format is attached to the security incident.

AutoFocus Search Session activity

The AutoFocus Search Session workflow activity submits the IP address assigned to a security incident to AutoFocus as a queued search query. When the activity executes, AutoFocus gathers information about the specified source IP. If AutoFocus has previously identified sessions originating from that IP address, a JSON-formatted report is returned.

Input variables

Input variables determine the initial behavior of the activity.

Table 94: Input variables
  searchsessionquery [string]: The search query for session information.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 95: Output variables
  requeststatus [Boolean]: True if a search query was scheduled for execution in AutoFocus.
  error [string]: The error, if any, that occurred in the activity.
  afcookie [string]: An identifier for the AutoFocus search query, used by the Fetch Search Results activity on page 289 to retrieve the search results.

Create Enrichment Data records activity

This workflow activity stores workflow output data in a table. The Create Enrichment Data records workflow activity can be used with any workflow to store workflow output data. It creates records on the sn_si_enrichment table.

Input variables

Input variables determine the initial behavior of the activity.

Table 96: Input variables
  task_id [string]: The task identifier (task_id) of a configuration item record.
  content [string]: The raw data coming back from running workflows, as a JSON-formatted string. This JSON string is used to populate this record and the related table (sn_si_enrichment_data) records.
  type [string]: Values can be either process or netstat.
  ci [string]: Configuration item.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 97: Output variables
  result [string]: JSON-formatted data that is parsed and stored as name/value pairs.


Fetch Search Results activity

The Fetch Search Results workflow activity fetches the results of the search query initiated by the AutoFocus Search Session activity, identified by the cookie that activity returned.

Input variables

Input variables determine the initial behavior of the activity.

Table 98: Input variables
  afcookie [string]: The AutoFocus cookie for the search request generated by the AutoFocus Search Session activity on page 286.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 99: Output variables
  searchpending [Boolean]: True if the search request is still processing in AutoFocus.
  result [string]: The search results data.
  status [Boolean]: True if the search is completed and results have been successfully generated.
  error [string]: The error, if any, that occurred in the activity.

Write content to record as attachment activity

This activity writes the content passed in from an input and creates a designated attachment on a given record. The Write content to record as attachment activity can be used with any workflow to write content and attach it to a record.

Input variables

Input variables determine the initial behavior of the activity.

Table 100: Input variables
  tablename [string]: The table name for the record. This input field is mandatory.
  sysid [string]: The system identifier (sys_id) of a task record. This input field is mandatory.
  payload: The plain text content to be written as an attachment. This input field is mandatory.
  filename: The attachment file name.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 101: Output variables
  result [string]: Indicates whether the update was successful.

Components installed with Palo Alto Networks - AutoFocus

Several types of components are installed when you activate the Palo Alto Networks - AutoFocus integration. Activating it adds a business rule and a script include.

Script includes installed with Palo Alto Networks AutoFocus integration

Palo Alto Networks - AutoFocus integration adds the following script include.

Table 102: Script includes for Palo Alto Network AutoFocus Integration
  AutoFocusService: A service class for fetching information using the AutoFocus APIs.

Business rules installed with Palo Alto Networks AutoFocus integration

Palo Alto Networks - AutoFocus integration adds the following business rule.

Table 103: Business rule for Palo Alto Network AutoFocus Integration
  AutoFocus Search Session for Source IP (table: Security Incident [sn_si_incident]): Triggers a workflow to enrich source IP session information from AutoFocus.

Palo Alto Networks - Firewall integration

To use the Palo Alto Networks - Firewall integration, ensure that you have a MID Server set up with SSH credentials. If a firewall configuration does not already exist, add one.

Explore
  Palo Alto Networks Firewall integration overview on page 291
  integrations on page 256
Set up
  Set up SSH credentials to the MID Server on page 291
  Activate and configure the Palo Alto Networks Firewall Integration on page 292
Use
  Palo Alto Networks Firewall Integration orchestration workflows and activities on page 294
  Check and Block Value workflow on page 294
  Get Log Data workflow on page 300
Develop
  integration development guidelines on page 256
  Tips for writing integrations on page 263
  Developer training
  Developer documentation
  Components installed with Palo Alto Networks - Firewall on page 307
Troubleshoot and get help
  Integration troubleshooting on page 264
  Ask or answer questions in the Security Operations community
  Search the HI Knowledge Base for known error articles
  Contact Support

Palo Alto Networks - Firewall integration overview

The Palo Alto Networks - Firewall integration base system includes a workflow and a series of workflow activities you can use to integrate Palo Alto Networks - Firewall with your instance.

Set up SSH credentials to the MID Server

The Block Value activity connects to the MID Server over SSH to run the script that updates the External Dynamic List, so ensure that SSH credentials have been created for the MID Server.

Role required: admin

The Orchestration plugin must be activated.

1. Navigate to Orchestration > Credentials & Connections > Credentials.
2. Click New.
3. In the Interceptor screen, click SSH Credentials.
4. Fill in the fields, as needed.

Table 104: SSH Credentials
  Name: Enter a name for the credential.
  Active: Select this check box to activate this credential.
  Applies to: Select All MID servers or Specific MID servers.
  MID Servers: If you selected Specific MID servers, click the lock icon and select the MID Servers you want to apply these credentials to.
  Order: Select the order in which the credentials are tried by the server. Smaller numbers are tried first.
  User name: Enter the user name of the user associated with these credentials, if any.
  Password: If you entered a User name, enter the user's password.
  Tag: Enter a tag to be used as search criteria. The Tag field should contain the same value as the Name; the Block Value activity refers to the credential by this tag (its SSHCredentialTag input).

Activate and configure the Palo Alto Networks Firewall Integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including Palo Alto Networks - Firewall.

Role required: sn_sec_pan.admin

Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

1. Before activating and configuring the integration, access the Palo Alto Networks Firewall dashboard. Take note of the names of the IP Dynamic List, URL Dynamic List, or Domain Dynamic List you are using for firewall blocking.
2. Navigate to the Integration Configuration module. The available security integrations appear as a series of cards.
3. In the Palo Alto Networks Firewall card, click Install Plugin.
4. In the Install Palo Alto Networks Firewall integration dialog box, review the plugin details and click Activate.
5. When the activation is complete, click Close & Reload Form. The Security Integration screen reloads and the Configure button for the integration is available.
6. Click Configure.
7. Click Configure firewalls.
8. In the Firewall Configurations screen, click New.
9. Fill in the fields on the form, as appropriate.
     Firewalls: Click the lock icon and select the firewall to be configured.
     Firewall Version: Select the Palo Alto Networks Firewall version. PAN-OS-7.1 is the recommended version. Selecting earlier versions may return inconsistent results.
     Username: Enter the username to use when connecting to the firewall via REST endpoints. Use an account dedicated to the integration so that its API activity is distinguishable from administrators' in the firewall's logs.
     Password: Enter the password for the connecting user.
     IP Dynamic List: Enter the name of the External Dynamic List or Dynamic Block List you use for IP addresses.
     URL Dynamic List: Enter the name of the External Dynamic List or Dynamic Block List you use for URLs.
     Domain Dynamic List: Enter the name of the External Dynamic List or Dynamic Block List you use for domains.
10. Click Submit.

Palo Alto Networks Firewall Integration orchestration workflows and activities

The base system includes workflows and workflow activities you can use to integrate Firewall with your instance.

Check and Block Value workflow

As security incidents are created to isolate potential malware, you can use the Palo Alto Networks - Check and Block Value workflow to automatically check IP addresses, URLs, and domains against the External Dynamic Lists defined in Palo Alto Networks - Firewall and to block those that are not yet listed.

Role required: sn_si.analyst

The Palo Alto Networks - Check and Block Value workflow is executed when Firewall Block Requests are submitted. The block request specifies the firewall to be used, the type of value to be checked and blocked (if needed), and the block value, that is, the IP address, URL, or domain in question.

During workflow execution, commands defined under Palo Alto Networks Integration > Firewall > Commands are run. The Show type commands (for example, Show-IP-ExternalDynamicList) determine whether the value already exists on the firewall. The Refresh type commands (for example, Refresh-IP-ExternalDynamicList) make the firewall re-read the list from its source after a value that was not present has been appended to it. After the Blocked Status activity executes, approval by a system administrator is required before the workflow can proceed to block the value.


2. Click New.
3. Fill in the fields on the form, as appropriate.
     Firewall: Select the firewall to be used.
     Block Type: Select the type of value to be checked: IP, URL, or DOMAIN.
     Block Value: Enter the value of the selected type to be checked on the firewall.
4. Click Submit.

Palo Alto Firewall: Block Request Status activity

This activity is called by other activities to set the Firewall block request status to success or failure.

Input variables

Input variables determine the initial behavior of the activity.

Table 105: Input variables
  firewallblockrequestsysid [string]: The system id of the firewall block request. This input variable is mandatory.
  status [string]: Indicates whether the refresh job ran: success or failure.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 106: Output variables
  result [string]: Indicates the success or failure of the refresh job.

Palo Alto Firewall: Block Value activity

After the workflow has identified a value that is not on the firewall, the record is routed for approval. Upon approval, this activity connects to the MID Server via your SSH credentials and invokes a script that adds the value to the firewall External Block List. Because the value is handed to a shell script on the MID Server, confirm that it is a well-formed IP address, URL, or domain before approving the request.

Input variables

Input variables determine the initial behavior of the activity.

Note: You must manually enter the input variables for this activity and then publish the workflow. If the workflow is not published, the input variables are not saved for non-admin users.

Table 107: Input variables
  tobeblockedvalue [string]: The value to be added to the EDL if not already present. This input variable is mandatory.
  typetobeblocked [string]: The type of value to be blocked: IP, URL, or Domain. This input variable is mandatory.
  targethost [string]: The MID Server on which the script is executed.
  SSHCredentialTag [string]: The SSH credential tag defined on the MID Server.
  scriptcommand [string]: The AppendValueToList.sh script used to add the value to the EDL. It requires the full path to the script on the MID Server.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 108: Output variables
  result [string]: The result returned from the EDL update.

Palo Alto Firewall: Blocked Status activity

This activity checks whether the value (IP, URL, or domain) is included in its respective External Dynamic List/Dynamic Block List (EDL/DBL) on the firewall. The EDL/DBL details are obtained from the firewall using an operational command, and a routine checks whether the value is present in them, that is, already blocked on the firewall.

Input variables

Input variables determine the initial behavior of the activity. All input variable entries listed are mandatory.

Table 109: Input variables
  valuetobechecked [string]: The value in the block request.
  showedldetailscommand [string]: The External Dynamic List command used to determine whether the value exists on the firewall.
  FirewallIpAddress [string]: The IP address of the firewall used.
  FirewallApiKey [string]: The firewall API key.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as data dynamically generated using the Palo Alto Firewall Operational Command API message.

Table 110: Output variables
  commandresult [string]: The results from the firewall for the show EDL Details command.
  blockedstatus [Boolean]: True indicates blocked. False indicates not blocked.
  commandresponse [string]: The response status obtained from the firewall for the show EDL Details command.

Palo Alto Firewall: Get API Key activity

This activity retrieves the API key from the firewall.

Input variables

Input variables determine the initial behavior of the activity. All input variable entries listed are mandatory.

Table 111: Input variables
  Username [string]: The user name of the firewall administrator.
  Password [string]: The firewall administrator password.
  FirewallIpAddress [string]: The IP address of the firewall.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 112: Output variables
  APIKey [string]: The firewall API key.

Palo Alto Firewall: Get Firewall Config activity

The Palo Alto Firewall: Get Firewall Config workflow activity gets all the related firewall configuration information from the database and makes it available for use by the subsequent activity.

Input variables

Input variables determine the initial behavior of the activity.

Table 113: Input variables
  firewallsysid [string]: The system id of the firewall. This input variable is mandatory.
  typeofvaluetobeblocked [string]: The type of value to be blocked on the firewall: IP, URL, or Domain.
  firewallipaddress [string]: The IP address of the firewall.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 114: Output variables
  ipedlname [string]: The External Dynamic List name for IP addresses.
  urledlname [string]: The External Dynamic List name for URLs.
  domainedlname [string]: The External Dynamic List name for domains.
  firewallversionsysid [string]: The system id for the firewall version.
  refreshedlcommand [string]: The command used to refresh the EDL from its source.
  ShowEDLDetailsCommand [string]: The command used to get the EDL details.
  status [Boolean]: True indicates success. False indicates failure.
  error [string]: The error, if any, that occurred in the activity.
  endpoint [Encrypted]: The encrypted endpoint from the database.

Palo Alto Firewall: Refresh EDL/DBL activity

This activity executes an operational command on the firewall to refresh the External Dynamic List from the source configured on the firewall. The output of this activity indicates whether the refresh job has been queued.

Input variables

Input variables determine the initial behavior of the activity. All input variable entries listed are mandatory.

Table 115: Input variables
  FirewallIpAddress [string]: The IP address of the firewall being refreshed.
  FirewallApiKey [string]: The firewall API key.
  FirewallCommand [string]: The operational command to be executed to queue the refresh job.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 116: Output variables
  activity.output.result [string]: A text string indicating whether the refresh job was queued to run: success or failure.

Get Log Data workflow

If Security Incident Response, Threat Intelligence, and Palo Alto Networks - Firewall are activated, the Palo Alto Networks - Get Log Data workflow automatically executes when the Source IP observable in a security incident is changed.

Role required: sn_si.analyst

During workflow execution, firewall configuration information is retrieved from the database and the API Key is retrieved from the firewall. The Get Log activity queues a search query on the firewall. When the query runs, it returns a Job ID that is used to retrieve threat log data from the firewall. The workflow attaches the log data as an XML file to the security incident.


Click the Security Incident Observables tab.
In Source IP, add or modify the IP address.
Click Update.

The Palo Alto Networks - Get Log Data workflow executes and the enriched threat log data is attached to the security incident. The information is also parsed and displayed in the Firewall Logs section under the Enrichment Data tab.

Create Enrichment Data records activity

This is the same Create Enrichment Data records activity described under the Palo Alto Networks - AutoFocus integration: it stores workflow output data as records on the sn_si_enrichment table, with the same input variables (task_id, content, type, ci) and the same output variable (result), the JSON-formatted data parsed and stored as name/value pairs.


Palo Alto Firewall: Get API Key activity

This activity retrieves the API key from the firewall. Its input variables (Username, Password, FirewallIpAddress, all mandatory) and its output variable (APIKey) are the same as for the Palo Alto Firewall: Get API Key activity described above under the Check and Block Value workflow.

Palo Alto Firewall: Get Firewall Config activity

This activity gets all the related firewall configuration information from the database and makes it available for use by the subsequent activity. Its input variables (firewallsysid, typeofvaluetobeblocked, firewallipaddress) and output variables (ipedlname, urledlname, domainedlname, firewallversionsysid, refreshedlcommand, ShowEDLDetailsCommand, status, error, endpoint) are the same as for the Palo Alto Firewall: Get Firewall Config activity described above under the Check and Block Value workflow.

Palo Alto Firewall: Get Log activity

The Palo Alto Firewall: Get Log workflow activity schedules a query on the firewall to retrieve logs and returns a JobID used to retrieve the log data.

Input variables

Input variables determine the initial behavior of the activity.

Table 123: Input variables
  FirewallIpAddress [string]: The IP address of the firewall. This input variable is mandatory.
  FirewallApiKey [string]: The API access key of the firewall. This input variable is mandatory.
  FirewallLogType [string]: The type of log data to be retrieved (set to threat). This input variable is mandatory.
  FirewallLogFilterQuery [string]: The query to be executed to search for logs on the firewall. This input variable is mandatory.
  LogDirection [string]: Specifies whether logs are returned oldest first (backward) or newest first (forward).
  LogNumber [string]: Specifies the number of logs to retrieve.
  LogSkipCount [string]: Specifies the number of logs to skip when doing a log retrieval.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 124: Output variables
  QueuedJobID [string]: The Job ID returned from the firewall.
  JobScheduled [string]: Specifies (success or failure) whether the job was sent to the firewall.
  error [string]: Any errors returned.

Palo Alto Firewall: Job Data Action activity

After the Palo Alto Firewall: Get Log activity queues the search query on the firewall and the job runs, the Palo Alto Firewall: Job Data Action activity retrieves the threat log data from the firewall.

Input variables

Input variables determine the initial behavior of the activity. All input fields are mandatory.

Table 125: Input variables
  FirewallIpAddress [string]: The IP address of the firewall.
  FirewallApiKey [string]: The API access key of the firewall.
  JobID [string]: The ID of the queued job.

Output variables

The output variables contain data that can be used in subsequent activities. The output consists of data from the firewall configuration, as well as dynamically generated data.

Table 126: Output variables
  commandstatus [string]: Specifies (success or failure) whether data was retrieved from the firewall.
  JobData [string]: The data collected from the firewall.
  error [string]: Any errors returned.

Write content to record as attachment activity

This is the same Write content to record as attachment activity described under the Palo Alto Networks - AutoFocus integration: it writes the content passed in (payload) as an attachment named filename on the record identified by tablename and sysid, and its output variable (result) indicates whether the update was successful.

Components installed with Palo Alto Networks - Firewall

Several types of components are installed when you activate the Palo Alto Networks - Firewall integration. Activating it adds or modifies several tables, user roles, and other components.

Tables installed with Palo Alto Networks - Firewall

Palo Alto Networks - Firewall adds the following tables.

308 Table 129: Tables Table Firewall Block Request Used to process firewall block requests. sn_sec_pan_firewall_block_request Firewall Command Used to store firewall check and block commands. sn_sec_pan_firewall_command Firewall Command Type Used to store firewall command types. sn_sec_pan_firewall_command_type Firewall Configuration Stores firewall configuration settings. sn_sec_pan_firewall_config Firewall Version Used to store the versions of firewalls employed. sn_sec_pan_firewall_version Business rules installed with Palo Alto Networks - Firewall Palo Alto Networks - Firewall adds the following business rules. Table 130: Business rules Business rule Table Firewall Get Threat Log for Source IP Security Incident Retrieves the threat log from the firewall when the Source IP field changes. Trigger Firewall Block Request Firewall Block Request [sn_si_incident] Queues up the firewall block request. sn_sec_pan_firewall_block_request Script includes installed with Palo Alto Networks - Firewall Palo Alto Networks - Firewall adds the following script include. Table 131: Script include for Palo Alto Network Firewall Integration Script include PaloAltoFirewallConfigService A service class for fetching information using the Firewall APIs. Roles installed with Palo Alto Networks - Firewall Palo Alto Networks - Firewall adds the following roles. 308

Table 132: Roles
Role title [name] | Description | Contains roles
Palo Alto Networks Admin [sn_sec_pan.admin] | Palo Alto Networks applications. | sn_sec_pan.read
Palo Alto Networks Read [sn_sec_pan.read] | Ability to read Palo Alto Networks records. | None
Palo Alto Networks User [sn_sec_pan.user] | Can read and write Palo Alto Networks records. | sn_sec_pan.read

Palo Alto Networks - WildFire integration

Palo Alto Networks - WildFire is a cloud-based application that interacts with your system firewall.

Explore
- Palo Alto Networks WildFire integration overview on page 309
- integrations on page 256

Set up
- Activate and configure the Palo Alto Networks WildFire integration on page 310

Use
- Palo Alto Networks WildFire Integration orchestration workflows and activities on page 310

Develop
- integration development guidelines on page 256
- Tips for writing integrations on page 263
- Developer training
- Developer documentation
- Components installed with Palo Alto Networks - WildFire on page 319

Troubleshoot and get help
- Integration troubleshooting on page 264
- Ask or answer questions in the Security Operations community
- Search the HI Knowledge Base for known error articles
- Contact Support

Palo Alto Networks - WildFire integration overview

The Palo Alto Networks - WildFire integration base system includes a workflow and a series of workflow activities you can use to integrate Palo Alto Networks - WildFire with your instance. For more information on WildFire, see the Palo Alto Networks WildFire portal.

Activate and configure the Palo Alto Networks WildFire integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including Palo Alto Networks - WildFire.

Role required: sn_sec_pan.admin

Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method. The Threat Intelligence plugin [com.snc.threat] must be installed before you can activate and configure WildFire.

1. Access the Palo Alto Networks support site and obtain the API Key.
2. Navigate to > Integration Configuration. The available security integrations appear as a series of cards.
3. In the Palo Alto Networks WildFire card, click Install Plugin.
4. In the Install Palo Alto Networks WildFire integration dialog box, review the plugin details and click Activate.
5. When the activation is complete, click Close & Reload Form. The Security Integration screen reloads and the Configure button for the integration is available.
6. Click Configure.
7. Enter (or paste) the API Key you acquired from the Palo Alto Networks support site.
8. Click Submit.

Palo Alto Networks WildFire Integration orchestration workflows and activities

The base system includes workflows and workflow activities you can use to integrate WildFire with your instance.

Get WildFire Data Enrichment workflow

When the Palo Alto Networks - Get WildFire Data Enrichment workflow is executed, a file hash is uploaded to WildFire. The data is enriched, and reports are downloaded to the instance to aid in processing potential malware attacks.

Role required: sn_si.analyst

The Palo Alto Networks - Get WildFire Data Enrichment workflow is executed when a security incident is created from an alert received from the Palo Alto Networks Firewall application.

A malware hash from the notification received from the firewall is entered on the IoC tab of the security incident, and the record is updated.

Figure 18: Palo Alto Networks - Get WildFire Data Enrichment workflow

1. Navigate to Security Incident > Show Open Incidents.
2. Based on the notification received from the firewall, locate and open the security incident that was created.
3. Click the Indicators of Compromise tab and populate the Malware hash with the hash you received in the alert.
4. Click Update.

The workflow causes the hash to be uploaded to WildFire, where the data is enriched. Reports in PDF and XML format are attached to the record (security incident or IoC) in your instance to aid in processing potential malware attacks.

Note: If the enriched data includes packet capture information, PCAP information is also downloaded. PCAP data captures what actions the file was performing. For example, it can report on what servers the file was contacting. To view PCAP files, you need a packet analyzer, such as Wireshark.

Figure 19: Sample PDF generated by WildFire

Create Enrichment Data records activity

This workflow activity stores workflow output data in a table. The Create Enrichment Data records workflow activity can be used with any workflow to store workflow output data. It creates records on the sn_si_enrichment table.

Input variables

Input variables determine the initial behavior of the activity.

Table 133: Input variables
Variable | Description
task_id [string] | The task identifier (task_id) of a configuration item record.
content [string] | The raw data coming back from running workflows, as a JSON-formatted string. This JSON string is used to populate this record and the related table (sn_si_enrichment_data) records.
type [string] | Values can be either process or netstat.
ci [string] | Configuration item.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 134: Output variables
Variable | Description
result [string] | JSON-formatted data that is parsed and stored in name/value pairs.
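The activity above takes a JSON string from a collection workflow and turns it into name/value records. The following added example (not ServiceNow's code) shows that contract in Node.js: flattenToPairs, newStore and createEnrichmentRecords are hypothetical names, an in-memory store stands in for the sn_si_enrichment and sn_si_enrichment_data tables, the error field on the result is an addition for the failure paths, and the netstat-style input is constructed.

```javascript
// Added example (not ServiceNow code): what "Create Enrichment Data records"
// does with its inputs, using an in-memory store in place of the
// sn_si_enrichment and sn_si_enrichment_data tables (assumption).

const ENRICHMENT_TYPES = new Set(['process', 'netstat']);

// Flatten parsed JSON into name/value pairs. Nested objects get dotted
// names and arrays get indexed names, e.g. connections[0].remote.
function flattenToPairs(value, prefix = '', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => flattenToPairs(item, `${prefix}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      flattenToPairs(child, prefix ? `${prefix}.${key}` : key, out);
    }
  } else {
    out.push({ name: prefix, value: value === null ? '' : String(value) });
  }
  return out;
}

function newStore() {
  return { enrichment: [], enrichment_data: [] };
}

// Mirrors the activity's contract: inputs task_id, content, type, ci;
// output "result" is the parsed name/value pairs as a JSON string.
// The "error" field is added here for the failure paths (assumption).
function createEnrichmentRecords(inputs, store) {
  const { task_id, content, type, ci } = inputs;
  if (!task_id) return { result: '', error: 'task_id is mandatory' };
  if (!ENRICHMENT_TYPES.has(type)) {
    return { result: '', error: `unsupported type "${type}" (expected process or netstat)` };
  }
  let parsed;
  try {
    parsed = JSON.parse(content);
  } catch (e) {
    // Malformed workflow output must not create half-populated records.
    return { result: '', error: 'content is not valid JSON: ' + e.message };
  }
  const pairs = flattenToPairs(parsed);
  const parent = { sys_id: `enr-${store.enrichment.length + 1}`, task: task_id, type, ci };
  store.enrichment.push(parent);
  for (const p of pairs) {
    store.enrichment_data.push({ enrichment: parent.sys_id, name: p.name, value: p.value });
  }
  return { result: JSON.stringify(pairs), error: '' };
}

// Constructed sample: netstat-style output a collection workflow might return.
const SAMPLE_NETSTAT = JSON.stringify({
  host: 'srv-01',
  connections: [
    { proto: 'tcp', local_port: 443, remote: '198.51.100.7', state: 'ESTABLISHED' },
    { proto: 'tcp', local_port: 22, remote: '203.0.113.9', state: 'LISTEN' },
  ],
});

const demoStore = newStore();
console.log(createEnrichmentRecords(
  { task_id: 'SIR0001001', content: SAMPLE_NETSTAT, type: 'netstat', ci: 'srv-01' },
  demoStore).result);
```

The validation order matters: the type and the JSON are checked before any record is written, so a malformed payload leaves the store untouched instead of a parent record with no data rows.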


WildFire: Get PCAP activity

The WildFire: Get PCAP workflow activity gets the packet capture (PCAP) information generated during the analysis of a specified file hash on WildFire. The result of this activity is attached to a specific record as identified by the TableName and RecordId.

Input variables

Input variables determine the initial behavior of the activity.

Table 135: Input variables
Variable | Description
FileSHA256Hash [string] | The hash of the file received from the Palo Alto Networks Firewall application.
TableName [string] | The affected table.
RecordId [string] | The security incident or IoC being updated.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 136: Output variables
Variable | Description
commandstatus [Boolean] | True if a result is obtained and attached successfully.
errormessage | The error, if any, that occurred in the activity.

WildFire: Get PDF Report activity

The WildFire: Get PDF Report workflow activity gets the report generated during the analysis of a specified file hash on WildFire, in PDF format. The result of this activity is attached to a specific record as identified by the TableName and RecordId.

Input variables

Input variables determine the initial behavior of the activity.

Table 137: Input variables
Variable | Description
TableName [string] | The affected table.
FileSHA256Hash [string] | The hash of the file received from the Palo Alto Networks Firewall application.
RecordId [string] | The security incident or IoC being updated.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 138: Output variables
Variable | Description
commandstatus [Boolean] | True if a result is obtained and attached successfully.
errormessage | The error, if any, that occurred in the activity.

WildFire: Get XML Report activity

The WildFire: Get XML Report workflow activity gets the report generated during the analysis of a specified file hash on WildFire, in XML format. The result of this activity is attached to a specific record as identified by the TableName and RecordId.

Input variables

Input variables determine the initial behavior of the activity.

Table 139: Input variables
Variable | Description
TableName [string] | The affected table.
FileSHA256Hash [string] | The hash of the file received from the Palo Alto Networks Firewall application.
RecordId [string] | The security incident or IoC being updated.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 140: Output variables
Variable | Description
commandstatus [Boolean] | True if a result is obtained and attached successfully.
errormessage | The error, if any, that occurred in the activity.

Write content to record as attachment activity

This activity writes the content passed in from an input and creates a designated attachment on a given record. The Write content to record as attachment activity can be used with any workflow to write content and attach it to a record.
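The three WildFire report activities above share one shape (FileSHA256Hash, TableName, RecordId in; commandstatus and errormessage out) and all end by attaching the downloaded report to the record, which is what the Write content to record as attachment activity does with tablename, sysid, payload and filename. The following added example, which is not ServiceNow's or Palo Alto Networks' code, models both contracts together in Node.js: fetchWildFireReport is a stand-in for the WildFire API backed by a constructed table keyed on one placeholder hash, an in-memory array stands in for the attachment table, the result strings "success"/"failure: ..." and the default filename attachment.txt are assumptions, and the hash is validated as 64 hex characters before anything is looked up.

```javascript
// Added example; not code from ServiceNow or Palo Alto Networks.
// Models the WildFire: Get PCAP / Get PDF Report / Get XML Report activities
// and the Write content to record as attachment activity they rely on.

const SHA256_RE = /^[0-9a-f]{64}$/i;

// Constructed placeholder: a hash WildFire has "already analysed". Not a real sample.
const SAMPLE_HASH = 'a'.repeat(64);
const FAKE_WILDFIRE_REPORTS = {
  [SAMPLE_HASH]: {
    pdf: '%PDF-1.4\n(constructed WildFire report body)',
    xml: '<wildfire><verdict>malware</verdict></wildfire>',
    pcap: 'constructed pcap bytes',
  },
};

// Stand-in for the WildFire API (assumption); null when no report exists.
function fetchWildFireReport(hash, format) {
  const entry = FAKE_WILDFIRE_REPORTS[hash.toLowerCase()];
  return entry && entry[format] ? entry[format] : null;
}

// "Write content to record as attachment": tablename, sysid and payload are
// mandatory, as the input table states; filename defaults to attachment.txt
// and the result strings are assumptions of this example.
function writeContentAsAttachment(inputs, attachments) {
  for (const field of ['tablename', 'sysid', 'payload']) {
    if (!inputs[field]) return { result: `failure: ${field} is mandatory` };
  }
  attachments.push({
    table_name: inputs.tablename,
    table_sys_id: inputs.sysid,
    file_name: inputs.filename || 'attachment.txt',
    size_bytes: Buffer.byteLength(inputs.payload, 'utf8'),
    content: inputs.payload,
  });
  return { result: 'success' };
}

// Shared body of the three WildFire report activities. format is 'pcap',
// 'pdf' or 'xml'; the return value is the activity's output variables.
function getWildFireReport(format, inputs, attachments) {
  const { FileSHA256Hash, TableName, RecordId } = inputs;
  if (!['pcap', 'pdf', 'xml'].includes(format)) {
    return { commandstatus: false, errormessage: `unknown report format "${format}"` };
  }
  // Reject anything that is not a SHA-256 before it reaches an outbound request.
  if (!SHA256_RE.test(FileSHA256Hash || '')) {
    return { commandstatus: false, errormessage: 'FileSHA256Hash is not a valid SHA-256 hex digest' };
  }
  const body = fetchWildFireReport(FileSHA256Hash, format);
  if (body === null) {
    return { commandstatus: false, errormessage: `no ${format} report available for ${FileSHA256Hash}` };
  }
  const written = writeContentAsAttachment({
    tablename: TableName,
    sysid: RecordId,
    payload: body,
    filename: `${FileSHA256Hash.toLowerCase()}.${format}`,
  }, attachments);
  if (written.result !== 'success') {
    return { commandstatus: false, errormessage: written.result };
  }
  return { commandstatus: true, errormessage: '' };
}

const demoAttachments = [];
console.log(getWildFireReport('pdf',
  { FileSHA256Hash: SAMPLE_HASH, TableName: 'sn_si_incident', RecordId: 'sir-placeholder' },
  demoAttachments), demoAttachments.length);
```

Every failure path sets commandstatus to false and leaves the attachment list unchanged, so a downstream workflow step can branch on commandstatus alone and read errormessage only for logging.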

Input variables

Input variables determine the initial behavior of the activity.

Table 141: Input variables
Variable | Description
tablename [string] | The table name for the record. This input field is mandatory.
sysid [string] | The system identifier (sys_id) of a task record. This input field is mandatory.
payload | The plain text content to be written as an attachment. This input field is mandatory.
filename | The attachment file name.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 142: Output variables
Variable | Description
result [string] | Indicates whether the update was successful.

Components installed with Palo Alto Networks - WildFire

Several types of components are installed with the Palo Alto Networks - WildFire integration. Activating Palo Alto Networks - WildFire adds or modifies several tables, user roles, and other components.

Script includes installed with Palo Alto Networks WildFire integration

Palo Alto Networks WildFire integration adds the following script include.

Table 143: Script includes for Palo Alto Networks WildFire integration
Script include | Description
WildFireService | A service class for fetching information using WildFire APIs.

Business rules installed with Palo Alto Networks WildFire integration

Palo Alto Networks - WildFire integration adds the following business rule.

Table 144: Business rule for Palo Alto Networks WildFire integration
Business rule | Table | Description
Malware hash enrichment | Security Incident [sn_si_incident] | Executes the Security Operations Palo Alto Networks - WildFire Data Enrichment workflow.

Qualys Cloud Platform integration

If your organization uses the Qualys Cloud Platform to detect vulnerabilities, you can integrate it with Vulnerability Response. When the third-party Qualys scanner detects vulnerability data, that data is imported into Vulnerability Response for tracking, prioritization, and resolution.

Explore
- Understanding Qualys Cloud Platform integration on page 321
- Qualys data transformation on page 324

Set up
- Essential preparations for Qualys Cloud Platform integration on page 320
- Understanding Qualys Cloud Platform integration on page 321
- Activate and configure Qualys Vulnerability Integration plugin on page 339

Use
- Configure and import Qualys Vulnerability integrations on page 341

Develop
- integration development guidelines on page 256
- Tips for writing integrations on page 263
- Developer training
- Developer documentation

Troubleshoot and get help
- Qualys Vulnerability Integration troubleshooting on page 369
- Integration troubleshooting on page 264
- Ask or answer questions in the Security Operations community
- Search the HI Knowledge Base for known error articles
- Contact Support

Essential preparations for Qualys Cloud Platform integration

A successful integration requires planning and careful execution of pre-integration tasks. It is essential that you prepare for the integration by performing these procedures. The Qualys Cloud Platform integration assumes that you are familiar with, and already run, Qualys scans in your environment.

Note: Make any necessary configuration changes based on your requirements before running the integrations.

Important prerequisites

- Validate your instance sizing based on the number of vulnerable items you expect to import. An undersized instance can lead to long load times. If you do not know the size of your instance, contact your representative.
- Use filtering to limit the number of items for the initial import, and phase your deployment by adjusting filters in subsequent imports.

Actions to take

- Modify an initial start date on page 353 for Host Detection List Import integrations. Consider setting the Start time field to a few hours or days in the past. Ideally, choose the date of the last Qualys scan. The start date can include vulnerabilities discovered prior to using the vulnerability management solution. Set the earliest start time used to the start of your scanning cycle. So, if it takes a week before all hosts are scanned, set this value to a week prior to that time.
  Note: With default HTTP Query Parameter settings, all vulnerabilities are retrieved and a large set of data can result. Modify REST message parameters to affect data retrieval on page 348 prior to initial and delta data retrievals.
- To shorten load time for large data sets, add Qualys host ID indexes.
- Add users to the roles admin, sn_vuln.admin, and sn_vul_qualys.admin. For more information, see Assign a role to a user.
- If the default System Administrator account is removed or disabled, Set the integration execution user on page 369.
- If you do not use vulnerability calculators, Disable the default vulnerability calculator if not used on page 350, in addition to any others you have defined. Vulnerability calculators run every time a vulnerable item record is created or updated, and can impact initial import performance.
- During the initial import of records, certain notification-related business rules can cause many notifications to be generated, impacting performance. Prior to your initial import, Disable notification-related business rules prior to initial record import on page 351.
- If you wish to use a different scanner than the Qualys default, see Set up scanner appliances on page 362.
- Have your Qualys server URL and authentication credentials ready. The credentials must provide adequate permissions for retrieving knowledge, scan, and detection information for a Qualys subscription.

Understanding Qualys Cloud Platform integration

Qualys Cloud Platform sensors collect the data and automatically send it to the Qualys Cloud Platform integration, which continuously analyzes and correlates the information. The integration maps vulnerabilities to CIs and business services in Security Operations to determine the impact and priority of potentially malicious threats, and drives remediation through a coordinated workflow.

Primary and supporting integrations

Qualys primary and supporting integrations enrich the vulnerability data on your instance by retrieving data from Qualys. A series of scheduled jobs invoke the integrations automatically. You can also execute them manually. Scheduled jobs simplify the vulnerability remediation lifecycle by keeping the instance synchronized with other vulnerability management systems. Primary and supporting integrations can be modified.

Primary integrations

A primary integration is an entry point to the Qualys Cloud Platform integration that interacts with the Qualys API and is invoked on a schedule. View the primary integrations by navigating to Qualys Vulnerability Integration > Administration > Primary Integrations. The following primary integrations are included in the base system.

Table 145: Primary integrations
Integration | Description
Qualys Appliance List Integration | Retrieves scanner appliance information from Qualys.
Qualys Asset Group Integration | Retrieves asset group information from Qualys. Asset groups are used to identify which scanner appliances to use for scanning matching configuration items.
Qualys Dynamic Search List Integration | Synchronizes Qualys search lists for finding vulnerable entries, and retrieves dynamic list type records.
Qualys Host Detection Integration | Retrieves host and vulnerability data from Qualys and processes it in your instance. It coordinates the REST message calls to the Host List Detection API. The outputs of this integration are vulnerable items.
Qualys Knowledge Base | Retrieves Qualys knowledge base entries. The retrieved data is based on the date the vulnerabilities were updated by Qualys and on the last time the integration ran. This data is useful for populating historical data into your instance as well as ensuring the Qualys Identifiers (QIDs) are up to date.
Qualys Knowledge Base (Backfill) | Retrieves Qualys knowledge base entries. Scheduled to run after the Qualys Host Detection Integration. Updates your instance with any QIDs that were referenced in the Host Detection integration but did not exist in the system.
Qualys Static Search List Integration | Synchronizes Qualys search lists for finding vulnerable entries. Retrieves only static list type records.

Table 145: Primary integrations (continued)
Integration | Description
Qualys Ticket Integration | Retrieves Qualys tickets and adds them to your instance. It coordinates the REST message calls to the ticket list API. There are often fewer tickets than host detections, since Qualys settings can constrain which detections result in a ticket.

Supporting integrations

A supporting integration is a process that is not intended to run on a schedule, nor without invocation by a primary integration. View the supporting integrations by navigating to Qualys Vulnerability Integration > Administration > Supporting Integrations. The following supporting integrations are included in the base system.

Table 146: Supporting integrations
Integration | Description
Asset Group Pagination Handler | Directs the pagination of the Asset Group Integration.
Host Detection Import Set Reprocess Integration | Handles reprocessing of the Host List import set created by the Host Detection Integration. Processes the detections found for each host and results in vulnerable items being inserted or updated in your instance.
Host Detection Pagination Handler | Directs the pagination of the Host Detection Integration. The Host List Detection API coordinates REST calls for each page request to the server.

Search lists

Search lists are used in Qualys to create custom groups of vulnerabilities. You can save them and use them for ticket creation and to customize vulnerability scans and reports. The Search Lists module allows you to download search list data from Qualys to your instance on a scheduled basis. Search lists are pulled from Qualys using the Dynamic Search List Import and/or Static Search List Import data transformation maps. In each of these transforms, you can define schedules for performing the import.

Host tags

Host tags (also called asset tags) are used for organizing and tracking the assets in your organization. You can assign tags to your host assets. Then, when launching scans, you can select tags associated with the hosts you want to scan. The Host Tags module allows you to download host tag data from Qualys to your instance on a scheduled basis. Asset data that includes host tags is pulled from Qualys using the Host Detection List Import on page 325 integration data transformation map.

Qualys data transformation

The data retrieved from Qualys is processed through a set of data sources and transform maps.

Host Import

The Qualys Host Import (cmdb_ci) transform map is used to transform data returned from the Host Detection API call into cmdb_ci records. Changes to this transform alter how the host information is processed and inserted into the system. Unmatched hosts are stored in the Qualys CIs (sn_vul_qualys_ci) table. To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Host Import. The table contains the fields currently being transformed.

Table 147: Qualys host import fields
Source field | Target field | Description
[Script] | sys_id | Provides logic to find an existing cmdb_ci record to update. If no existing cmdb_ci record is found, it returns null or an empty string and a new record is created. The lookupsysid() function in the QualysSimpleCITransform script include is used.
u_ip | ip_address | Maps the IP address from the API call to the ip_address field on a cmdb_ci record.
u_dns | fqdn | Maps the DNS field from the API call to the fqdn field on a cmdb_ci record.

In addition to field mappings, there are also two transform scripts that are executed during the transformation process. The table shows when these scripts run and what they are used for.

325 Table 148: Script timing and purpose When the script is run Purpose of the script onbefore (before the target record is inserted) Defines additional fields to populate that depend on specific data in the source data (from the API). The logic that handles this script is in the QualysSimpleCITransform script include onbeforetransformscript() function. If special processing (such as changing CI classifications) is required to fine-tune how CIs from Qualys are inserted, either the script or script include can be modified. oncomplete (after an import set has completed transformation) Reprocesses the import set for detections. For internal use. Modifying or deleting is not recommended. Host Detection List Import This transform map is used to transform the detection-specific data returned from the Qualys Host Detection API call to sn_vul_vulnerable_item records. Changes to this transform alter how the detection information is processed and inserted into the system. Note: u_port, u_protocol, and u_ssl are not used to determine a vulnerable item match and accounts for the difference between vulnerable items reported by Qualys and vulnerable items reported by. View the detection list at System Import Sets > Admin > Transform Map > Select Qualys Detection List Transform To access this transform map, click Qualys Vulnerability Integration > Import Set Tables > Host Detection List Import. The table shows the fields that are currently being transformed. Table 149: Detection list transform fields Source field Target field u_prototcol protocol Maps protocol field from API to protocol field on vulnerable item. Not used to determine a vulnerable item match. u_ip ip_address Maps ip field from API to ip_address field on vulnerable item. u_severity qualys_severity Maps severity field from API to qualys_severity field. Used to calculate priority of vulnerable item. 325

326 Source field Target field [Script] vulnerability Looks up a vulnerability. Used to determine a vulnerable item match. This field is a script field because QID needs to be appended to the ID provided by the API. [Script] last_updated_by_qualys Denotes when Qualys updated the vulnerable item. Script field that sets the value to the current date and time. u_status status Maps status field from API to status field on vulnerable item. Later translated to the state of the vulnerable item. [Script] cmdb_ci Looks up a cmdb_ci to reference on the vulnerable item. Uses a combination of Qualys host information in addition to IP, netbios, and dns values from the host. [Script] sys_id Looks up an existing vulnerable item based on host and vulnerability information. If no existing system ID is found, a new vulnerable item is created. [Script] last_found Maps the last found timestamp from the API to the last_found field on the vulnerable item. Script field to format the date for your instance. u_port port Maps the port field from the API to the port field on the vulnerable item. Not used to determine a vulnerable item match. u_dns dns Maps the dns field from the API field to the dns field on the vulnerable item. 326

327 Source field Target field [Script] first_found Maps the first found timestamp from the API to the first_found field on the vulnerable item. Script field to format the date for your instance. [Script] source Provides a source value to enter on a third-party vulnerability entry. Used as an identifier. Modifications are not recommended. u_ssl ssl Maps the ssl field from the API to the ssl field on the vulnerable item. Not used to determine a vulnerable item match. u_results description Maps the results field from the API to the description field on the vulnerable item. Knowledge Base Import The Qualys Knowledgebase Transform map is used to transform the data returned from the Qualys knowledge base API call to vulnerability records. Changes to this transform alter how vulnerability entries are processed and inserted into the system. To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Knowledge Base Import. The table shows the fields currently being transformed. Table 150: Qualys Knowledge Base transform fields Source field Target field u_solution solution Maps the solution field from the API to the solution field on a third-party vulnerability entry record. [Script] last_modified Maps the last modification timestamp from the API response to the last_modified timestamp field on the thirdparty vulnerability entry. Script field because the value has to be specially formatted to translate the API date to a date recognized by your instance. 327

328 Source field Target field [Script] id Maps the ID from the API to the ID field on the third-party vulnerability entry. Script field because the ID from the API has to have a prefix (QID) added to it. [Script] source Provides a source value to enter on a third-party vulnerability entry. Used as an identifier. Modifications are not recommended. [Script] date_published Maps the date the vulnerability was published to the date_published field on the third-party vulnerability entry. Script because the value has to be specially formatted to translate the API date to a date recognized by your instance. u_category category Maps the category field from the API to the category field on the third-party vulnerability entry. u_title summary Maps the title field from the API to the summary field on the third-party vulnerability entry. u_consequence threat Maps the consequence field from the API to the threat field on the third-party vulnerability entry. u_pci_flag pci Maps the pci flag field from the API to the pci field on the thirdparty vulnerability entry. In addition to field mappings, there is also a transform script that is executed during the transformation process. The following table shows when this script runs and what it is used for. 328

329 Table 151: Qualys knowledge base (date-based) transform REST message script timing and purpose When the script is run Purpose of the script onafter (after a vulnerability entry was transformed and inserted) Processes nested values provided by the XML that are small enough not to be transformed by a separate transform map. Used to the process the software list, vendor reference list, correlation list, and CVSS values. Ticket List Import The Qualys ticket list transform map is used to transform the ticket-specific data returned from the Qualys ticket list API call to sn_vul_vulnerable_item records. Changes to this transform alter how vulnerability entries are processed and inserted into the system. To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Ticket List Import. The table shows the fields currently being transformed. Table 152: Qualys ticket list transform map fields Source Field Target field u_detection_ip ip_address Maps the detection IP from the API to the ip_address field on the vulnerable item. [Script] last_updated_by_qualys Denotes when Qualys updated the vulnerable item. Script field that sets the value to the current date/time. u_vulninfo_severity qualys_severity Maps severity field from API to qualys_severity field. Used to calculate priority of vulnerable item. [Script] first_found Maps the first found timestamp from the API to the first_found field on the vulnerable item. This field is a script field because the date needs to be formatted for your instance. u_detection_dnsname dns Maps the dns field from the API to the dns field on the vulnerable item. u_detection_port port Maps the port field from the API to the port field on the vulnerable item. 329

330 Source Field Target field [Script] last_found Maps the last found timestamp from the API to the last_found field on the vulnerable item. This entry is a script field to format the date for your instance. u_detection_nbhname netbios Maps the detection netbios host name to the netbios field on the vulnerable item. [Script] vulnerability Looks up a vulnerability. This entry is a script field to append the QID to the ID provided by Qualys. [Script] source Provides a source value to enter on a third-party vulnerability entry. Used as an identifier. Modifications are not recommended. u_current_state qualys_ticket_state Maps the current state from the API to the qualys_ticket_state field of the vulnerable item. u_number qualys_ticket Maps the ticket number from the API to the qualys_ticket field of the vulnerable item. u_assignee_ qualys_assignee_ Maps the assignee from the API to the qualys_assignee_ of the vulnerable item. u_detection_ssl ssl Maps the ssl field from the API to the ssl field on the vulnerable item. u_current_status status Maps status field from API field to status field on the vulnerable item. Later translated to the state of the vulnerable item. [Script] sys_id Looks up an existing vulnerable item based on host and vulnerability information. If no existing system ID is found, a new vulnerable item is created. 330

Source Field | Target field | Description
u_detection_protocol | protocol | Maps the protocol field from the API to the protocol field on the vulnerable item.
u_details_result | description | Maps the results field from the API to the description field on the vulnerable item.
[Script] | cmdb_ci | Looks up a cmdb_ci reference on the vulnerable item. This entry uses a combination of the Qualys IP, NetBIOS, and DNS values from the host.
u_assignee_name | qualys_assignee_name | Maps the assignee name from the API to the qualys_assignee_name field of the vulnerable item.

In addition to field mappings, there is also a transform script that is executed during the transformation process. The following table shows when this script runs and what it is used for.

Table 153: Qualys ticket list transform map script timing and purpose

When the script is run | Purpose of the script
onComplete (after an import set has completed transformation) | Determines whether additional data should be retrieved from the API. For internal use. Modifying or deleting is not recommended.

Dynamic Search List Import

The Qualys dynamic search list transform map is used to transform and import Qualys Dynamic Search Lists. Changes to this transform alter how Dynamic Search Lists are processed and inserted into the system.

To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Dynamic Search List Import. The following table shows the fields currently being transformed.

Table 154: Qualys dynamic search list transform map fields

Source Field | Target field | Description
u_id | id | Used as the identifier for the Qualys Dynamic Search List.
[Script] | list_type | The type of search list. Dynamic is the default for the Dynamic Search List transform.
u_title | title | The name in Qualys for this search list.

In addition to field mappings, there is also a transform script that is executed during the transformation process. The following table shows when this script runs and what it is used for.

Table 155: Qualys dynamic search list transform map script timing and purpose

When the script is run | Purpose of the script
onAfter (after an import set has completed transformation) | Creates the relationships between Search Lists and their related vulnerabilities. For internal use. Modifying or deleting is not recommended.

Static Search List Import

The Qualys static search list transform map is used to transform and import Qualys Static Search Lists. Changes to this transform alter how Static Search Lists are processed and inserted into the system.

To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Static Search List Import. The following table shows the fields currently being transformed.

Table 156: Qualys static search list transform map fields

Source Field | Target field | Description
u_id | id | Used as the identifier for the Qualys Static Search List.
u_title | title | The name in Qualys for this search list.
[Script] | list_type | The type of search list. Static is the default for the Static Search List transform.

In addition to field mappings, there is also a transform script that is executed during the transformation process. The following table shows when this script runs and what it is used for.

Table 157: Qualys static search list transform map script timing and purpose

When the script is run | Purpose of the script
onAfter (after an import set has completed transformation) | Creates the relationships between Search Lists and their related vulnerabilities. For internal use. Modifying or deleting is not recommended.

Asset Group Import

The Qualys Asset Group Appliance Transform map is used to transform Qualys Asset Group data to create scanner appliance records. Changes to this transform alter how scanner appliances are created and modified.

To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Asset Group Import. The following table shows the fields currently being transformed.

Table 158: Qualys asset group transform map fields

Source Field | Target field | Description
u_id | id | Used as the identifier for the Qualys Asset Group.
[Script] | manual | Scripted value that determines how the target record was created. When created through transforms, this field is always false.
[Script] | ips | The IP addresses that are associated with the asset group being transformed.
u_default_appliance_id | appliance_id | The Qualys appliance identifier for the default appliance in this asset group.
u_title | asset_group_name | The name of the Qualys asset group.

In addition to field mappings, there is also a transform script that is executed during the transformation process. The following table shows when this script runs and what it is used for.

Table 159: Qualys asset group transform map script timing and purpose

When the script is run | Purpose of the script
onBefore (before an import set has completed transformation) | Constrains the asset group imports to only those asset groups with a default appliance and a set of mapped IP addresses. For internal use. Modifying or deleting is not recommended.

Appliance Import

The Qualys Appliance Transform map is used to transform Qualys Appliance data into appliance records. It updates the appliance records that are initially created by the Asset Group Import. Changes to this transform alter how appliance records are updated with appliance details.

To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Appliance Import. The following table shows the fields currently being transformed.

Table 160: Qualys appliance transform map fields

Source Field | Target field | Description
u_name | appliance_name | The name of the Qualys scanner appliance.
u_status | appliance_status | The last reported status of the Qualys scanner appliance.
u_id | appliance_id | The Qualys appliance identifier.

In addition to field mappings, there is also a transform script that is executed during the transformation process. The following table shows when this script runs and what it is used for.

Table 161: Qualys appliance transform map script timing and purpose

When the script is run | Purpose of the script
onBefore (before an import set has completed transformation) | Updates appliance names and statuses for the given ID. For internal use. Modifying or deleting is not recommended.

Host Detection Pagination Import

The Qualys host detection pagination transform map is used to transform the pagination element required to process additional pages of Host Detection data. Changes to this transform alter how multiple pages of data from the Qualys Host Detection import are processed.

To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Host Detection Pagination Import. Two transform scripts are executed during the transformation process. The following table shows when each script runs and what it is used for.

Table 162: Qualys host detection pagination transform map script timing and purpose

When the script is run | Purpose of the script
onBefore (before an import set has completed transformation) | Ignores the record. This transform is used to invoke an auxiliary process, not to import or transform data directly. For internal use. Modifying or deleting is not recommended.
onStart (when an import set has started transformation) | Invokes a Host Detection Pagination Handler to start importing the next page of Qualys data. For internal use. Modifying or deleting is not recommended.

Asset Group Pagination Import

The Qualys asset group pagination transform map is used to transform the pagination element required to process additional pages of Asset Group data. Changes to this transform alter how multiple pages of data from the Qualys Asset Group import are processed.

To access this transform map, navigate to Qualys Vulnerability Integration > Import Set Tables > Asset Group Pagination Import. Two transform scripts are executed during the transformation process. The following table shows when each script runs and what it is used for.

Table 163: Qualys asset group pagination transform map script timing and purpose

When the script is run | Purpose of the script
onStart (when an import set has started transformation) | Ignores the record. This transform is used to invoke an auxiliary process, not to import or transform data directly. For internal use. Modifying or deleting is not recommended.
onBefore (before an import set has completed transformation) | Invokes an Asset Group Pagination Handler to start importing the next page of Qualys data. For internal use. Modifying or deleting is not recommended.

Qualys REST messages

Qualys REST messages are used to make calls to the Qualys API.

Qualys Host Detection REST message

The Qualys Host Detection REST message makes the initial call to the Host List Detection API for the Qualys Host Detection Integration.

Table 164: Qualys host detection REST message parameters

Parameter Name | Value | Description
action | list | Indicates the type of operation requested. Required parameter. Changes are not required.
output_format | XML | Sets the format of the report returned by Qualys. The various scripts and transforms assume XML, so changes to the value are not recommended.
detection_updated_since | ${lastscandate} | Shows only detections whose detection status changed after a certain date and time. For detections that have never changed, the date is applied to the last detection date.
truncation_limit | 500 | The number of hosts to retrieve data for per request. This parameter is used for pagination. The default value is 500, but larger or smaller values can be used. Do not set it lower than 100, since that significantly increases system load. Smaller values require more calls to the Qualys API; larger values result in larger result sets to process and potential data retrieval or processing timeouts.
status | New, Fixed, Active, Re-opened | Detection statuses to retrieve from Qualys. The default is to retrieve all statuses. For large data pulls (often the initial pull of data), it can be beneficial to exclude the Fixed status from this list. It is important to include the Fixed status when updating vulnerabilities already in the system.

Qualys host detection pagination REST message

The Host Detection Pagination REST message handles pagination requests to the Host Detection API. When the primary host detection runs, if the Qualys API provides a URL to fetch the next page of data, this REST message retrieves that additional data. The data is used by the Host Detection Pagination Handler. Host detection pagination REST is a specialized REST message and is not intended to be modified.

Qualys knowledge base (backfill) REST message

The Qualys Knowledge Base (Backfill) REST message retrieves Qualys knowledge base data based on the last modified timestamp of the vulnerability data for the Qualys Knowledge Base integration. Changes to the REST message method record impact the request made to Qualys to retrieve knowledge base information. The following table shows the request parameters that are sent.

Table 165: Qualys knowledge base (backfill) REST message parameters

Parameter | Value | Description
action | list | Indicates the type of operation being requested. Required parameter. Changes are not recommended.
details | All | Indicates the level of detail shown for vulnerabilities retrieved. Safe to modify as needed.
ids | ${qids} | Specifies which QIDs to retrieve from Qualys. Referenced in code. Modifications are not recommended.

Qualys knowledge base (date-based) REST message

The Qualys Knowledge Base (Date-Based) REST message is used to retrieve Qualys knowledge base data based on the last modified timestamp of the vulnerability data. This message is used by the Qualys Knowledge Base integration. Changes to the REST message method record impact the request made to Qualys to retrieve knowledge base information. The following table shows the request parameters that are sent.

Table 166: Qualys knowledge base (date-based) REST message parameters

Parameter | Value | Description
action | list | Indicates the type of operation requested. Required parameter. Changes are not recommended.
details | All | Indicates the level of detail shown for vulnerabilities retrieved. Safe to modify as needed.
last_modified_after | ${datestart} | Indicates when to start retrieving historical data. Used by code to determine the start time and to assist with pagination. Modification or removal is not recommended.
last_modified_before | ${dateend} | Indicates when to stop retrieving historical data. Used by code to determine the end time and to assist with pagination. Modification or removal is not recommended.
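The sizing and pagination rules behind Tables 164 to 166 as an added JavaScript example (not ServiceNow or Qualys code): it builds the Host Detection query with the truncation_limit floor and the initial-versus-delta handling of the Fixed status, splits a Knowledge Base backlog into last_modified_after/last_modified_before windows, and accepts a next-page URL from a truncated response only when it points back at the configured API server. The function names, the sample response and the assumption that Qualys reports truncation in a WARNING element with a URL child are this example's own.

```javascript
// Added example, not ServiceNow or Qualys code. Function names, the sample
// response and the WARNING/URL layout used for truncation are assumptions.

// Detection statuses listed for the Host Detection "status" parameter.
const ALL_STATUSES = ['New', 'Fixed', 'Active', 'Re-Opened'];

// Build the Host List Detection query. A truncation_limit below 100 is
// rejected because it significantly increases system load; Fixed is dropped
// from initial pulls but kept for delta pulls so that detections already
// imported as vulnerable items can be closed.
function buildHostDetectionQuery(opts) {
  const limit = opts.truncationLimit === undefined ? 500 : opts.truncationLimit;
  if (!Number.isInteger(limit) || limit < 100) {
    throw new RangeError('truncation_limit must be an integer >= 100');
  }
  if (!opts.lastScanDate) {
    throw new Error('detection_updated_since needs the last scan date');
  }
  let statuses = opts.statuses || ALL_STATUSES;
  if (opts.initialPull) statuses = statuses.filter(s => s !== 'Fixed');
  return {
    action: 'list',
    output_format: 'XML',
    detection_updated_since: opts.lastScanDate,
    truncation_limit: String(limit),
    status: statuses.join(','),
  };
}

// Serialise parameters as an application/x-www-form-urlencoded query string.
function toQueryString(params) {
  return Object.keys(params)
    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&');
}

// Format a timestamp as YYYY-MM-DDThh:mm:ssZ (no milliseconds).
function qualysDate(ms) {
  return new Date(ms).toISOString().replace(/\.\d{3}Z$/, 'Z');
}

// Split a Knowledge Base backlog into last_modified_after/last_modified_before
// windows of at most daysPerRequest days (the property defaults to 365), so a
// three-year backlog becomes three one-year pulls.
function knowledgeBaseWindows(startIso, endIso, daysPerRequest) {
  const days = daysPerRequest === undefined ? 365 : daysPerRequest;
  if (!Number.isInteger(days) || days < 1) {
    throw new RangeError('days per request must be a positive integer');
  }
  const start = Date.parse(startIso);
  const end = Date.parse(endIso);
  if (Number.isNaN(start) || Number.isNaN(end) || start >= end) {
    throw new RangeError('start must be an ISO date earlier than end');
  }
  const step = days * 86400000;
  const windows = [];
  for (let from = start; from < end; from += step) {
    windows.push({
      last_modified_after: qualysDate(from),
      last_modified_before: qualysDate(Math.min(from + step, end)),
    });
  }
  return windows;
}

// Return the URL for the next page of a truncated response, or null when the
// response is complete. The continuation is only accepted when it points back
// at the configured API server, so a tampered or proxied response cannot send
// the integration (and its Basic Auth credentials) to another host.
function nextPageUrl(xml, apiServerUrl) {
  const warning = /<WARNING>([\s\S]*?)<\/WARNING>/.exec(xml);
  if (!warning) return null;
  const url = /<URL>\s*(?:<!\[CDATA\[([\s\S]*?)\]\]>|([^<]*))\s*<\/URL>/.exec(warning[1]);
  if (!url) return null;
  const next = (url[1] !== undefined ? url[1] : url[2]).trim();
  try {
    return new URL(next).origin === new URL(apiServerUrl).origin ? next : null;
  } catch (e) {
    return null;
  }
}

// Constructed sample of a truncated Host List Detection response.
const SAMPLE_TRUNCATED_RESPONSE = [
  '<HOST_LIST_VM_DETECTION_OUTPUT><RESPONSE>',
  '<HOST_LIST><HOST><ID>12345</ID></HOST></HOST_LIST>',
  '<WARNING><CODE>1980</CODE><TEXT>500 record limit exceeded.</TEXT>',
  '<URL><![CDATA[https://qualysapi.example.com/api/2.0/fo/asset/host/vm/detection/' +
    '?action=list&truncation_limit=500&id_min=12346]]></URL>',
  '</WARNING></RESPONSE></HOST_LIST_VM_DETECTION_OUTPUT>',
].join('\n');
```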

Qualys tickets REST message

The Qualys tickets REST message retrieves Qualys ticket information for the Qualys Ticket Integration. Changes to the REST message method record impact the requests made to Qualys to retrieve ticket information. The following table shows the request parameters that are sent.

Table 167: Qualys tickets REST message parameters

Parameter Name | Value | Description
modified_since_datetime | ${lastrundatetime} | Indicates the last run date of the integration and the date after which to pull data. Used by code. Changes are not recommended.
since_ticket_number | ${lastticketnumber} | Indicates which ticket was last retrieved from Qualys. Used for pagination. Changes are not recommended.
show_vuln_details | 1 | Indicates whether the vulnerability details are retrieved.

Activate and configure Qualys Vulnerability Integration plugin

The Security Integration feature allows you to quickly activate and set up third-party security integrations, including Qualys Cloud Platform.

Before the Qualys Cloud Platform integration can be used, you must activate the plugin, set your API credentials, and set an initial start date. The Qualys Vulnerability integration requires an installed Vulnerability Response plugin. Both are available as separate subscriptions.

Role required: sn_sec_cmn.admin

Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method. If you choose the traditional method of activation, the Qualys card recognizes the installation and displays the Configure button. Proceed to the step where you click Configure.

1. Navigate to > Integration Configuration. The available security integrations appear as a series of cards.
2. In the Qualys card, click Install Plugin.
3. In the Install Qualys integration dialog box, review the plugin details and click Activate.
4. When the activation is complete, click Close & Reload Form. The Security Integration screen reloads and the Configure button for the integration is available.
5. Click Configure.
6. Fill in the fields on the form, as appropriate.

Field | Description
Primary API Server URL | The URL to the Qualys API server.
Primary User Name | The API user name to be used for Basic Auth REST message authentication.
Primary Password | The API password to be used for Basic Auth REST message authentication.
Initial Scan Start Time | Set the start date and time for the Qualys Ticket List Import on page 329 and Host Detection List Import on page 325 integrations. Note: If the date is left empty, no data is returned on the first run. Set the value to a maximum of 30 days in the past or just prior to your last Qualys scan. This value prevents large amounts of data from exceeding the Qualys API rate limitations, as well as from triggering execution timeouts. The start date can also be set later using the Primary Integrations module.
Pull Qualys historical knowledge | Select this check box to retrieve Qualys knowledge base entries. The retrieved data is based on the date that Qualys updated the vulnerabilities and on the last time the integration ran. This field can be useful for populating historical data into your instance as well as for ensuring the QIDs are up to date. Historical knowledge base information can also be pulled later using the Primary Integrations module.
Number of days of knowledge base data to retrieve per API request | The maximum number of days' worth of vulnerability data included in each pull from the Qualys Knowledge Base. For example, imagine a new installation has a backlog of 3 years' worth of vulnerability data and this property is set to 365. Each pull includes one year's worth of data. This field defaults to 365.
Max number of QIDs to pull per API request when backfilling vulnerability data | The maximum number of Qualys ID records that can be pulled per API request when you are backfilling vulnerability data. The pull is scheduled to run after the Qualys Host Detection Integration. It updates your instance with any QIDs that were referenced in the Host Detection integration but did not previously exist.
Default Scanner Appliance | Leave blank unless you are not using the default Qualys Cloud Platform scanner appliance. This appliance is used if no better scanner appliance is found for the IP addresses being scanned.
Scan Options Profile | Leave blank unless you are not using the default Qualys Cloud Platform scan options profile. Created in the Qualys Cloud Platform application, the scan options profile defines the settings to use for all scans run using that profile. Qualys recommends creating profiles with custom settings for different types of Qualys Cloud Platform scans.

7. Click Submit.

Configure and import Qualys Vulnerability integrations

When configuring the Qualys integrations, remember to approach them in incremental steps. Starting small helps to debug any issues.

After the Qualys Cloud Platform integration and Vulnerability Response plugins are activated, you can configure the system to make data retrieval more flexible and scalable.

Note: Make any necessary configuration changes based on your requirements before running the integrations.

The recommended order of execution is to first configure and import the Qualys Knowledge Base, then configure and perform an initial Qualys Host Detection import, and finally configure your delta Qualys Host Detection imports. If you choose to use them, Qualys Ticket Integration and Knowledge Base (Backfill) instructions are provided.

Note: While the Qualys Vulnerability integration creates integrations for Appliance List, Asset Group, Dynamic Search List, and Static Search List, they are not required for normal operation.

Qualys Knowledge Base import

The Qualys Knowledge Base import creates records within Vulnerability Response and initially tests your Qualys integration configuration.

Role required: sn_vul_qualys.admin

The default number of days of Knowledge Base records to retrieve initially is 365. Depending on your system, you may want to specify more or fewer days, but it is not recommended.

1. Switch to the Qualys Vulnerability Integration scope.
2. Disable the Qualys Ticket Integration, as it is not required and provides only minimal additional data. If you are using the QualysGuard remediation ticketing system, move any special auto-assignment functionality into your instance.
3. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Knowledge Base and open it.
4. The settings for this integration are ready for a run. The base system contains five data sources that pull data in parallel. Adding data sources increases parallel processing but is not normally necessary for the Knowledge Base.
5. Click the Integration Details tab and set the Start time field to :00:00.
   Note: This process can be time consuming. On average, allow it to run for about 30 minutes.
6. Right-click in the header to save the record.
7. Pull historical data by clicking Execute Now.
8. Return to Qualys Vulnerability Integration > Primary Integrations > Qualys Knowledge Base.
9. The Vulnerability Integration Runs related tab displays the run. It shows Running under State unless there was an error. For an error, open the run; the error message is shown under Note.
10. Navigate to Vulnerability > Administration > Import Queue to see the run processing.
11. Sort by Queued on descending (z to a) to see the progress.
12. Refresh the screen using the All link at the top of the screen. Entries processing or successfully processed show that your API credentials are good and the integration is working.
13. Navigate to Vulnerability > Third-party to see the imported QIDs and verify that the Knowledge Base was imported.
14. Navigate to Qualys Vulnerability Integration > Primary Integrations > Vulnerability Integration Runs and click a record.
15. Sort Number in descending order to see the latest import and how far along you are in the run. Click the condition link at the top of the page to refresh. Blue circles next to the State, End date time, Substate, and Notes fields indicate that the run has ended, succeeded, and the fields have been updated.

You have tested your credentials, your connection to the Qualys Cloud Platform integration, and the import of the Qualys Knowledge Base. You are ready to import vulnerabilities.

Qualys initial Host Detection import

The Qualys initial host detection integration imports records for remediation.

Role required: sn_vul_qualys.admin

This task is the initial host detection import. It should be kept small to test the system.

Note: When a regular vulnerability is promoted to a third-party vulnerability, its severity_flag is set to true. The scheduled job Run severity calculator after vuln entry promotion runs every 30 minutes, selects all vulnerable items with a severity_flag set, and recalculates business impact. The Qualys vulnerability integration also has scheduled jobs which query and load Qualys vulnerability integration scans into the instance.

1. Disable notification-related business rules prior to initial record import on page 351, if appropriate.
2. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Host Detection Integration and open it.
3. By default, the scheduled job is set to run at 2:00 every day. You can change it under the Schedule tab.
4. Click the Qualys REST Details tab.
5. Thousands of detection records could be available for import, so to limit the amount of data retrieved from Qualys, Modify REST message parameters to affect data retrieval on page 348.
6. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Host Detection Integration.
7. Click the Integration Details tab.
8. Verify the start time. It contains the value you entered on the Configure screen during activation from Integration Configurations.
   Note: Once the initial run completes, this date is set to the current time.
9. Click Save.
10. Pull initial host detection data by clicking Execute Now.
    Note: You can cancel the import from the Vulnerability Integration Run tab on this form at any time while it is running.
11. Navigate to Vulnerability > Administration > Import Queue and open it.
12. You should see Qualys Host Import and Qualys Host Detection Pagination entries. Click an entry to see it and an attachment containing the original Qualys data. This import creates configuration items (CIs) and/or vulnerable items (VIs).
13. To view unmatched CIs, enter sn_vul_qualys_ci.list in the left navigation search box.
14. To view VIs, navigate to Vulnerability > Vulnerable Items. Vulnerability Groups are created based on Vulnerabilities.
15. You can delete a vulnerability integration run from the Vulnerability Integration Run tab on the integration form found under Qualys Vulnerability Integration > Primary Integrations.
16. You are ready to remediate or go on to configure your delta imports.

Qualys delta Host Detection imports

The Qualys delta host detection integration imports updated records for remediation.

Role required: sn_vul_qualys.admin

1. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Host Detection Integration and open it.
2. By default, the scheduled job is set to run at 2:00 every day. You can change it under the Schedule tab.
3. Click the Qualys REST Details tab.
4. Modify REST message parameters to affect data retrieval on page 348 using the delta import parameters.
5. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Host Detection Integration.
6. Click the Integration Details tab.
7. Verify the start time. If you change it, click Save.
8. Pull host detection data by clicking Execute Now.
   Note: You can cancel the import from the Vulnerability Integration Run tab on this form at any time while it is running.
9. Navigate to Vulnerability > Administration > Import Queue and open it.
10. You should see Qualys Host Import and Qualys Host Detection Pagination entries. Click an entry to see it and an attachment containing the original Qualys data. This import creates configuration items (CIs) and/or vulnerable items (VIs).
11. To view unmatched CIs, enter sn_vul_qualys_ci.list in the left navigation search box.
12. To view VIs, navigate to Vulnerability > Vulnerable Items. Vulnerability Groups are created based on Vulnerabilities.
13. You can delete a vulnerability integration run from the Vulnerability Integration Run tab on the integration form found under Qualys Vulnerability Integration > Primary Integrations.
14. You can make optional Qualys modifications as appropriate to your environment.
15. You are ready to view reports, remediate, or perform a Qualys Ticket import on page 345.

Optional Qualys Vulnerability imports

More Qualys integrations are available, though they are not commonly used.

Qualys Ticket import

You can configure this integration for scheduled data retrieval. This import is optional, and its data is stored and treated as vulnerable items by Vulnerability Response.

Role required: sn_vul_qualys.admin

Note: This integration should only be performed after you have configured and run both the Knowledge Base and Host Detection imports. If you disabled the Qualys ticket integration, re-enable it before you begin.

1. Navigate to Qualys Vulnerability Integration > Administration > Primary Integrations.
2. Open the Qualys Ticket Integration record.
3. Click the Integration Details tab, and set the Start time to the initial date from which you want to begin retrieving data.
4. Save the record and, optionally, click Execute Now.

Disable the Qualys ticket integration

The Qualys Ticket Integration is not required and provides only minimal additional data. If you are using the QualysGuard remediation ticketing system, consider moving any special auto-assignment functionality into your instance.

Role required: admin

1. Change scope to Qualys Vulnerability Integration.
2. Navigate to Qualys Vulnerability Integration > Administration > Primary Integrations.
3. Search for Qualys Ticket Integration.
4. Double-click true in the Active column for Qualys Ticket Integration and set it to false.
5. Click the check mark.

Qualys Knowledge Base (Backfill) import

The Qualys Knowledge Base (Backfill) import creates records within Vulnerability Response. This import is optional, and its data is stored and treated as third-party vulnerable items by Vulnerability Response.

Role required: sn_vul_qualys.admin

Determine the maximum number of QIDs to pull per API request before backfilling vulnerability data.

Note: This integration should only be performed after you have configured and run both the Knowledge Base and Host Detection imports.

1. Switch to the Qualys Vulnerability Integration scope.
2. Disable the Qualys Ticket Integration, as it is not required and provides only minimal additional data. If you are using the QualysGuard remediation ticketing system, move any special auto-assignment functionality into your instance.
3. Navigate to Qualys Vulnerability Integration > Primary Integrations > Qualys Knowledge Base (Backfill) and open it.
4. The settings for this integration are ready for a run. The base system contains five data sources that pull data in parallel. Adding data sources increases parallel processing but is not normally necessary for the Knowledge Base (Backfill).
5. Click the Integration Details tab and set the Start time field to :00:00.
   Note: This process can be time consuming. On average, allow it to run for about 30 minutes.
6. Right-click in the header to save the record.
7. Pull historical data by clicking Execute Now.
8. Return to Qualys Vulnerability Integration > Primary Integrations > Qualys Knowledge Base (Backfill).
9. The Vulnerability Integration Runs related tab displays the run. It shows Running under State unless there was an error. For an error, open the run; the error message is shown under Note.
10. Navigate to Qualys Vulnerability Integration > Primary Integrations > Vulnerability Integration Runs and click a run.
11. Sort Number in descending order to see the latest import and how far along you are in the run. Click the condition link at the top of the page to refresh. Blue circles next to the State, End date time, Substate, and Notes fields indicate that the run has ended, succeeded, and the fields have been updated.

Optional Qualys modifications

Configure optional modifications and streamline some of the data specifically for the Qualys Vulnerability integration.

Set Qualys API credentials

If the Qualys Cloud Platform integration plugin was not installed using the Integration Configurations page, you can still supply the API server and authentication information to use when making REST calls to the Qualys server.

Role required: admin

You are asked to enter API credentials when you first access the integration. The credentials must provide adequate permissions for retrieving knowledge, scan, and detection information for a Qualys subscription.

Note: The Primary credentials are the recommended default. The New button is an advanced feature used to add credentials. To use additional credentials, all Primary and Supporting integration records (Qualys REST Details tab) must be updated with them.

1. Navigate to Qualys Vulnerability Integration > Administration > API Credentials.
2. Click the Primary record.
3. Fill in the fields on the form, as appropriate.

Table 168: Security incident

Field | Description
Name | Name assigned to the integration.
API Server URL | The URL of the Qualys API server. Click the lock icon to unlock this field and enter the URL. When finished, click the lock icon again.
User name | The API user name to use for Basic Auth REST message authentication.
Password | The API password to use for Basic Auth REST message authentication.

4. Click Update.

Modify REST message parameters to affect data retrieval

You may have specific requirements that call for the default REST message parameters sent to Qualys during data requests to be modified to filter the imported data.

Role required: admin

You can adjust the query parameters for both initial and delta data retrievals. Qualys defines the valid parameters in its API documentation. Do not alter any existing field values that use template syntax formatting; the integration code uses these fields.

1. Navigate to Qualys Vulnerability Integration > Administration > Primary Integrations.
2. Open the Qualys Host Detection Integration record.
3. To change the related REST message parameters, click the Qualys REST Details tab, and navigate to the REST method reference.
4. Double-click the icon to open the record.
5. Choose the HTTP Request tab.
6. Create or update the HTTP Query Parameters as needed.
   a) For initial and delta data retrievals, use the query parameter severities to reduce the number of records retrieved.

   Qualys severities values

   Parameter | Values | Description
   severities | 3,4,5 | 3=serious, 4=critical, and 5=urgent. These values should be used to create a vulnerable item record.
   severities | 1,2 | 1=minimal, 2=medium. These values are informational and may not be needed in the instance.

   Note: Ensure that you want these detections to be pulled into your instance.

   b) Add detection_updated_since to the HTTP Query Parameters. Use ${lastscandate} for Value and 125 for Order. It returns detections whose status changed after a specified date and time. Detections that have never changed use the last detection date.
   c) Delete vm_scan_since.
   d) For initial data retrieval, change the HTTP Query Parameter value for status to New,Active,ReOpened (no spaces).
   e) For delta data retrievals, change the HTTP Query Parameter value for status to New,Fixed,Active,Re-Opened (no spaces).
   Note: Only bring in Fixed detection records when there is a business requirement to have all history in your instance.
   f) Click Update.

View and modify outbound REST messages

Outbound REST messages retrieve data that is then processed through a set of data sources and transformed by transform maps. Outbound REST messages and methods are provided with base configurations that are usually sufficient. You can modify or add parameters depending on the needs of your organization.

Role required: web_service_admin

Data retrieval uses REST to make calls to the Qualys knowledge base REST API and the Qualys Host List Detection REST API. The returned data is processed by data sources and transform maps.

1. Navigate to System Web Services > Outbound > REST Message to view the REST messages.
2. You can adjust the filter to show relevant REST messages. For a full list of acceptable API parameters, see the Qualys API documentation.
3. Open and edit the REST message you want to edit.

Disable the default vulnerability calculator if not used

If you do not use vulnerability calculators, it is best to disable the default calculators in addition to any others you have defined. Vulnerability calculators run every time a vulnerable item record is accessed, and can impact instance performance.

Role required: admin

1. Navigate to Vulnerability > Administration > Vulnerability Calculator Groups.
2. Open the Vulnerability Criticality group.
3. Open the Score and Service Based Impact calculator.
4. Deselect the Active field to deactivate the calculator.
5. Click Update.

Disable notification-related business rules prior to initial record import

During the initial import of records, certain notification-related business rules can generate many notifications, impacting performance. These business rules should be modified to disable them during the import.

Role required: admin

1. Navigate to System Definition > Business Rules.
2. Search for Affected ci notifications.
3. Open the business rule and insert this condition: current.sys_class_name != "sn_vul_vulnerable_item"
4. Click Update.
5. Repeat this procedure for the following business rules:
   Affected cost center notifications
   Affected group notifications
   Affected location notifications

Note: After the completion of the initial record import, you have the option of re-enabling these business rules. However, consider leaving them disabled. They can generate large numbers of notifications and impact the performance of your instance.

Add Qualys host identification indexes

When large CMDBs are present, the data import and transformation can take a very long time. One possible cause is slow matching of Qualys assets to configuration items in the CMDB. To improve data load time performance, add an index on the Qualys ID and the Qualys Host ID.

Role required: admin

1. Navigate to System Definition > Tables.
2. Open the Configuration Item [cmdb_ci] table.
3. Scroll down and click the Database Indexes related list.
4. Click New and add an individual index for Qualys ID.
5. Click Create Index.
6. Repeat for Qualys Host ID.
7. Close the Database Indexes window. A new dialog box appears. You cannot enter an email address unless the Database Indexes window is closed.
8. Enter an email address or choose Do not notify me.
9. Click OK. It can take a while to process. If you did not request an email, check the Database Indexes related tab.

Modify an initial start date

Set an initial start date for the Qualys Ticket List Import and Host Detection List Import integrations. You can also set an initial start date for the Qualys knowledge base integration; that date is not used, however, for pulling historical data from the knowledge base.

Role required: sn_vul_qualys.admin

1. Navigate to Qualys Vulnerability Integration > Administration > Primary Integrations.
2. Click Qualys Host Detection Integration.
3. Click Integration Details.
4. Set the Start time field to a value in the past, so that all vulnerabilities scanned and detected since that time are retrieved. If you configured the Qualys Cloud Platform integration using the quick-start, the Start time field is prefilled.
   Note: If the date is left empty, no data is returned on the first run. Set the value to a maximum of a month in the past. This keeps a large amount of data from exceeding the Qualys API rate limits and from triggering execution timeouts.
5. Click Submit or Update.
6. Optional: Click Execute Now to run the integration immediately.

Advanced Qualys configurations and modifications

Configure advanced optional modifications and streamline some of the data specifically for the Qualys integration. Most of these modifications require coding or advanced ServiceNow or Qualys Cloud Platform expertise.

Add dot-walk fields from your third-party table to your vulnerable item form

Adds dot-walk fields from your third-party table to your vulnerable item form, for use in choice lists, scripts, and so on.

Role required: admin

The Vulnerability (vulnerability_task) field references the Vulnerability (sn_vul_vulnerability) table. The QID information imported from Qualys is put in the Third-Party Vulnerability Entries (sn_vul_third_party_entry) table. The Third-Party Vulnerability Entries table is extended from the Vulnerability table, and the third-party table contains fields that are not in the Vulnerability table.

1. Navigate to Vulnerability > Vulnerabilities > Vulnerable Items.
2. Right-click the hamburger menu of any column in the Vulnerable Items list to bring up the Configure menu, and choose Dictionary.
3. In the Dictionary Entries list, click New.
4. Fill in the fields on the form, as appropriate:

Once you enter a Type, the other choices become available.

Table 169: Dictionary Entries

Field: Description
Table: Defines the table in which the element is created. Pre-filled with Vulnerable Item [sn_vulnerable_item]. Do not change.
Type: Enter Reference. Defines the field type of the column that the dictionary entry represents.
Column label: Enter Third-Party Entry. Defines a unique label for the column. The label appears on list headers and form fields for the column. When you create a new column, the column name is populated automatically based on the label, prefixed with u_ to indicate that it is custom.
Column name: u_third_party_entry is generated automatically.
Max length: Provides a logical limit for the size of string fields, which determines how the system displays them in the user interface and how it maps them to physical database data types.
Application: Pre-filled with Qualys Vulnerability Integration. Do not change.
Active: Check the box to activate the entry. Enables or disables the field.
Read only: Determines whether users can change the field value. When this check box is selected, users cannot change the value; the data for the field is calculated and displayed by the system.
Mandatory: Determines whether this field must contain a value to save a record.
Display: Indicates that this field is the display value for reference fields.

Table 170: Dictionary Entry tabs

Tab: Description
Reference Specification*: Enter Third-Party Entry. Makes the field into a reference field.
Choice List Specification: Allows users to see a list of suggested values.
Default value: Allows you to specify a default value that is generated dynamically based on a dynamic filter.

5. Click Submit.
6. Navigate to System Import Sets > Administration > Transform Maps.
7. Search for the Qualys Detection List Transform map in the list and open it.
8. Click New under the Field Maps tab to add a new field mapping.
   a) Change Target field to Third-Party Entry.
   b) Check the Use source script box.
   c) Edit the Source script as follows:

      answer = (function transformEntry(source) {
          // Build the third-party entry ID ("QID-<number>") from the Qualys QID of the source row
          var qid = "QID-" + source.u_qid.toString();
          return qid;
      })(source);

9. Click Submit. The target field u_third_party_entry appears in the Field Maps list.

Add a source field

Adds a field to show the source of the vulnerable item.

Role required: admin

Note: Ensure that you are in the Qualys Vulnerability Integration scope.

1. Navigate to Vulnerability > Vulnerabilities > Vulnerable Items.
2. Right-click the hamburger menu of any column in the Vulnerable Items list to bring up the Configure menu, and choose Dictionary.

3. Click New on the Dictionary Entries form.
4. Fill in the fields on the form, as appropriate:

Once you enter a Type, the other choices become available.

Table 171: Dictionary Entries

Field: Description
Table: Defines the table in which the element is created. Pre-filled with Vulnerable Item [sn_vulnerable_item]. Do not change.
Type: Enter Choice. Defines the field type of the column that the dictionary entry represents.
Column label: Enter Source. Defines a unique label for the column. The label appears on list headers and form fields for the column. When you create a new column, the column name is populated automatically based on the label, prefixed with u_ to indicate that it is custom.
Column name: u_source is generated automatically.
Max length: Provides a logical limit for the size of string fields, which determines how the system displays them in the user interface and how it maps them to physical database data types.
Application: Pre-filled with Qualys Vulnerability Integration. Do not change.
Active: Check the box to activate the entry. Enables or disables the field.
Read only: Determines whether users can change the field value. When this check box is selected, users cannot change the value; the data for the field is calculated and displayed by the system.
Mandatory: Determines whether this field must contain a value to save a record.
Display: Indicates that this field is the display value for reference fields.

Table 172: Dictionary Entry tabs

Tab: Description
Reference Specification*: Makes the field into a reference field.
Choice List Specification: Allows users to see a list of suggested values.
Default value: Allows you to specify a default value that is generated dynamically based on a dynamic filter.

5. Click the Advanced View related link.
6. Under the Choices tab, click New.
7. Enter Qualys in the Label text box.
8. Enter qualys in the Value text box.
9. Click Submit.
10. Navigate to System Import Sets > Administration > Transform Maps.
11. Search for Qualys Detection List Transform and open it.
12. Click New under the Field Maps tab to add a new field mapping.
13. Add the new field mapping:
   a) Change Target field to Source.
   b) Check the Use source script box.

   c) Edit the Source script as follows:

      answer = (function transformEntry(source) {
          // Every row imported through this transform map comes from Qualys
          return "Qualys";
      })(source);

14. Click Update.

Modify the Qualys to priority and state mapping values

Modify the mapping values for priority and state to suit your requirements.

Role required: admin

This is an advanced customization option.

1. Navigate to System Definition > Business Rules.
2. Search for Map Qualys Values and open it.
3. Click the Advanced tab.
4. Modify the script per your requirements. The most common modifications include adding new state values or revising criticality or priority.
5. Click Update.

Restrict the ability to write to a record based on an assignment group

You can restrict write/read rights on records based on membership in an assignment group. Modify the conditions and script to fit your specific requirements.

Role required: security_admin (elevated role from admin)

Note: This action is performed in the Vulnerability scope.

1. Navigate to System Security > Access Control (ACL).
2. Search for ACLs that start with sn_vul.
3. Choose an Access Control record, for example, sn_vul_vulnerable_item, Operation write.
4. Check the Advanced box in the record, if necessary, to display the Role entries.
5. Modify the Role script for your requirements.

   Script example of restricting access by group:

      // Grant access if the current user is the assignee or a member of the assignment group
      answer = (current.assigned_to == gs.getUserID() || isMemberOfForScopedApp(current.assignment_group));

      // Note: the standard 'isMemberOf' does not work within a scoped app:
      // gs.getUser().isMemberOf(current.assignment_group);
      function isMemberOfForScopedApp(groupId) {
          var result = false;
          if (groupId != '') {
              var userId = gs.getUserID();
              // Look up the user/group membership directly in sys_user_grmember
              var gr = new GlideRecord("sys_user_grmember");
              gr.addQuery("group", groupId);
              gr.addQuery("user", userId);
              gr.query();
              if (gr.next()) {
                  result = true;
              }
          }
          return result;
      }

6. Click Update.

Set up scanner appliances

If you are initiating scans from ServiceNow instead of directly from Qualys, you can set up scans for IP address ranges. The data comes from the Qualys integration based on Qualys asset groups and their related default appliances. If a default appliance is not specified on the Integration Configuration form, the appliance from the associated Qualys asset group is used.

Role required: sn_vul_qualys.admin

1. Navigate to Qualys Vulnerability Integration > Scanner Appliances.
2. Fill in the fields on the form, as appropriate.

Field: Description
Appliance name: Enter the name of the Qualys scanner appliance to be used for invoking scans for matching configuration items. For manually created records that do not have an Appliance ID provided, the appliance name is used.
Appliance ID: Enter the appliance identifier of the Qualys scanner appliance to be used for invoking scans for matching configuration items. If you entered both an Appliance name and an Appliance ID, the identifier is used.
Appliance status: Displays the last status of the scanner appliance from the data returned by the Qualys integration. For manually created records, the status is updated only if a valid Appliance ID is specified.
Asset group ID: Displays the Qualys asset group identifier that created this record. This field displays a value only for records created by the Qualys integration.
Asset group name: Displays the Qualys asset group name that created this record. This field displays a value only for records created by the Qualys integration.
Order: Enter a value used to determine scanning priority. For appliances with conflicting criteria, the appliance with the lower order value is given the higher priority.
Manually created: Indicates whether this record was created manually by the user.
Use filter group: Select this check box to specify a filter group for finding matching configuration items for scanning.

Filter group: Select the filter group you want to use for finding matching configuration items for scanning. This field appears only if you selected Use filter group.
IPs: A comma-separated list of IP addresses or ranges of IP addresses to be used by this appliance when invoking scans.

3. Click Update.

Extend the Qualys scanner

The Qualys scanner included with the base system provides a baseline integration to initiate scans based on IP addresses. Qualys provides a REST API to launch scans. You can view and edit the outbound REST message sent to Qualys.

Role required: web_service_admin

1. Navigate to System Web Services > Outbound > REST Message.
2. Locate and click Qualys-VMScan-Default.
3. If needed, modify the Endpoint host address to match a different Qualys endpoint.
4. In the HTTP Methods related list, click post.
5. Edit the Basic auth profile field with valid Qualys credentials for your organization.
6. Modify the endpoint and the query parameters to launch a scan that meets the needs of your organization.
   Note: The IP query parameter is the only parameter that is scan-specific and updated by the scanner implementation.
7. Click Update.

Threat and solution summary from an associated vulnerability

You can combine the threat and solution information from the referenced Vulnerability into a summary field on the vulnerable item.

Role required: admin

1. Navigate to Vulnerability > Vulnerable Items.
2. Select a vulnerable item.
3. Right-click in the header to bring up the Configure menu.
4. From the Configure menu, choose Dictionary.
5. Click New.
6. Fill in the fields on the form, as appropriate. See the Dictionary Entry form reference.
7. Navigate to System Import Sets > Administration > Transform Maps.
8. Search for Qualys Detection List Transform.
9. Click the Field Maps tab.
10. Add a new field mapping. See Create a field map.
   a) Check the Use Source Script box.
   b) Set Target field to Vulnerability Summary.

   c) Enter the Source Script:

      answer = (function transformEntry(source) {
          // Look up the third-party entry for this row's QID and combine its threat and solution text
          var gr = new GlideRecord('sn_vul_third_party_entry');
          gr.get('id', 'QID-' + source.u_qid);
          if ((gr.threat) && (gr.threat != 'undefined')) {
              return '<h1>Threat:</h1><br>' + gr.threat + '<br><br><h1>Solution:</h1><br>' + gr.solution;
          } else return;
      })(source);

11. Click Submit.

Set ignore host detection updates if no state changes

You can ignore host detection rows when they make no state change.

Role required: admin

1. Navigate to System Import Sets > Administration > Transform Maps.
2. Navigate to the Qualys Detection List Transform transform map and open it.
3. Click the Transform Scripts tab.
   a) Create or edit an onBefore transform script. Its only function is to update target records if the incoming Qualys status value differs from the target record. Here is an example of such an onBefore script:

      (function runTransformScript(source, map, log, target /* undefined onStart */) {
          // Collect values from the source row and build a query to find the matching vulnerable item (VI) records
          var ip = source.u_ip;
          var dns = source.u_dns;
          var netbios = source.u_netbios;
          var qid = source.u_qid;
          var port = source.u_port;

          var vul = new GlideRecord("sn_vul_entry");
          if (!vul.get("id", "QID-" + qid)) {
              return null;
          }

          var gr = new GlideRecord("sn_vul_vulnerable_item");
          var encoded = "vulnerability=" + vul.getUniqueValue();
          if (!gs.nil(port)) {
              encoded += "^port=" + port;
          } else {
              encoded += "^portISEMPTY";
          }
          // IP, DNS and NetBIOS are ORed together: any one of them identifies the host
          var appendOr = false;
          if (!gs.nil(ip)) {
              encoded += (appendOr ? "^ORip_address=" : "^ip_address=") + ip;
              appendOr = true;
          }
          if (!gs.nil(dns)) {
              encoded += (appendOr ? "^ORdns=" : "^dns=") + dns;
              appendOr = true;
          }
          if (!gs.nil(netbios)) {
              encoded += (appendOr ? "^ORnetbios=" : "^netbios=") + netbios;
              appendOr = true;
          }
          gr.addEncodedQuery(encoded);
          gr.query();
          while (gr.next()) {
              // Check whether the status has changed: build the state/status mapping object
              if (!source.u_status.nil()) {
                  var stateMap = { "new": 1, "active": 1, "re-opened": 1, "reopened": 1, "fixed": 3 };
                  var ignoredSubstates = ["1", "2", "3"];
                  var currentState = gr.state + "";
                  var currentSubstate = gr.substate + "";
                  var currentStatus = (source.u_status + "").toLowerCase();
                  var expectedState = 0;
                  var info;
                  if (stateMap.hasOwnProperty(currentStatus)) {
                      if (currentStatus == "fixed") {
                          // Source status Fixed: close the vulnerable item record
                          expectedState = 3;
                      } else if (currentState == 3 && ignoredSubstates.indexOf(currentSubstate) < 0) {
                          // Target Closed with a substate not in ignoredSubstates: run the status through the state map
                          expectedState = stateMap[currentStatus];
                      } else if (currentState == 10) {
                          // Target Pending Confirmation: run the status through the state map
                          expectedState = stateMap[currentStatus];
                      } else if (currentState == 12 && currentSubstate == 4) {
                          // Target Ignored with substate Fixed: run the status through the state map
                          expectedState = stateMap[currentStatus];
                      } else if (currentState == 1 || currentState == 2) {
                          // Target New or Analysis: run the status through the state map
                          expectedState = stateMap[currentStatus];
                      }
                  }
                  if (expectedState == 0 && currentState == 11) {
                      // No mapped state, target In Review and source status not Fixed: ignore the transform row
                      ignore = true;
                      info = "Record is in Review and has not been fixed, row ignored!";
                      log.info(info);
                  } else if (gr.status.toLowerCase() == currentStatus && gr.state == expectedState) {
                      // Target state/status already matches the source state/status: ignore the transform row
                      ignore = true;
                      info = "No state change, row ignored!";
                      log.info(info);
                  }
              }
          }
      })(source, map, log, target);

4. Click Submit or Update, as appropriate.

Create a custom outbound REST message for Qualys

If needed, you can create your own outbound REST message to send to Qualys.

Role required: web_service_admin

1. Navigate to Vulnerability > Vulnerability Scanning > Scanners.
2. Locate and open the Qualys scanner.
3. In the Scanner factory script, change the parameter passed to QualysVulnerabilityScanner to the name of the REST message that you want to use. For example, if you created a REST message named MyQualys-REST, the field value is new sn_vul.QualysVulnerabilityScanner("MyQualys-REST").
   Note: The REST message passed to the Qualys vulnerability scanner must be available to the Vulnerability scope.
4. Click Update.

If you have more complex scanning requirements but still want to use the existing scanner implementation, you can extend the provided Qualys Vulnerability Scanner. For example, to change how the REST message is built and sent to Qualys, create a script include that extends QualysVulnerabilityScanner and provide a new implementation of the _buildScanRequest function.

Find components installed with your application

Several types of components are installed with applications. Activating a Security Operations plugin adds or modifies several tables, user roles, properties, script includes, business rules, and other components.

Role required: admin

Note: If application administration is active, you need both the admin and application admin roles (for example, sn_vuln.admin).

1. Ensure your plugin is activated.
2. In the filter navigator, type sys_metadata.list and press Enter. You are taken to the Application Files page.
3. Click the gear icon to personalize the form and add the Package column.
4. In the Go to field, choose Display name and enter your plugin name:
   Security Incident
   Vulnerability
   Threat Intelligence

5. Right-click one of the items in the Package column and select Show Matching.
6. In the Class column heading, click the column menu icon and select Group by Class.
7. Select the class of information you want to view. For example, click Class: Table to view all tables installed with the plugin.
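The state-change decision and the vulnerable-item matching query from the onBefore transform script in "Set ignore host detection updates if no state changes", rewritten here as an added, platform-independent example (not ServiceNow or Qualys code) so each branch can be run against constructed detection rows. GlideRecord lookups are replaced by plain objects: the target object is assumed to carry the vulnerable item's state, substate and status fields, and the vulnerability sys_id is passed in directly.

```javascript
// Added example: the decision logic of the onBefore transform script, without Glide APIs.
// State numbers are the ones the script uses: 1 New, 2 Analysis, 3 Closed,
// 10 Pending Confirmation, 11 In Review, 12 Ignored; substate 4 is Fixed.

// Qualys detection status -> vulnerable item state (the script's stateMap).
var STATE_MAP = { "new": 1, "active": 1, "re-opened": 1, "reopened": 1, "fixed": 3 };
// Closed substates that are NOT reopened by a fresh detection.
var IGNORED_SUBSTATES = ["1", "2", "3"];

/**
 * Decide what the transform should do with one Qualys detection row for one
 * matched vulnerable item. `target` is a constructed stand-in for the
 * sn_vul_vulnerable_item record ({ state, substate, status }).
 * Returns { expectedState, ignore, reason }.
 */
function decideRow(sourceStatus, target) {
  var currentState = String(target.state);
  var currentSubstate = String(target.substate);
  var currentStatus = String(sourceStatus || "").toLowerCase();
  var expectedState = 0;

  if (STATE_MAP.hasOwnProperty(currentStatus)) {
    if (currentStatus === "fixed") {
      expectedState = 3;                          // Fixed always closes the item
    } else if (currentState === "3" && IGNORED_SUBSTATES.indexOf(currentSubstate) < 0) {
      expectedState = STATE_MAP[currentStatus];   // Closed for a non-final reason: may reopen
    } else if (currentState === "10") {
      expectedState = STATE_MAP[currentStatus];   // Pending Confirmation
    } else if (currentState === "12" && currentSubstate === "4") {
      expectedState = STATE_MAP[currentStatus];   // Ignored as Fixed, but seen again
    } else if (currentState === "1" || currentState === "2") {
      expectedState = STATE_MAP[currentStatus];   // New or Analysis
    }
  }
  // In Review and not fixed: leave the analyst's record alone.
  if (expectedState === 0 && currentState === "11") {
    return { expectedState: expectedState, ignore: true, reason: "in review and not fixed" };
  }
  // Nothing would change: skip the row instead of rewriting the record.
  if (String(target.status).toLowerCase() === currentStatus && currentState === String(expectedState)) {
    return { expectedState: expectedState, ignore: true, reason: "no state change" };
  }
  // Any other case (including expectedState 0) falls through to the field maps.
  return { expectedState: expectedState, ignore: false, reason: "" };
}

/**
 * Build the encoded query the script uses to find matching vulnerable items:
 * vulnerability sys_id, port (or empty port), then IP, DNS and NetBIOS ORed,
 * so that any one host identifier is enough to match.
 */
function buildMatchQuery(vulSysId, row) {
  var encoded = "vulnerability=" + vulSysId;
  encoded += row.port ? "^port=" + row.port : "^portISEMPTY";
  var appendOr = false;
  ["ip_address", "dns", "netbios"].forEach(function (field) {
    var value = row[field];
    if (!value) { return; }
    encoded += (appendOr ? "^OR" : "^") + field + "=" + value;
    appendOr = true;
  });
  return encoded;
}
```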


Qualys Vulnerability Integration troubleshooting

Some commonly encountered issues, along with workarounds, are discussed.

Qualys Host detection import workaround

The following task applies only to instances on Helsinki Patch 9 and earlier, or Patch 5 and earlier.

Role required: admin

Note: The detection_template.xml file is available in the KB article, KB

For instances on Helsinki Patch 9 and earlier, or Patch 5 and earlier, PRB is an issue with the XML data loader: if certain elements are not contained in the first 10 records of the XML data, those elements are not processed. The issue is seen in the Qualys Host Detection Integration, where elements (such as nullable values like Port or the SSL flag) appear to be missing. This workaround is specifically for the Qualys Host Detection Integration.

1. Log in as an admin on the affected system.
2. Load, Preview, and Commit the following update set: Qualys_Host_Detection_tpl_update_set.xml
3. Navigate to Qualys Vulnerability Integration > > Supporting Integrations.
4. Select Host Detection Import Set Reprocess Integration.
5. Attach the following file to the Host Detection Import Set Reprocess Integration record: detection_template.xml

Attachments not appearing after import

If attachments are not appearing as expected for data sources or on a security incident after third-party integration imports, check your IP restrictions. IP access restrictions can prevent attachments from being seen unless you are logged in from a safe IP. Since a new attachment is added with each import, this can result in duplicates that you have to remove. For example, when you run a third-party host import integration and do not see any attachments on your data sources, check your IP restrictions and add users to the safe list prior to import.

Set the integration execution user

A run-as user must be specified to prevent inconsistent transform results, but only when the default System Administrator account has been removed or disabled.

Roles required: sn_vul_qualys.admin, import_admin, and sn_vul.vulnerability_write

The Qualys integrations are executed as extensions of sysauto_script. There is a configured run-as user for each integration record. The default value for this user is System Administrator. If you removed or disabled the default System Administrator account, the run-as value for each integration record must be changed to another user with the following roles: sn_vul_qualys.admin, import_admin, and sn_vul.vulnerability_write. This user needs access to data sources, transform maps, and vulnerability data.

Note: Failing to set a valid run-as user orphans the data retrieval attachments on the data source records every time the integration runs. Multiple attachments accumulate on the data source, increasing processing time and resulting in inconsistent transform results.

1. Add the specified roles to a selected alternate system user. For more information, see Assign a role to a user.
2. Navigate to Vulnerability > Administration > Primary Integrations.
3. Click the gear icon at the top left of the list.
4. In the Personalize List Columns dialog box, add the Run as field to the list.
5. Click OK.
6. For each of the Qualys integrations listed, change the Run as user to the user with the listed roles.
7. Repeat steps 1 through 3 for Supporting Integrations.

Modify transform maps

Transform maps are provided with base configurations and are usually sufficient. You can modify transform mappings depending on the needs of your organization.

Role required: sn_vul_qualys.admin + import_admin

1. Navigate to System Import Sets > Administration > Transform Maps to view the transform maps.
2. Filter the resulting list by application, limiting it to the Qualys Vulnerability Integration application.
3. Modify the transform maps per your requirements. For details on the data provided by the Qualys API, see the Qualys API documentation.

Check XML attachment property size

Verifies that the XML attachment property is sufficient for large files.

Role required: admin

1. Navigate to System Properties > Import Export.
2. Scroll down to Import Properties > XML Format at the bottom of the page.
3. If necessary, change the value to 250 and click Save.

CI import customization

When a CI is imported and does not match an existing CI (matching is based on Qualys identifiers, IP, NetBIOS, and DNS name), the default behavior is to create a cmdb_ci record. Modifying the corresponding transform map can change this behavior. The transform map that controls this behavior is Qualys Host Import (cmdb_ci).

The easiest modification is to change the target table and the corresponding field mapping values to map any additional fields that exist. The more customizable, but more complex, approach is to modify the onBefore Transform Script to do additional custom mappings, such as mapping to OS classifications based on the Qualys OS. When using this approach, be careful not to interfere with the basic transform functionality.

Data retrieval limitations

By default, there are no restrictions on how data is retrieved from Qualys. Many records can relate to low severity vulnerabilities that a customer is not willing to remediate through their vulnerability response process. Updating the corresponding REST message/method parameters can modify this behavior. The REST message/method responsible for this is Qualys Host Detection Standard/post. To restrict the severities retrieved, add a new HTTP Query Parameter to the post method with the following values:

Name: severities
Value: 3-5 (or whatever severities are appropriate)

Duplicate vulnerable items

If you see duplicate vulnerable items (multiple vulnerable items, all pointing to the same Configuration Item and Vulnerability Entry), and the duplicate vulnerable items share the same creation timestamp, a concurrency issue might be the cause.

Role required: admin

1. Navigate to System Definition > Business Rules.
2. Search for Process Vulnerability Attachments [sn_vul_ds_import_q_entry].
3. Set Active to false.
4. Navigate to System Definition > Scheduled Jobs.
5. Search for Scheduled Vulnerability Data Source Processor.
6. Open it and click the Configure Job Definition related link.
7. Set Repeat interval to 2 minutes.
8. Click Update or Execute Now, as appropriate.

Qualys Vulnerability Integration reporting

The Qualys Cloud Platform integration overview is an executive view into vulnerability activity. By providing trends, reports, and drill-downs into specific data, an administrator or analyst can quickly pinpoint areas of concern. The charts are populated with data after vulnerable items and Qualys knowledge base data have been retrieved.

Note: Using the Qualys Cloud Platform Vulnerability integration assumes that tuning, testing, and deployment have occurred in your instance. These activities are beyond the scope of the product documentation. For assistance, contact your representative.

In each chart, you can point to any part of the chart (bar, pie, data point, and so on) to view general data specific to that part. If you click any part of a report, a list opens to provide detailed information.

[Figure 20: Sample Qualys Vulnerability Integration chart]

The following reports are available on the Qualys Cloud Platform integration homepage.

Table 173: Qualys Vulnerability Integration Overview reports

Name | Visual | Description
CIs Synchronized With Qualys | Bar | Displays the number of open vulnerable items recorded for each CI, from most to least.
Open Qualys Vulnerable Items | Bar | Displays the number of open vulnerable items associated with vulnerabilities (CVE records), from most to least.
Total Qualys Vulnerable Items | Bar | Displays the number of ignored vulnerable items scheduled to be expired within 7 days.
Vulnerable Items by Priority | Trend | Displays the number of vulnerability entries recorded each week.
QID Prevalence | Bar | Displays the number of vulnerable items recorded for each model, from most to least.
Open Qualys Vulnerable Items | List | Displays the number of vulnerable items recorded for each publisher, from most to least.

add-on for Splunk integration

When Splunk is integrated with the ServiceNow applications, you can seamlessly create security incidents or events from Splunk events, alerts, and logs. After you have downloaded the add-on for Splunk from Splunkbase, you are ready to use the integration to create the desired security records.

Explore: add-on for Splunk overview on page 374; integrations on page 256
Set up: Download the application on page 374; Install the add-on for Splunk on page 374; Splunk integration setup on page 374; Set up or change the instance where incidents or events are created on page 374
Use: Specify security events or security incidents to be created when an alert is fired; Create a multi-record, custom field Splunk alert on page 377; End User Licence Agreement on page 378
Develop: integration development guidelines on page 256; Tips for writing integrations on page 263; Developer training; Developer documentation

Troubleshoot and get help: Integration troubleshooting on page 264; Ask or answer questions in the Security Operations community; Search the HI Knowledge Base for known error articles; Contact Support

add-on for Splunk overview

The add-on for Splunk allows a Splunk software administrator to collect data from ServiceNow and create incidents and events in ServiceNow. It is installed from Splunkbase.

Splunk integration setup

Setup procedures for the add-on for Splunk include downloading the add-on file in Splunk, installing the add-on, and setting up the instance where security incidents and events are created.

Required role

Before performing the Splunk integration setup procedures, be sure to define an integration user with the sn_si.integration_user and sn_si.analyst roles on your instance. Additionally, in order to perform imports, you need the import_transformer role to obtain read and write permission to the security tables. The sn_si.integration_user role should be defined with the import_transformer portion of the role.

Download the application

The first step in setting up the ServiceNow-to-Splunk integration is to download the Security Operations application from Splunkbase.

1. Open Splunkbase.
2. Search for ServiceNow Integration.
3. Download the application.

Install the add-on for Splunk

Install the add-on for Splunk to link Splunk to ServiceNow.

1. Open Splunk.
2. Click either the Apps gear icon or the Manage Apps shortcut menu item.
3. Click Install app from file.
4. Click Choose File, select sn_sec_ops.spl, and click Upload.
5. If prompted, restart Splunk.

The add-on for Splunk is installed and ready to be set up.

Set up or change the instance where incidents or events are created

To set up or change the instance where new security incidents and security events are created, use the Setup action in the application list.

1. Open Splunk.
2. Click either the Apps gear icon or the Manage Apps shortcut menu item.

3. In the list of applications, click the Set up action for the ServiceNow Integration.
4. Provide the URL, user name, and password. The user name and password are those of the integration user created in ServiceNow.
5. Click Save.

Manual search commands

Manual search commands are entered from any Search window. You can create a security incident or event. After the command, there are pairs of field names and values used to create the desired record.

Security event command

The security event command, snsecevent, creates an event in ServiceNow with the Security classification. These events can be reviewed on their own, or alert rules within ServiceNow or manual actions can turn an event or collection of events into a security incident.

The following example defines the required parameters, as well as some additional data, and shows the result (no error message) after a successful run. If the event becomes a security incident and each parameter is sent into the event, this data is used to populate the security incident as follows:

Parameter Name | Required | Use | Use in Security Incident
node | Yes | The node represents the server or configuration item for the event. Ideally, this node maps to an existing CI within ServiceNow. | Affected CI, Short description
type | Yes | The category of event. | Short description
resource | Yes | The configuration item. | Short description
source | No | The origination of this data. By default, the Splunk server generates the data. | Activity log
external_url | No | The drilldown URL used in ServiceNow to get back to the Splunk data regarding this event. By default, this URL contains the result link for any alert, or a link to the default Splunk search page. | External URL, accessed via the Drilldown button on the Security Incident form

376 Parameter Name Required Use Use in Security Incident All other values (category, subcategory in the example) No Any field that is not part of the information field in the event. If a security incident is created, it is used. If the field exists, and is not populated, the security incident uses that value. For example, the category passed through the Event becomes the category of the new security incident. If a field with this name does not exist, the value is placed in the activity log. Security incident command The Security Incident command, snsecincident, creates a Security Incident in your instance. Parameter Required Use short_description Yes A short, one line description of the incident. category No The category of the security incident. If this category does not exist, it is created. subcategory No The subcategory. If this subcategory does not exist, it is created. cmdb_ci No The configuration item for the security incident. Ideally, this item maps to an existing CI within. description No The longer, detailed description of the incident. There are many possible useful columns anything in the Security Incident transform map can be used. If new columns are added to the security incident, they too are used, as long as they are in the transform map. Some useful columns: location, priority, assignment_group, assigned_to, affected_user, attack_vector, and watch_list. Splunk event actions When reviewing Splunk logs, you can rapidly create security events and security incidents from any item in the log using the Event Actions. Clicking either of these actions creates a manual search command populated with the data in the log entry, and run it to generate the new record. These actions are easily configured to add fields in your normalized data. Within Splunk, using Settings > Fields > Workflow Actions, you can select and edit either of these actions using the manual search fields. 
You can choose where the action is shown, for what fields, and modify the search string that contains a search command to create your record. 376
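The following added example (illustrative JavaScript, not code from the Splunk add-on or a ServiceNow script include) models the two rules described here and in the multi-record alert section below: how snsecevent parameters and any extra fields are routed into a security incident or its activity log, and how alert defaults apply only when a result field is blank or missing. The incident column list, the short description format, the external_url column name and the sample row are assumptions.

```javascript
// Added example: field routing from a Splunk security event into a security
// incident. Not ServiceNow or add-on code; names below are assumptions.

// Hypothetical subset of Security Incident columns reachable through the
// transform map (the real list is whatever the instance's map contains).
const INCIDENT_COLUMNS = new Set([
  "short_description", "category", "subcategory", "cmdb_ci", "description",
  "location", "priority", "assignment_group", "assigned_to", "affected_user",
  "attack_vector", "watch_list", "source_ip",
]);

// snsecevent parameters with a fixed destination (see the table above).
const FIXED_PARAMETERS = new Set(["node", "type", "resource", "source", "external_url"]);

function isBlank(value) {
  return value === undefined || value === null || String(value).trim() === "";
}

// Multi-record alert rule: a default is used only when the search result
// has no value (blank or absent); a present value overrides the default.
function applyAlertDefaults(resultRow, defaults) {
  const merged = { ...resultRow };
  for (const [field, fallback] of Object.entries(defaults)) {
    if (isBlank(merged[field])) merged[field] = fallback;
  }
  return merged;
}

// Event-to-incident rule: required parameters feed the Affected CI and the
// short description; source goes to the activity log; every other field is
// used when a matching empty column exists, otherwise it is logged.
function buildIncidentFromEvent(event) {
  for (const p of ["node", "type", "resource"]) {
    if (isBlank(event[p])) throw new Error(`snsecevent requires '${p}'`);
  }
  const incident = {
    cmdb_ci: event.node,                                               // Affected CI
    short_description: `${event.type}: ${event.resource} on ${event.node}`, // assumed format
  };
  const activityLog = [];
  if (!isBlank(event.source)) activityLog.push(`source: ${event.source}`);
  if (!isBlank(event.external_url)) incident.external_url = event.external_url; // assumed column
  for (const [name, value] of Object.entries(event)) {
    if (FIXED_PARAMETERS.has(name) || isBlank(value)) continue;
    if (INCIDENT_COLUMNS.has(name) && isBlank(incident[name])) {
      incident[name] = value;                    // column exists and is empty
    } else {
      activityLog.push(`${name}: ${value}`);     // no such column: activity log
    }
  }
  return { incident, activityLog };
}

// Constructed sample: one row as a "Create Multiple Security Events" alert
// built from the security event search example could deliver it.
const SAMPLE_ROW = {
  node: "devbox01",
  type: "monitoring",
  resource: "/codearchive/password/password_decrypt.cpp",
  source: "splunk-search-head",
  subcategory: "sensitive Data Monitoring",
  description: "found_ip=203.0.113.7 accessed password_decrypt.cpp",
  source_ip: "203.0.113.7",
  category: "",                // blank in the result: the default applies
  analyst_note: "seen twice",  // no such incident column: goes to the log
};
const SAMPLE_DEFAULTS = { category: "Data Leakage", priority: "3" };

function runSample() {
  return buildIncidentFromEvent(applyAlertDefaults(SAMPLE_ROW, SAMPLE_DEFAULTS));
}
```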

Single-record Splunk alerts

Within any alert, you can specify security events or security incidents to be created when the alert is fired. Open or create your alert, and when editing actions, select the type of record you want and fill in the alert dialog box.

Multiple-record, custom field Splunk alerts

Multi-record alerts (defined using the Create Multiple Security Incidents and Create Multiple Security Events trigger actions) can automatically create records with any set of supported fields. These act differently from the other alert actions in that default values are provided. However, most of the data comes from the search result for that alert.

Note: In previous versions of the add-on and this documentation, scripted alerts were supported. That feature has been deprecated and replaced by these instructions.

Create a multi-record, custom field Splunk alert

To create a multiple record Splunk alert with custom fields, you must build a search that is designed to match the columns you want to populate.

1. Navigate to Search.
2. In the Search box, create a search that generates your record data. See the examples for recommended search criteria.
3. Click Save As and select Alert.
4. Set the name, permissions, and schedule, as needed.
5. Click Add Actions.
6. Make one of the following selections:
   To create one event per result from your search, select Create Multiple Security Events.
   To create one incident per result from your search, select Create Multiple Security Incidents.
7. Set any defaults, as needed. If the field in the search result is blank or not present, the defaults are used. If there is a value in the result, the defaults are overwritten.

Multi-record, custom field Splunk alert examples

When you are creating multiple record Splunk alerts with custom fields, you need to define search criteria for generating alert data. Examples of search criteria for security incidents and security events are shown.

Security incident search

For a security incident, this criteria builds a search to fill in columns in the security incident table.

host=development source="/codearchive/password/password_decrypt.cpp" | eval contact_type="monitoring" | eval cmdb_ci=host | eval subcategory="sensitive Data Monitoring" | eval description=_raw | eval source_ip=found_ip

Security event search

For a security event, this is the same search, but it populates event fields instead. If this event is turned into a security incident, any fields that do not exist in the event but are populated are transferred to the security incident. Otherwise, they remain in the additional information field of the event and alert.

host=development source="/codearchive/password/password_decrypt.cpp" | eval type="monitoring" | eval node=host | eval source=source | eval subcategory="sensitive Data Monitoring" | eval description=_raw | eval source_ip=found_ip

Note: The search criteria you use will add as many records as are found in the search. It may add 5 or 10,000,000,000 records, so this is NOT a recommended method for the bulk transfer of data. The intent of this method is to add one record per REST call into the instance.

End User Licence Agreement

BY DOWNLOADING, INSTALLING, OR USING THE SERVICENOW SECURITY OPERATIONS FOR SPLUNK ("SOFTWARE"), YOU (THE INDIVIDUAL OR LEGAL ENTITY, HEREIN REFERRED TO AS "YOU" OR "YOUR" OR "USER") AGREE TO BE BOUND BY THE TERMS OF THIS END USER LICENSE AGREEMENT ("EULA"). IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA, YOU MUST NOT DOWNLOAD, INSTALL OR USE THE SOFTWARE AND YOU MUST DELETE OR RETURN THE UNUSED SOFTWARE TO THE VENDOR FROM WHICH YOU ACQUIRED IT WITHIN THIRTY (30) DAYS AND REQUEST A REFUND OF THE LICENSE FEE, IF ANY, THAT YOU PAID FOR THE SOFTWARE.

ACKNOWLEDGEMENT. ServiceNow provides the Software to you "as is" and "as available" and as an accommodation to you to integrate your Splunk deployment with the subscription service, to which you must have purchased the necessary use rights pursuant to a separate purchase agreement ("Agreement"). The Software will collect and transmit user data to the subscription service. ServiceNow may at any time remove your access to this Software or terminate the availability of this Software without any liability to you or any third party.
In the event of termination, you must remove and destroy all copies of the Software, including all backup copies from all devices you own, possess or control and on which the Software is installed.

SCOPE OF LICENSE. Subject to your compliance with this EULA, ServiceNow hereby grants to you a royalty-free, sub-licensable, transferable, non-exclusive, worldwide right and license to use, reproduce, display, perform, import and export the Software. The Software is licensed, not sold.

RESTRICTIONS. You shall not (i) license, sub-license, sell, re-sell, rent, lease, transfer, distribute or time share or otherwise make the Application available for access by third parties in whole or in part; (ii) modify the Application or otherwise create derivative works thereof; (iii) use the Software to access the subscription service in a manner not authorized by the Agreement or this EULA; (ii) remove or obscure any copyright, trademark, patent, or other proprietary notices, legends or symbols from the Software; (iii) otherwise access or use the Software except as expressly authorized in this EULA; (iv) use the Software in any manner which violates any applicable law or regulation; (v) modify or distribute the Software for use with anything other than the designated Splunk software; or (vi) encourage or assist any third party to do any of the foregoing.

OPEN SOURCE SOFTWARE. "Open Source Software" or "OSS" means software components embedded in the Software and provided under separate license terms, which can be found in the Open Source Disclosure File (or similar file) provided within the Software. Notwithstanding anything herein to the contrary, Open Source Software is licensed to you under such OSS's own applicable license terms, which can be found in the Open Source Disclosure File. These OSS license terms are consistent with the license granted in this EULA, and may contain additional rights benefiting you. The OSS license terms shall take precedence over this EULA to the extent that this EULA imposes greater restrictions on you than the applicable OSS license terms. To the extent the license for any Open Source Software requires ServiceNow to make available to you the corresponding source code and/or modifications (the "Source Files"), you may obtain a copy of the applicable Source Files by sending a written request, with your name and address to: ServiceNow, Inc., 2225 Lawson Lane, Santa Clara, CA 95054, United States of America. All requests should clearly specify: Open Source Files Request, Attention: General Counsel. This offer to obtain a copy of the Source Files is valid for three years from the date you acquired this Software.

DISCLAIMER OF WARRANTIES. SERVICENOW DISCLAIMS RESPONSIBILITY FOR ANY HARM RESULTING FROM YOUR USE OF THIS SOFTWARE. SERVICENOW DISCLAIMS TO THE FULLEST EXTENT PERMITTED, ALL GUARANTEES AND EXPRESS, IMPLIED AND STATUTORY WARRANTIES, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT OF PROPRIETARY RIGHTS, AND ANY WARRANTIES REGARDING THE AVAILABILITY, SECURITY, RELIABILITY, TIMELINESS AND PERFORMANCE OF THIS SOFTWARE.
YOU DOWNLOAD AND USE THIS SOFTWARE AT YOUR OWN DISCRETION AND RISK, AND YOU ARE SOLELY RESPONSIBLE FOR ANY DAMAGES TO YOUR HARDWARE DEVICES OR LOSS OF DATA THAT RESULT FROM THE DOWNLOAD OR USE OF THIS SOFTWARE.

LEGAL COMPLIANCE. The Software may be subject to United States export control regulations. Without prior authorization from the United States government, you shall not use the Software for, and shall not permit the Software to be used for, any purposes prohibited by United States law, including, without limitation, for any prohibited development, design, manufacture or production of missiles or nuclear, chemical or biological weapons. Without limiting the foregoing, You represent and warrant that: (1) You are not, and are not acting on behalf of, any person who is a citizen, national, or resident of, or who is controlled by the government of, Cuba, Iran, North Korea, Sudan, or Syria, or any other country to which the United States has prohibited export transactions; (2) You are not located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a terrorist supporting country; and (3) You are not, and are not acting on behalf of, any person or entity listed on the U.S. Treasury Department list of Specially Designated Nationals and Blocked Persons, or the U.S. Commerce Department Denied Persons List, Unverified List, or Entity List or any other U.S. Government list of prohibited or restricted parties unless authorized by license or regulation.

INTELLECTUAL PROPERTY. ServiceNow and its licensors own all right, title, and interest in and to this Software, including intellectual property rights therein. All rights not expressly granted herein are reserved.

LIMITATION OF LIABILITY. TO THE MAXIMUM EXTENT MANDATED BY LAW, IN NO EVENT WILL SERVICENOW AND ITS LICENSORS BE LIABLE FOR ANY LOST PROFITS OR BUSINESS OPPORTUNITIES, LOSS OF USE, BUSINESS INTERRUPTION, LOSS OF DATA, OR ANY OTHER INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES UNDER ANY THEORY OF LIABILITY, WHETHER BASED IN CONTRACT, TORT, NEGLIGENCE, PRODUCT LIABILITY, OR OTHERWISE. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE PRECEDING LIMITATION MAY NOT APPLY TO YOU. SERVICENOW'S AND ITS LICENSORS' LIABILITY UNDER THIS EULA WILL NOT, IN ANY EVENT, EXCEED $10 USD. THE FOREGOING LIMITATIONS SHALL APPLY REGARDLESS OF WHETHER SERVICENOW OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF WHETHER ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

INDEMNIFICATION. You will indemnify and hold ServiceNow harmless from any claim made by any third party due to or arising directly or indirectly out of your conduct or its connection with your use of this Software, violation of the terms herein, and any violation of any applicable law or regulation. ServiceNow reserves the right, at its own expense, to assume the exclusive defense and control of any matter subject to indemnification by you, but doing so will not excuse your indemnity obligations.

SUPPORT. If you have a support question regarding the Software, use ServiceNow's standard support process to receive assistance. More information is available on support.do.

CONTRACTING PARTIES. If you reside in North America, the contracting party is ServiceNow, Inc., 2225 Lawson Lane, Santa Clara, CA 95054. If you reside outside of North America, the contracting party is ServiceNow Nederland B.V., Hoekenrode 3, 1102 BR Amsterdam, The Netherlands. This EULA is governed by the laws of the State of California, United States of America, unless mandated by other law. The United Nations Convention for the International Sale of Goods shall not apply.

COMPLAINTS. If you have questions, complaints or claims with respect to the Software, please direct them to legalnotices@servicenow.com.

ENTIRE AGREEMENT. This EULA represents the entire agreement between the parties with respect to the Software, and supersedes any prior or contemporaneous oral or written agreements concerning the subject matter contained herein.

HEADINGS. Headings under this EULA are intended only for convenience and shall not affect the interpretation of this EULA.

WAIVER AND MODIFICATION. No failure of either party to exercise or enforce any of its rights under this EULA will act as a waiver of those rights. This EULA may only be modified, or any rights under it waived, by a written agreement executed by the party against which it is asserted.

SEVERABILITY. If any provision of this EULA is found illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the other provisions of this EULA will not be affected.

US GOVERNMENT RESTRICTED RIGHTS. The Software and Documentation are deemed to be commercial computer SOFTWARE and commercial computer Software documentation, respectively, pursuant to DFAR Section and FAR Section (b), as applicable. Any use, modification, reproduction, release, performance, display, or disclosure of the Software by the U.S. Government shall be governed solely by the terms of this EULA.

ADDITIONAL TERMS. The following additional terms and conditions apply to you on your use of the Software. In the event of any conflict between these additional terms and the rest of the EULA, these additional terms shall control. For the purposes of this EULA, "Splunk" refers to Splunk Inc., a Delaware corporation, with its principal place of business at 250 Brannan Street, San Francisco, California 94107, U.S.A. To the extent that the usage rules for the Software set forth in the Splunk Websites Terms and Conditions of Use are more restrictive, such usage rules shall apply.

1. ServiceNow is solely responsible for the Software, including, without limitation, for any warranties, maintenance and support, notices and consents to be given to Users. You agree that Splunk does not in any way warrant the accuracy, reliability, completeness, usefulness, non-infringement, or quality of this Software and that Splunk shall not be liable or responsible in any way for any losses or damage of any kind, including lost profits or other indirect or consequential damages, relating to your use of or reliance upon this Software.
2. Splunk is not responsible for the privacy, security or integrity of any data collected or transmitted by the Software.
3. You must comply with any applicable third party terms of agreement when using this Software, if any.
4. Any translation of this EULA is done for local requirements and in the event of a dispute between the English and any non-English version, the English version of this EULA shall govern. If you are located in the province of Quebec, Canada, the following clause applies: The parties hereby confirm that you have requested this EULA and all related documents be drafted in English. Les parties ont exigé que le présent contrat et tous les documents connexes soient rédigés en anglais.
5. This Software was created using Splunk's standard application programming interface specification. Splunk and its licensors own all right, title, and interest in and to this Software, including intellectual property rights therein.

Tanium integration

The Tanium integration uses a workflow and workflow activities to return running processes for affected CIs.

Explore
  Tanium Integration integration overview on page 381
  integrations on page 256

Set up
  Tanium Endpoint Platform Integration setup on page 381
  Activate and configure the Tanium integration on page 382

Use
  Tanium integration orchestration workflow and activities on page 383
  Tanium - Get Running Processes workflow on page 383
  Tanium - Get File Details workflow on page 392

Develop
  integration development guidelines on page 256
  Tips for writing integrations on page 263
  Developer training
  Developer documentation

Troubleshoot and get help
  Integration troubleshooting on page 264
  Ask or answer questions in the Security Operations community
  Search the HI Knowledge Base for known error articles
  Contact Support

Tanium Integration integration overview

Tanium is an endpoint security and systems management company whose platform integrates easily with ServiceNow. Whenever a CI is added to an open security incident in Security Incident Response, the Tanium - Get Running Processes workflow is triggered when the record is saved. Tanium is asked a Get Processes question, and Tanium returns the running processes for the affected CI in a table. For more information on the workflow and associated workflow activities, see Tanium - Get Running Processes workflow on page 383.

Tanium Endpoint Platform Integration setup

Before you can use the Tanium integration, activate the plugin and configure the integration. If necessary, you must also update your X.509 SSL certificate.

Activate and configure the Tanium integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including the Tanium integration.

Role required: admin

Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

1. Navigate to > Integration Configuration. The available security integrations appear as a series of cards.
2. In the Tanium card, click Install Plugin.
3. In the Install Tanium integration dialog box, review the plugin details and click Activate.
4. When the activation is complete, click Close & Reload Form. The Security Integration screen reloads and the Configure button for the integration is available.
5. Click Configure.
6. Fill in the fields on the Tanium Configuration form, as appropriate.

   Tanium Server URL
     The URL for accessing the Tanium server SOAP endpoint. Typically, the URL takes a format similar to tanium.server.local/soap. An IP address can also be used, for example https://<IP address>/soap.

   Tanium Username and Password
     The username and password for the Tanium integration administrator (for Tanium version 6.1 and above).

   Tanium Session (pre 6.1)
     The Tanium Session SOAP key (for Tanium versions prior to 6.1). For Tanium 6.1 and later installations, this field is typically left empty.

   Running Processes Sensor
     The name of the Running Processes sensor to use. For example, Running Processes.

   IP Address Sensor
     The name of the IP address sensor to use for limiting a query to a set of specific client machines. For example, IP Address.

   Index File Sensor
     The name of the sensor used to get file details. This field defaults to Index Query File Details.

   Max Index File Entries per IP
     The limit on the number of files returned per machine in a Get File Details query. This field defaults to 10.

   Use MID Server
     If the Tanium server is behind a MID Server, authentication credentials must be included in the body of SOAP messages. The credentials, along with the rest of the SOAP message body, are stored as plain text in the External Communication Channel (ECC) queue.

7. Click Submit to store the integration configuration.

Update your X.509 certificate

If you require an SSL connection for the integration, there are circumstances when the certificate provided by the third-party vendor is either not yet trusted in ServiceNow or has expired. This task is optional.

Role required: admin

1. Acquire the SSL certificate from the third-party vendor. For example, you can import an X.509 Certificate (PEM) from an SSL endpoint in the Firefox browser, as follows.
   a) Enter the endpoint URL into the browser address bar. For example:
   b) Click the lock icon in the address line.
   c) Click More Information and click the Security tab.
   d) Click View Certificate and click the Detail tab.
   e) Click Export to save the PEM into your local file system.
   f) Open the saved file in any text editor tool and copy the content to the clipboard. It must begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
2. Navigate to System Definition > Certificates.
3. Click New and create a new record for the integration.
4. In PEM Certificate, paste in the certificate you downloaded and copied into the clipboard earlier.
5. Click Save. The other fields in the record are generated automatically.

Tanium integration orchestration workflow and activities

The base system includes workflow activities you can use to integrate Tanium with your instance.

Tanium - Get Running Processes workflow

This workflow creates an audit trail, and the Tanium: Get-Processes Question activity takes the IPv4 address of the CI as input and runs a query on the Tanium server. The output is a list of all the running processes on the affected CI. When the Configuration item field in a security incident is modified, this workflow is launched.

Figure 21: Tanium Integration - Get Running Processes workflow

How the workflow works

Given a string question ID (normally the result of an AddObject command), the Tanium: Check if Done activity queries the Tanium server to check if data collection is complete. This activity uses the sn_sec_tanium.taniumendpointutil script include and relies on the GetResultInfo Tanium server SOAP message.

When the Tanium: Check if Done activity returns true, the Tanium: Get Result Data from Response activity collects all the data returned from the Tanium server in answer to the Get-Processes question. The output consists of an array of objects, each containing key-value pairs composed of the column and values returned from the server. If no data is received from the server, the output is an empty array.

Create Enrichment Data records activity

This workflow activity stores workflow output data in a table. The Create Enrichment Data records workflow activity can be used with any workflow to store workflow output data. It creates records on the sn_si_enrichment table.

Input variables

Input variables determine the initial behavior of the activity.

Table 174: Input variables
  task_id [string]: The task identifier (task_id) of a configuration item record.
  content [string]: The raw data coming back from running workflows in a JSON-formatted string. This JSON string is used to populate this record and the related table (sn_si_enrichment_data) records.
  type [string]: Values can be either process or netstat.
  ci [string]: Configuration item.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 175: Output variables
  result [string]: JSON-formatted data that is parsed and stored in name/value pairs.


Get IP from CI activity

This workflow activity determines the IPv4 address associated with a configuration item (CI). The Get IP from CI activity can be used with any workflow to retrieve the IPv4 address of a CI.

Input variables

Input variables determine the initial behavior of the activity.

Table 176: Input variables
  ci_sys_id [string]: Configuration item system identifier.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 177: Output variables
  ip_addr [string]: IPv4 address. If the IP address cannot be determined, this value is empty.

Exit Conditions

Possible results for this activity are:

Table 178: Conditions
  Success: An IPv4 address was returned.
  Failure: An IPv4 address could not be determined.

Tanium: Build Get-Processes Request activity

This workflow activity takes the IPv4 address of a CI added to a security incident and builds a request to the Tanium server for all the running processes for that CI. The output is the details necessary for executing the request, with the payload encrypted.

Input variables

Input variables determine the initial behavior of the activity.

Table 179: Input variables
  ci_ip_address [string]: The IPv4 address of the CI that was added to a security incident. This input field is mandatory.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 180: Output variables
  endpoint [string]: The encrypted endpoint from the database.
  request_body [Encrypted]: The SOAP request body.
  http_timeout [Integer]: The HTTP timeout value, in seconds.
  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.

Tanium: Build Check if Done Request activity

This workflow activity builds a request of the Tanium server to check if data collection for the question is complete. It returns the encrypted request and other components necessary to execute the request.

Input variables

Input variables determine the initial behavior of the activity.

Table 181: Input variables
  question_id [integer]: The Question ID returned from the Tanium server.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 182: Output variables
  endpoint [string]: The encrypted endpoint from the database.
  request_body [Encrypted]: The SOAP request body.
  http_timeout [Integer]: The HTTP timeout value, in seconds.

  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.

Tanium: Build Get Result Data Request activity

This workflow activity builds a request to collect all the data returned from Tanium in answer to a question. It takes a Question ID as input and provides the output to execute the request, including an encrypted SOAP envelope payload.

Input variables

Input variables determine the initial behavior of the activity.

Table 183: Input variables
  question_id [string]: The question ID of the question posed to Tanium.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 184: Output variables
  endpoint [string]: The encrypted endpoint from the database.
  request_body [Encrypted]: The SOAP request body.
  http_timeout [Integer]: The HTTP timeout value, in seconds.
  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.

Tanium: Determine if done from Response activity

This workflow activity determines if a request has completed based on the response body.

Input variables

Input variables determine the initial behavior of the activity.

Table 185: Input variables
  response_body [string]: The SOAP response body returned from Tanium.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 186: Output variables
  done [Boolean]: Returns true if the request processing is done.

Tanium: Execute Request activity

This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body. The request body itself is the encrypted SOAP envelope.

Input variables

Input variables determine the initial behavior of the activity.

Table 187: Input variables
  request_body [Encrypted]: The SOAP request body. This input field is mandatory.
  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.
  endpoint [string]: The encrypted endpoint from the database. This input field is mandatory.
  http_timeout [integer]: The HTTP timeout value, in seconds.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 188: Output variables
  status_code [integer]: Standard HTTP status codes.
  header [string]: The SOAP header.
  body [string]: The SOAP body.
  error [string]: Any errors provided by the server.

Tanium: Get Question ID from Response activity

This workflow activity processes the response body to obtain the Question ID.

Input variables

Input variables determine the initial behavior of the activity.

Table 189: Input variables
  response_body [string]: The SOAP response body.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 190: Output variables
  question_id [integer]: The Question ID returned from the Tanium server.

Tanium: Get Result Data from Response activity

This workflow activity processes the response body from the result data and outputs an array of JSON objects representing the results from Tanium.

Input variables

Input variables determine the initial behavior of the activity.

Table 191: Input variables
  response_body [string]: The SOAP response body.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 192: Output variables
  ResultData [Array]: An array of objects, each containing key-value pairs composed of the column and values returned from the server. If no data is received from the server, the output is an empty array.
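The following added example (illustrative JavaScript, not ServiceNow, Tanium or workflow-activity code) walks the Get Running Processes sequence end to end: build and execute the Get-Processes request, read back the Question ID, repeat Check if Done until the server reports completion or a poll limit is hit, collect the result data (an empty array when nothing is returned), and turn it into enrichment records. The in-memory stand-in for the Tanium server, its method names, the sample column names and the task number are constructed; the real activities exchange SOAP envelopes through the sn_sec_tanium.taniumendpointutil script include, whose message format is not reproduced.

```javascript
// Added example: the Get Running Processes orchestration logic run against a
// constructed in-memory stand-in for the Tanium server (not the real SOAP API).

// A question becomes answerable after `pollsUntilDone` Check if Done calls.
function makeFakeTanium(rowsByIp, pollsUntilDone) {
  let nextId = 100;
  const questions = new Map();
  return {
    // Stands in for the AddObject round trip behind Build/Execute Get-Processes
    // Request and Get Question ID from Response.
    addQuestion(ipAddress) {
      const id = nextId++;
      questions.set(id, { ipAddress, polls: 0 });
      return id;
    },
    // Stands in for GetResultInfo: is data collection for the question complete?
    isDone(questionId) {
      const q = questions.get(questionId);
      if (!q) throw new Error(`unknown question ${questionId}`);
      q.polls += 1;
      return q.polls >= pollsUntilDone;
    },
    // Stands in for Get Result Data: rows for the questioned IP, or nothing.
    resultData(questionId) {
      const q = questions.get(questionId);
      return rowsByIp[q.ipAddress] || [];
    },
  };
}

// Mirrors the workflow: Get IP from CI must succeed, then poll until done.
// `maxPolls` bounds the Check if Done loop so a stalled question cannot hang
// the workflow forever (the page's activities carry an http_timeout per call).
function getRunningProcesses(server, ciIpAddress, maxPolls) {
  if (!ciIpAddress) return { status: "failure", ResultData: [] }; // Get IP from CI failed
  const questionId = server.addQuestion(ciIpAddress);
  for (let attempt = 0; attempt < maxPolls; attempt++) {
    if (server.isDone(questionId)) {
      return { status: "success", questionId, ResultData: server.resultData(questionId) };
    }
  }
  return { status: "timeout", questionId, ResultData: [] };
}

// Stands in for Create Enrichment Data records: one sn_si_enrichment record
// holding the JSON content, plus one sn_si_enrichment_data name/value pair
// per column of every returned row.
function createEnrichmentRecords(taskId, ci, type, resultData) {
  if (type !== "process" && type !== "netstat") throw new Error(`unsupported type ${type}`);
  const pairs = [];
  resultData.forEach((row, index) => {
    for (const [name, value] of Object.entries(row)) {
      pairs.push({ row: index, name, value: String(value) });
    }
  });
  return {
    enrichment: { task_id: taskId, ci, type, content: JSON.stringify(resultData) },
    data: pairs,
  };
}

// Constructed sample result set keyed by CI IP address (RFC 5737 range);
// the column names are illustrative, not Tanium's sensor schema.
const SAMPLE_PROCESSES = {
  "192.0.2.10": [
    { "Computer Name": "WS-0042", "Process Name": "svchost.exe", "PID": "812" },
    { "Computer Name": "WS-0042", "Process Name": "powershell.exe", "PID": "4211" },
  ],
};

function runSampleWorkflow() {
  const server = makeFakeTanium(SAMPLE_PROCESSES, 3); // done on the third poll
  const result = getRunningProcesses(server, "192.0.2.10", 5);
  const records = createEnrichmentRecords("SIR0001001", "ci-sys-id", "process", result.ResultData);
  return { result, records };
}
```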

Tanium - Get File Details workflow

This workflow queries the Tanium server for the existence of files with a specific hash value or file name. The activities collect the results and store them as enrichment data on a security incident.


Note: This workflow illustrates how you can query the Tanium server for the existence of files with a specific hash value or file name, collect the data, and store it as enrichment data on a security incident. In its current implementation, the workflow does not return the enriched data for use by the system. It is provided to exemplify the process you can use to increase the effectiveness of your security incident investigation.

Create Enrichment Data records activity

This workflow activity stores workflow output data in a table. The Create Enrichment Data records workflow activity can be used with any workflow to store workflow output data. It creates records on the sn_si_enrichment table.

Input variables

Input variables determine the initial behavior of the activity.

Table 193: Input variables
  task_id [string]: The task identifier (task_id) of a configuration item record.
  content [string]: The raw data coming back from running workflows in a JSON-formatted string. This JSON string is used to populate this record and the related table (sn_si_enrichment_data) records.
  type [string]: Values can be either process or netstat.
  ci [string]: Configuration item.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 194: Output variables
  result [string]: JSON-formatted data that is parsed and stored in name/value pairs.


Tanium: Build Check if Done Request activity

This workflow activity builds a request of the Tanium server to check if data collection for the question is complete. It returns the encrypted request and other components necessary to execute the request.

Input variables

Input variables determine the initial behavior of the activity.

Table 195: Input variables
  question_id [integer]: The Question ID returned from the Tanium server.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 196: Output variables
  endpoint [string]: The encrypted endpoint from the database.
  request_body [Encrypted]: The SOAP request body.
  http_timeout [Integer]: The HTTP timeout value, in seconds.
  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.

Tanium: Build Get File Details Request activity

To aid in an investigation, this activity can be used to build a request to query Tanium for files that satisfy defined input criteria. The criteria are all evaluated together, so only files satisfying all the criteria are returned. This activity relies on information in the Tanium integration configuration (Max Index File Entries per IP) to determine the maximum number of files returned per machine.

Input variables

Input variables determine the initial behavior of the activity.

Table 197: Input variables
  md5hash [string]: A string containing the (possibly partial) MD5 hash of files to be located. The (*) glob wildcard character is allowed. For example, an input of 4dc0* locates all files with a hash starting with 4dc0.

  filename [string]: A string containing the name (possibly including a wildcard) of files to be located. For example, a filename entry of *tanium* returns all files containing the word tanium anywhere in the file name.
  sensor_source_id [string]: The sensor source ID associated with the index file detail sensor. It is used to perform a parametrized query. This input field is mandatory.

Note: If an input variable is not specified, that criterion is not used.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 198: Output variables
  endpoint [string]: The encrypted endpoint from the database.
  request_body [Encrypted]: The SOAP request body.
  http_timeout [Integer]: The HTTP timeout value, in seconds.
  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.

Tanium: Build Get Result Data Request activity

This workflow activity builds a request to collect all the data returned from Tanium in answer to a question. It takes a Question ID as input and provides the output to execute the request, including an encrypted SOAP envelope payload.

Input variables

Input variables determine the initial behavior of the activity.

Table 199: Input variables
  question_id [string]: The question ID of the question posed to Tanium.

Output variables

The output variables contain data that can be used in subsequent activities.

398

Table 200: Output variables
  endpoint [string]: The encrypted endpoint from the database.
  request_body [Encrypted]: The SOAP request body.
  http_timeout [Integer]: The HTTP timeout value, in seconds.
  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.

Tanium: Build Get Sensor ID Request activity

This activity takes a sensor name and builds a request to perform a lookup on the Tanium server. It returns a sensor ID used by subsequent activities.

Input variables
Input variables determine the initial behavior of the activity.

Table 201: Input variables
  sensor_name [string]: A string that identifies the sensor name.

Output variables
The output variables contain data that can be used in subsequent activities.

Table 202: Output variables
  endpoint [string]: The encrypted endpoint from the database.
  request_body [Encrypted]: The SOAP request body.
  http_timeout [Integer]: The HTTP timeout value, in seconds.
  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.

Tanium: Determine if done from Response activity

This workflow activity determines whether a request has completed, based on the response body.

Input variables
Input variables determine the initial behavior of the activity.

399

Table 203: Input variables
  response_body [string]: The SOAP response body returned from Tanium.

Output variables
The output variables contain data that can be used in subsequent activities.

Table 204: Output variables
  done [Boolean]: Returns true if the request processing is done.

Tanium: Execute Request activity

This workflow activity executes an HTTP request. The inputs define the endpoint and the expected request body; the request body itself is the encrypted SOAP envelope.

Input variables
Input variables determine the initial behavior of the activity.

Table 205: Input variables
  request_body [Encrypted]: The SOAP request body. This input field is mandatory.
  use_mid [Boolean]: A boolean flag indicating whether to use the MID Server.
  endpoint [string]: The encrypted endpoint from the database. This input field is mandatory.
  http_timeout [integer]: The HTTP timeout value, in seconds.

Output variables
The output variables contain data that can be used in subsequent activities.

Table 206: Output variables
  status_code [integer]: Standard HTTP status codes.
  header [string]: The SOAP header.
  body [string]: The SOAP body.

400

  error [string]: Any errors provided by the server.

Tanium: Get Question ID from Response activity

This workflow activity processes the response body to obtain the Question ID.

Input variables
Input variables determine the initial behavior of the activity.

Table 207: Input variables
  response_body [string]: The SOAP response body.

Output variables
The output variables contain data that can be used in subsequent activities.

Table 208: Output variables
  question_id [integer]: The Question ID returned from the Tanium server.

Tanium: Get Result Data from Response activity

This workflow activity processes the result data response body and outputs an array of JSON objects representing the results from Tanium.

Input variables
Input variables determine the initial behavior of the activity.

Table 209: Input variables
  response_body [string]: The SOAP response body.

Output variables
The output variables contain data that can be used in subsequent activities.

401

Table 210: Output variables
  ResultData [Array]: An array of objects, each containing key-value pairs composed of the columns and values returned from the server. If no data is received from the server, the output is an empty array.

Tanium: Get Sensor ID From Response activity

This activity processes the SOAP response body provided as input and outputs the corresponding sensor ID.

Input variables
Input variables determine the initial behavior of the activity.

Table 211: Input variables
  response_body [string]: The SOAP response body coming back from Tanium.

Output variables
The output variables contain data that can be used in subsequent activities.

Table 212: Output variables
  sensor_id [string]: The string sensor ID associated with the requested sensor.

Components installed with the Tanium integration

Several types of components are installed with the Tanium integration. Activating the Tanium Integration plugin adds or modifies several tables, user roles, and other components.

Script includes installed with Tanium Integration
Tanium Integration adds the following script include.

402

Table 213: Script includes for Tanium Integration
  TaniumEndpointUtil: A utility method for sending questions to and receiving answers from the Tanium Endpoint Server.

VirusTotal integration

The VirusTotal integration enables you to request the analysis of suspicious IP addresses, hashes, and URL addresses to aid your investigation in determining whether they are malicious.

Explore
  VirusTotal integration overview on page 402
  Security Operations integrations on page 256

Set up
  VirusTotal integration setup on page 403
  Activate and configure the VirusTotal integration on page 403

Use
  Define rate limits on page 229
  Apply lookup rate limits to lookup sources on page 232
  Update security incident with lookup results workflow on page 434
  Threat Intelligence - Run IoC Lookup workflow on page 242
  View the lookup queue on page 237
  View lookup results on page 237

Develop
  Security Operations integration development guidelines on page 256
  Tips for writing integrations on page 263
  Developer training
  Developer documentation
  Components installed with VirusTotal Integration on page 403

Troubleshoot and get help
  Integration troubleshooting on page 264
  Ask or answer questions in the Security Operations community
  Search the HI Knowledge Base for known error articles
  Contact Support

VirusTotal integration overview

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. It integrates easily with Security Operations. If the VirusTotal lookup source is used and malware is encountered, an observable is created. For IP lookups, an additional list of URLs that share the IP address is created, and observables are created for each of the URLs.

Note: The Threat Intelligence plugin is required in order to implement the VirusTotal integration.
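Returning to the Tanium response-processing activities described earlier (Determine if done from Response, Get Question ID from Response, and Get Result Data from Response), the following is an added example and not the integration's own TaniumEndpointUtil code. It parses a result-data style SOAP response into the array of column/value objects that the ResultData output describes. The response layout (a result_set with columns, rows, and the mr_tested and estimated_total counters used for the completeness check) is an assumption that approximates Tanium's schema, and the sample data is constructed.

```javascript
// Added example, not the ServiceNow Tanium integration's own script include.
// ASSUMPTION: the response layout below approximates Tanium's GetResultData SOAP
// schema; the hosts, addresses and question id are constructed sample data.

const SAMPLE_RESPONSE = `<?xml version="1.0"?>
<return>
  <result_sets><result_set>
    <question_id>1234</question_id>
    <estimated_total>3</estimated_total>
    <mr_tested>3</mr_tested>
    <columns>
      <column><name>Computer Name</name></column>
      <column><name>IP Address</name></column>
      <column><name>Count</name></column>
    </columns>
    <rows>
      <row><c><v>host-a</v></c><c><v>10.0.0.11</v></c><c><v>1</v></c></row>
      <row><c><v>host-b</v></c><c><v>10.0.0.12</v></c><c><v>1</v></c></row>
    </rows>
  </result_set></result_sets>
</return>`;

// Return the inner text of every <tag>...</tag> occurrence, in document order.
function textOf(xml, tag) {
  const re = new RegExp('<' + tag + '>([\\s\\S]*?)</' + tag + '>', 'g');
  const out = [];
  let m;
  while ((m = re.exec(xml)) !== null) out.push(m[1]);
  return out;
}

// Decode the XML entities that can legitimately appear inside returned values.
function unescapeXml(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"')
          .replace(/&apos;/g, "'").replace(/&amp;/g, '&');
}

// "Determine if done": collection is complete once every expected endpoint has reported
// (ASSUMPTION: mr_tested >= estimated_total is the completeness condition).
function isDone(responseBody) {
  const tested = Number(textOf(responseBody, 'mr_tested')[0]);
  const expected = Number(textOf(responseBody, 'estimated_total')[0]);
  return Number.isFinite(tested) && Number.isFinite(expected) && tested >= expected;
}

// "Get Question ID from Response": null when the response carries no question id.
function questionIdOf(responseBody) {
  const id = textOf(responseBody, 'question_id')[0];
  return id === undefined ? null : Number(id);
}

// "Get Result Data from Response": one object per row, keyed by column name;
// an empty array when the server returned no rows.
function resultDataOf(responseBody) {
  const columns = textOf(responseBody, 'column')
    .map(c => unescapeXml(textOf(c, 'name')[0] || ''));
  return textOf(responseBody, 'row').map(row => {
    const values = textOf(row, 'c').map(cell => unescapeXml(textOf(cell, 'v')[0] || ''));
    const obj = {};
    columns.forEach((name, i) => { obj[name] = values[i] !== undefined ? values[i] : ''; });
    return obj;
  });
}
```

A workflow would poll with the Build Check if Done Request / Execute Request pair until isDone returns true, and only then fetch and parse the result data; calling resultDataOf on an incomplete answer silently yields a partial row set, which is why the done check is a separate activity.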

403

VirusTotal integration setup

Before you can use the VirusTotal integration, you must activate the plugin and add the appropriate API key. If necessary, you can also update your X509 SSL certification.

Activate and configure the VirusTotal integration

The Integration Configuration feature allows you to quickly activate and set up third-party security integrations, including VirusTotal Integration.

Role required: admin

Note: This procedure can be used to activate the plugin and configure the integration. You can also activate the plugin using the traditional method.

1. Access VirusTotal and obtain the API Key under your VirusTotal profile.
2. Navigate to Security Operations > Integration Configuration. The available security integrations appear as a series of cards.
3. In the VirusTotal card, click Install Plugin.
4. In the Install VirusTotal integration dialog box, review the plugin details and click Activate.
5. When the activation is complete, click Close & Reload Form. The Security Integration screen reloads and the Configure button for the integration is available.
6. Click Configure.
7. Enter (or paste) the API Key you acquired from the VirusTotal site.
8. Click Submit.

Components installed with VirusTotal Integration

Several components are installed with the VirusTotal Integration. Activating the VirusTotal Integration plugin adds the following script includes.

Script includes installed with VirusTotal Integration
VirusTotal Integration adds the following script includes.

404

Table 214: Script includes for VirusTotal Integration
  VirusTotalBaseIntegration: A base class for VirusTotal integrations.
  VirusTotalFileIntegration: Contains logic for sending a file to VirusTotal to scan.
  VirusTotalHashIntegration: Contains logic for sending a hash to VirusTotal to scan.
  VirusTotalIPIntegration: Contains logic for sending an IP address to VirusTotal to scan.
  VirusTotalIPProcessor: Contains logic to process an IP scan response from VirusTotal.
  VirusTotalScanReportProcessor: Contains logic for processing file, URL, and hash scan responses from VirusTotal.
  VirusTotalURLIntegration: Contains logic for sending a URL to VirusTotal to scan.

Security Operations common functionality

Whenever any of the plugins for the main applications (Security Incident Response, Vulnerability Response, or Threat Intelligence) is activated, the Security Support Common plugin is activated. This plugin loads various modules that provide functionality common across all Security Operations applications.

Note: Only users with the Security Support Common Admin role [sn_sec_cmn.admin] can view and use the module. This role is inherited when you are assigned an administrative role in any of the applications.

Create and define filter groups in Security Operations

Create and use filter groups to locate records from any table on your instance. For example, you can create a group of all computers by the same manufacturer. You can also filter configuration items (CIs) that have similar vulnerabilities or that fall within a particular subnet IP address range.

Role required: sn_sec_cmn.write

Filter groups can contain dynamically updated records, a series of static records that are not filtered using conditions, or a combination of dynamically updated and static records.

1. Navigate to Security Operations > Groups > Filter Groups.
2. Click New.
3. Fill in the fields on the form, as appropriate.
  Name: The name of the filter group.
  Active: Select this check box to activate the group.
  Description: Enter a description for the filter group.

405

  Network IP Address: The network IP address that contains the IP addresses of the CIs you want to add to the group. This field appears only if you selected Configuration Item [cmdb_ci] or a table that extends configuration item in the Table field.
  Subnet Mask: The subnet that contains the IP addresses of the CIs you want to add to the group, for example, This field appears only if you selected Configuration Item [cmdb_ci] or a table that extends configuration item in the Table field.
  Table: The table to be filtered on.
  Condition: Use the condition builder to define the criteria to be filtered.
4. Right-click in the form header and select Save. An Advanced Conditions tab appears. More tabs appear depending on the type of table you specified in the Table field, as follows:
  Configuration Item [cmdb_ci] or a table that extends the configuration item table: Manually Added CIs and Matching CIs
  Task [task] or a table that extends the task table: Manually Added Tasks and Matching Tasks
  A table not related to a configuration item or task: Manually Added Record
5. To define more conditions for your filter group:
  a) Click Advanced Conditions.
  b) Insert a new row into the Additional Filter Group Conditions embedded list to select other prebuilt filter groups that you want to combine with the filter group being updated. If you want the selected filter group to filter records based on a reference field, a mapped field is automatically selected when the current record is saved.
     Note: The Mapped Field value cannot be edited from the Additional Filter Group Conditions embedded list. To change the field, click the information icon to open the record.
  c) Click Update.
6. To manually add more CIs or tasks to the filter group:
  a) Click the Manually Added CIs or Manually Added Tasks tab.
  b) Click Edit.
  c) Select the CIs or tasks you want to add.

406

  d) Click Save.
7. To view the CIs or tasks that match your selection criteria:
  a) Click the Matching CIs or Matching Tasks tab.
  b) If you changed the criteria, refresh the list by right-clicking in the header and selecting Refresh List.

Security Operations email processing

You can set up the integration of information from external detection systems, provide granularity in processing Security Operations records, handle unmatched emails, and prevent duplication of records using Email Processing.

Email Processing consists of these features:
  Email Parsing: Generates new records from external system emails.
  Duplication Rules: Identifies new emails with known incidents and processes them appropriately.
  Email Properties: Specifies the email accounts used as input in Email Parsing for security, vulnerability, and IoCs. Provides granularity in processing Security Operations records.
  Unmatched Emails: Lists emails that do not match any Security Operations record.

Security Operations email properties

Email Properties specify which inboxes are used as input in Email Parsing to import information from external detection systems and create records for security, vulnerability, and IoCs. You can set up a general email account for all external detection systems to use, or individual accounts for Security Incident Response, Threat Intelligence, or Vulnerability Response.

Create Security Operations email properties

You can specify email addresses for reports and control automatic behaviors using Email Properties.

Role required: sn_sec_cmn.admin

Set up external detection tools to send emails to your parsing inbox.

1. Navigate to Security Operations > Email Processing > Properties.
2. Enter your recipient mailboxes as appropriate:

Table 215: Email parsing properties
  Inbox for Security Operations tools: Full email address for Security Operations. For example, secops_support@yourcompany.com.

407

  Inbox for Security Incident tools: Full email address for Security Incident Response. For example,
  Inbox for Vulnerability Response tools: Full email address for Vulnerability Response. For example,
  Inbox for Threat Intelligence tools: Full email address for Threat Intelligence. For example,
3. Click Save.

Security Operations email parsing

Generate new records from external detection systems by using Email Parsing. This feature provides a method of integrating information from external tools, such as malware detection, vulnerability detection, firewalls, threat intelligence, and more.

How emails are parsed

Any system that can send an email can create records, for example, security incidents, requests, vulnerable items, vulnerabilities, security incident observables, attack methods, and more. All plugins (Security Incident Response, Threat Intelligence, and Vulnerability Response) have a property (email_to) that defines the address to which external integrations should send emails so that they are parsed by the email parsers. See Email Processing > Properties for more information.

Email sent to any of the addresses is stored in an email events table. These emails are processed to determine whether they match any existing email parser. Emails that have a match are flagged, and the transform and duplication rules create or update a Security Operations record. The email is linked to that record and flagged as matched.

Emails that do not match are removed from the table and listed in Unmatched Emails. These emails can be reviewed to help build parsers that handle them. A reprocess action allows you to run the unmatched email through the parsers again. The original email log is linked to that record.

The duplication rules for the email transform manage multiple emails relating to the same issue. These rules define what makes a duplicate record and can prevent duplicate records from being created. When a duplicate is detected, the rule specifies what action to take: no action (does not create a new record), create the new record as a child of the existing record, or update the existing record. The duplicate rule specifies which fields in the existing record are updated. By default, email events are deleted after 30 days.

Multiple records

External detection systems (malware detectors, vulnerability detectors, and so on) can send emails that report on multiple items at one time. The email parser supports separators within the email. For example, a malware detector could send you an email report about all systems within your network infected by one particular malware, with information about the malware first, followed by a list of the systems affected.

408

In this example, when the Record Separator in your Email Transform is set to =================, it splits the email into four sections that are evaluated separately. This creates a security incident for each of the three affected systems. The header section is detected as not having any affected systems, so its data is used in all three records and it does not create a fourth record.

Field Transforms pull in data from each section. For data in a header or footer of the email that applies to all records, such as Malware Hash, Malware Name, and Type in this example, the field transform should set Search for value to a location that searches the whole body: either At the start of a line in the body or Anywhere in the body. Field transforms for data defined within each section, such as System, IP address, or Status, must be set to search At the start of a line within the record section or Anywhere in the record section. The record section options are only available when a record separator is defined within the transform.

When parsing an email with a separator defined, records are only created for sections with at least one piece of section-specific data. In this example, three records are created even though four sections are defined. The first section is a header, and it lacks anything specific to a single system. If any of the fields within the first section were filled in (System, IP, or Status), a record would be created for that section as well.

Create email parsers in Security Operations

Email Parsing creates records from your email for security, vulnerability, and observables, improving detection time to expedite threat response and remediation.

Role required: sn_sec_cmn.admin

1. Set up external detection tools to send emails to a central email address.
  a) Set the address in Email Properties. For more information, see Create Security Operations email properties on page 406.
  b) Assign a user account to this email address and give that user security access controls to create and update the email event records.
  c) Have a copy of the relevant email from your external detection tool in front of you.

409

  d) Decide what type of record you want to create: a security incident, vulnerability record, task, and so on. This determines the table you select.
2. Navigate to Security Operations > Email Parsing.
3. Click New.
4. Fill in the fields on the form, as appropriate.
   Note: If more than one field is specified, all fields must match the email to create a record.

Table 216: Email parser
  Name: The name of the email parser.
  Email is from: If filled in, only emails from this address are transformed by this parser.
  Email is to: If filled in, only emails sent to this address are transformed by this parser.
  Email subject contains: If filled in, only emails whose subject contains this phrase are transformed by this parser.
  Application: Name of the application.
  Destination table: The table where you want to create records.
  Duplication rule: Governs how to handle duplicate emails for any email this transform handles. For more information, see Email duplication rules on page 414.
  Order: The order in which the transforms are considered. The first matching transform is used. Typically, you set up the most specific parsers with the lower numbers and give catchall parsers higher Order numbers so they run if nothing else matches. Default is 100. When everything matches, the most specific parser (matching from, to, and subject) is used.
  Active: Whether this transform is active (in use) or not. If unchecked, no emails are transformed by this parser.
  Record Separator: When emails handled by this parser can create multiple records, this field contains the separator between the information for those records. See Security Operations email parsing on page 407 for more information.
  Description: Description of this parser: which tool it works with, the purpose, and so on.

   When you have completed your entries, right-click in the form header and select Save. A Field Transforms tab appears. This tab shows how individual fields within the destination table are set based on the email contents.


411

5. To add Field Transforms, perform these steps.
  a) In the Field Transforms tab, click New.
  b) Fill in the fields on the form, as appropriate.
    Field: Select the field to fill in with this value.
      Note: For choice fields, matches are made to existing choices using the underlying choice label or value. If no match is found, the field is set, but no new entry is added to the choice list. For more information, see Choice lists. For reference fields, an entry is set only when a value matching the display name of the record or a valid sys_id is found. For more information, see Reference fields.
    Email transform: The email transform this field transform belongs to.
    Destination table: Destination table of the email transform. It contains informational data from the transform.
    Search for value: Select the location in the email to search. Choices include: At the start of a line in the body; Anywhere in the body; In the subject line; Always the static value. When you have defined a Record Separator, two more options (Anywhere within the record section and At the start of a line within the record section) let you search only within the current section instead of the entire body (see Security Operations email parsing on page 407 for more information). Information in a header or footer that applies to all records is searched for in the entire body; information that differs between records is searched for only within the section.
    Value prefix: The text that always precedes the value to extract.
    Active: The default is checked. When checked, the field transform is activated. Uncheck this box to deactivate the field transform.

412

    Order: The order in which the field transforms run, from lowest to highest. A field transform with an order of 100 is attempted first. Only if that field transform fails to find a value will a field transform with a higher order (200) on the same field run.
    End of value: Select what indicates the end of the value. Choices include: End of line, End of email (brings in all remaining text in the email), or Until (stops when it finds the specified text).
    Value suffix: When End of value is set to Until, this field specifies the text that always follows the value placed in this field. For example, looking for a value that comes after "The affected computer is" and before "." parses out AB123 from "The demented bunny virus has been found. The affected computer is AB123. Estimated time of infection was 3:45PM" in an email.
  c) Click Submit.
   The new record is used to parse the information in the email into a new record.

Edit email records in Security Operations

Add or create email transforms in your existing email event records.

Role required: sn_sec_cmn.admin

1. Navigate to Security Operations > Email Parsing.
2. Click the email parser to edit. The following message may appear above the read-only record: "This record is in the Threat Intelligence application, but Security Incident is the current application. To edit this record, click here."
3. Click here. You are taken to the editable form of the email transform.
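The Record Separator example on page 408 and the Field Transform options above (Search for value scopes, Value prefix, Order, End of value, Value suffix) describe a small extraction engine. The following is an added example, not the product's email parser, that implements those rules over a constructed malware alert email: header data found in the whole body is copied into every record, section data is searched only inside each separator-delimited section, and a section without section-specific data produces no record. The email, the transform definitions, the field names, and the MD5 placeholder are all constructed for this demonstration.

```javascript
// Added example, not ServiceNow's Email Parsing implementation.
// The alert email, transforms and field names below are constructed; the hash is a placeholder.

const SEPARATOR = '=================';

const SAMPLE_EMAIL = {
  from: 'alerts@malware-detector.example',
  subject: 'Alert: Demented Bunny virus detected on 3 systems',
  body: [
    'Malware Name: Demented Bunny',
    'Malware Hash: MD5_PLACEHOLDER',
    'Type: Trojan',
    SEPARATOR,
    'System: AB123', 'IP: 10.0.0.5', 'Status: Infected. Quarantine pending',
    SEPARATOR,
    'System: AB124', 'IP: 10.0.0.6', 'Status: Cleaned.',
    SEPARATOR,
    'System: AB125', 'IP: 10.0.0.7', 'Status: Infected.',
  ].join('\n'),
};

// searchIn mirrors "Search for value"; end mirrors "End of value"; order mirrors "Order".
const TRANSFORMS = [
  { field: 'short_description', searchIn: 'subject',            prefix: 'Alert:',         end: 'end_of_line', order: 100 },
  { field: 'malware_name',      searchIn: 'body_line_start',    prefix: 'Malware Name:',  end: 'end_of_line', order: 100 },
  { field: 'malware_hash',      searchIn: 'body_anywhere',      prefix: 'Malware Hash:',  end: 'end_of_line', order: 100 },
  { field: 'malware_type',      searchIn: 'body_line_start',    prefix: 'Type:',          end: 'end_of_line', order: 100 },
  { field: 'system',            searchIn: 'section_line_start', prefix: 'System:',        end: 'end_of_line', order: 100 },
  { field: 'system',            searchIn: 'section_line_start', prefix: 'Host:',          end: 'end_of_line', order: 200 }, // fallback
  { field: 'ip',                searchIn: 'section_line_start', prefix: 'IP:',            end: 'end_of_line', order: 100 },
  { field: 'status',            searchIn: 'section_anywhere',   prefix: 'Status:',        end: 'until', suffix: '.', order: 100 },
  { field: 'category',          searchIn: 'static',             value: 'Malware',                             order: 100 },
];

// Locate the value prefix; with lineStart set, only an occurrence at the start of a line counts.
function findPrefix(text, prefix, lineStart) {
  let idx = text.indexOf(prefix);
  while (idx !== -1) {
    if (!lineStart || idx === 0 || text[idx - 1] === '\n') return idx;
    idx = text.indexOf(prefix, idx + 1);
  }
  return -1;
}

// Text between the prefix and the configured end marker, or null when not found.
function extractValue(text, t, lineStart) {
  const start = findPrefix(text, t.prefix, lineStart);
  if (start === -1) return null;
  const from = start + t.prefix.length;
  let to;
  if (t.end === 'end_of_email') {
    to = text.length;
  } else if (t.end === 'until') {
    to = text.indexOf(t.suffix, from);
    if (to === -1) return null;                    // suffix never appears: no value
  } else {
    to = text.indexOf('\n', from);
    if (to === -1) to = text.length;
  }
  const value = text.slice(from, to).trim();
  return value === '' ? null : value;
}

function runTransform(t, email, section) {
  switch (t.searchIn) {
    case 'static':             return t.value;
    case 'subject':            return extractValue(email.subject, t, false);
    case 'body_line_start':    return extractValue(email.body, t, true);
    case 'body_anywhere':      return extractValue(email.body, t, false);
    case 'section_line_start': return extractValue(section, t, true);
    case 'section_anywhere':   return extractValue(section, t, false);
    default: throw new Error('unknown search location: ' + t.searchIn);
  }
}

// One record per section that carries section-specific data; header/footer data is
// repeated in each. Without a separator the whole body is one section and always yields a record.
function parseEmail(email, transforms, separator) {
  const sections = separator ? email.body.split(separator) : [email.body];
  const ordered = transforms.slice().sort((a, b) => a.order - b.order);
  const records = [];
  for (const section of sections) {
    const record = {};
    let sectionSpecific = false;
    for (const t of ordered) {
      if (record[t.field] !== undefined) continue; // a lower-order transform already filled it
      const value = runTransform(t, email, section);
      if (value === null) continue;
      record[t.field] = value;
      if (t.searchIn.startsWith('section_')) sectionSpecific = true;
    }
    if (!separator || sectionSpecific) records.push(record);
  }
  return records;
}
```

Running parseEmail(SAMPLE_EMAIL, TRANSFORMS, SEPARATOR) yields three records, one per affected system, each carrying the malware name, hash and type from the header; the header section itself produces none because no section-scoped transform matches there.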


414

4. Edit fields as appropriate. To edit Field Transforms, click in the field and change as appropriate.
5. Click Update.

Email duplication rules

You can use Duplication Rules to handle duplicate email records for security, vulnerability, IoCs, and so on.

Duplication rules have two purposes: first, to prevent too many duplicate records from being created; second, when a duplicate is detected, to set which fields in the record are updated. Only active duplicates are looked for. If the record is not active, for instance if the incident has been closed, then any new identical problem is a new incident.

Create duplication rules in Security Operations

You can use Duplication Rules to identify new emails with active duplicate records and process them appropriately.

Role required: sn_sec_cmn.write

1. Navigate to Security Operations > Duplication Rules.
2. Click New.
3. Fill in the fields on the form, as appropriate:

Table 217: Duplication rule
  Name: The name of the duplication rule.
  Table: Table where records are created and used to determine duplication.
  Identifying fields: Select a set of fields that indicate a duplicate security incident, observable, vulnerability, and so on, when the values in these fields are identical.
  Application: Scope of the application.

415

  Duplicate action: Governs how to handle duplicate emails. Choices are:
    Create as child: Creates a record as a child of the original. The field linking the child to the parent is specified as Parent field.
    Do not create nor update records (default): Does nothing. Ignores duplicates.
    Update duplicate record: Updates the fields of the existing record specified in Duplication Actions.
    Note: If you choose Update duplicate record, the Duplication Actions related list appears.
  Active: Select this check box to activate the rule.
  Description: Describes the purpose and application of this duplication rule and when it should be used, such as a rule designed for an IP-based observable, or for security incidents from the firewall.
4. Right-click in the record header and select Save, or click Update.
5. To set duplication actions, if you have chosen Update duplicate record, click New to create a duplication action for each field you want to update in the incident.
6. Fill in or edit the fields on the form to describe how to update the field:

Table 218: Duplication actions
  Field: The name of the field to use for the duplication action.

416

  Action: The supported actions vary by the field type. Choices are:
    Update this field with the new value: Replaces the previous value in the existing record with this value.
    Append the new value to a comma separated list, if unique: Treats the value as an entry in a comma-separated list and adds the new data (if any) as a new entry in that list. If the data is already in the list, it is not added twice.
    Append the new value to this field: Appends the new value to the end of the existing text in the field.
    Add one to a counter field: Adds one to the numeric field.
    Set the field to today: Sets the field to the current date and time.
    Append to related list: Adds the related record with this value to the related list of the current record. Appears when there is a many-to-many table, with a column of the same type, linked to the table being updated. For example, Affected CI or Affected User.
  Relationship [Optional]: This field appears only when the Append to related list action is chosen. It is the name of the related list you want to associate with this rule.
  Duplication rule: Rule that this action is part of.
  Table: Table where records are created. Displayed as information only.
  Active: Select this check box to activate the action.

417

7. Click Submit.
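As an added example of the duplication rule behavior described in this section (identifying fields, active-only matching, the three duplicate actions, and the per-field duplication actions), the following code applies a rule to parsed alerts against an in-memory record store. It is not ServiceNow's duplication engine; the record ids, field names, sample incidents, and hash placeholder are constructed, and the assumption that a new value for a field comes from the same-named field of the parsed email is the example's own.

```javascript
// Added example, not the Security Operations duplication-rule implementation.
// Store records, alerts, ids and field names are constructed; HASH_A_PLACEHOLDER is not a real hash.

// Only active records can be duplicates; a closed incident never absorbs a new alert.
function isActiveDuplicate(rule, candidate, incoming) {
  return candidate.active === true &&
    rule.identifyingFields.every(f => candidate[f] === incoming[f]);
}

// Apply one duplication action to one field of the existing record.
// ASSUMPTION: the new value is taken from the same-named field of the parsed email.
function applyDuplicationAction(record, action, incoming, now) {
  const value = incoming[action.field];
  switch (action.action) {
    case 'update':                       // "Update this field with the new value"
      if (value !== undefined) record[action.field] = value;
      break;
    case 'append_csv_unique': {          // "Append the new value to a comma separated list, if unique"
      const list = record[action.field] ? String(record[action.field]).split(',') : [];
      if (value !== undefined && !list.includes(String(value))) list.push(String(value));
      record[action.field] = list.join(',');
      break;
    }
    case 'append':                       // "Append the new value to this field"
      if (value !== undefined) record[action.field] = record[action.field] ? record[action.field] + '\n' + value : String(value);
      break;
    case 'increment':                    // "Add one to a counter field"
      record[action.field] = (Number(record[action.field]) || 0) + 1;
      break;
    case 'set_today':                    // "Set the field to today"
      record[action.field] = now;
      break;
    case 'append_related': {             // "Append to related list" (many-to-many, e.g. Affected CIs)
      const rel = record[action.relationship] || (record[action.relationship] = []);
      if (value !== undefined && !rel.includes(value)) rel.push(value);
      break;
    }
    default:
      throw new Error('unsupported duplication action: ' + action.action);
  }
}

function nextId(store) { return 'SIR' + String(store.length + 1).padStart(4, '0'); }

// Route one parsed email record through the rule; returns what happened.
function processParsedRecord(rule, store, incoming, now) {
  const dup = store.find(r => isActiveDuplicate(rule, r, incoming));
  if (!dup) {
    const created = Object.assign({ id: nextId(store), active: true }, incoming);
    store.push(created);
    return { result: 'created', record: created };
  }
  switch (rule.duplicateAction) {
    case 'ignore':                       // "Do not create nor update records"
      return { result: 'ignored', record: dup };
    case 'create_child': {               // "Create as child"
      const child = Object.assign({ id: nextId(store), active: true }, incoming, { [rule.parentField]: dup.id });
      store.push(child);
      return { result: 'child_created', record: child };
    }
    case 'update':                       // "Update duplicate record"
      for (const a of rule.actions) applyDuplicationAction(dup, a, incoming, now);
      return { result: 'updated', record: dup };
    default:
      throw new Error('unsupported duplicate action: ' + rule.duplicateAction);
  }
}

const MALWARE_RULE = {
  table: 'sn_si_incident', identifyingFields: ['ip', 'malware_hash'],
  duplicateAction: 'update', parentField: 'parent',
  actions: [
    { field: 'status',         action: 'update' },
    { field: 'affected_hosts', action: 'append_csv_unique' },
    { field: 'work_notes',     action: 'append' },
    { field: 'alert_count',    action: 'increment' },
    { field: 'last_seen',      action: 'set_today' },
    { field: 'affected_ci',    action: 'append_related', relationship: 'affected_cis' },
  ],
};

function demo() {
  const store = [
    { id: 'SIR0001', active: true,  ip: '10.0.0.5', malware_hash: 'HASH_A_PLACEHOLDER', status: 'Infected',
      affected_hosts: 'AB123', work_notes: 'first alert', alert_count: 1, last_seen: '2018-05-01', affected_cis: ['AB123'] },
    { id: 'SIR0002', active: false, ip: '10.0.0.9', malware_hash: 'HASH_A_PLACEHOLDER', status: 'Closed' },
  ];
  const alerts = [
    { ip: '10.0.0.5', malware_hash: 'HASH_A_PLACEHOLDER', status: 'Quarantined', affected_hosts: 'AB124', affected_ci: 'AB124', work_notes: 'second alert' },
    { ip: '10.0.0.5', malware_hash: 'HASH_A_PLACEHOLDER', status: 'Quarantined', affected_hosts: 'AB124', affected_ci: 'AB124', work_notes: 'third alert' },
    { ip: '10.0.0.9', malware_hash: 'HASH_A_PLACEHOLDER', status: 'Infected',    affected_hosts: 'AB999', affected_ci: 'AB999' },
  ];
  const results = alerts.map(a => processParsedRecord(MALWARE_RULE, store, a, '2018-05-03').result);
  return { store, results };
}
```

In the demo the first two alerts collapse into SIR0001 (the host AB124 is listed once despite two alerts), while the third alert matches only the closed SIR0002 and therefore opens a new incident, which is the "only active duplicates are looked for" rule in practice.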


419

Unmatched email events

Email events that do not match any email parser have their "matched" flag unset. You can view these email event records in the Unmatched Emails list to reveal external detection systems whose emails are not yet parsed. As you create parsers, you can attempt to reprocess the email event (from the form or the list) to validate a new parser.

View and reprocess unmatched emails

You can review Unmatched Emails for discontinued filters or as candidates for a new filter to maintain or improve the rate at which you catch threats.

Role required: sn_sec_cmn.read

1. Navigate to Security Operations > Unmatched Emails. If any unmatched emails have been found, they are listed. The fields on the form are as follows:

Table 219: Security email events
  From: Email address of the sender.
  To: Email address of the recipients.
  Subject: Subject line in the email.
  Body: Contents of the body of the email.
  Matched: Indicates whether this email event was matched.

2. To reprocess an unmatched email, create an email record or edit an existing record to match the information in this email. See Create email parsers in Security Operations on page 408.
3. Navigate back to Security Operations > Unmatched Emails.
4. Click Reprocess Event to attempt to process this email. It returns you to the Unmatched Emails main list. If the new record matches, the email event is no longer in the list. A message indicates whether it was matched.

Security Operations user-defined escalation

You can create an escalation path for security incidents for issues requiring more attention or expertise. Once an escalation group exists, a button appears on any security incident in that group.

Create a user-defined escalation group

Escalate a security incident to any group associated with the incident using Escalations.

Role required: sn_si.admin

1. Navigate to Security Operations > Groups > Escalations.
2. Click New.
3. Fill in the fields on the form, as appropriate.

420

Table 220: Security request
  Number: Escalation incident number (auto-generated).
  Initial Group: Select the group this security incident belongs to.
  Escalation Group: Select the group to escalate the security incident to.

4. Click Submit.

An escalation group is available for all security incidents in the initial group. You can create multiple groups.

421

Create workflow triggers

Create a workflow trigger that contains a condition on a table.

Roles required:
  To read: sn_sec_cmn.read
  To create or update: sn_sec_cmn.write
  To delete: sn_sec_cmn.admin

Security Operations contains several workflow triggers in the base system:
  Configuration item changes on an active Security Incident: Uses integration to enrich CI-related data as configuration items change.
  Rescan vulnerable group: Rescans a vulnerable group, using the Scan vulnerability workflow on page 430, when you Close/Ignore the group.
  Rescan vulnerable item: Rescans a vulnerable item, using the Scan vulnerable item workflow on page 432, when you Close/Ignore the item.

1. Navigate to Security Operations > Utilities > Workflow Triggers.
2. Click New.

422

3. Fill in the fields on the form, as appropriate.

Table 221: Workflow Triggers
  Name: The name of the workflow trigger.
  Description: Enter a description for the workflow trigger.
  Table: The table containing the workflow trigger. If you selected the Use filter group check box and selected a filter group, this field defaults to the table associated with the selected filter group.
  Condition: Use the condition builder to define the criteria for the workflow trigger. If you selected the Use filter group check box and selected a filter group, the Condition fields are not displayed.
  Active: Select this check box to activate the workflow trigger.
  Use filter group: Select this check box to use a predefined filter group, or create a new filter group, to define the workflow trigger criteria.
  Filter group: Select the filter group to use for defining workflow triggers. This field appears only if the Use filter group check box is selected.

4. When you have completed your entries, right-click in the form header and select Save.


424

5. The Workflows tab appears. It contains workflows that are run when all filter conditions or filter group conditions are met. To add workflows, perform these steps.
  a) In the Workflows tab, click Edit.
  b) Use the condition builder, if needed, to locate the workflows you want to select, or use the slushbucket to select workflows and move them to the Workflows List.
  c) Click Save. The selected workflows are added.
6. Click Update.

Security Operations enrichment data mapping

Enrichment Data Mapping transforms data from XML, JSON, or Properties files to records. Security Operations workflows use enrichment data maps and provide output data to security incidents.

Security Operations includes several enrichment data maps, triggered by various workflows, for example, NetStatEnrichment and Running Processes - WMI Enrichment. Enrichment data map output from Security Operations workflows is displayed in the Enrichment Data tab on the security incident form. See Create an enrichment data map on page 424 for more information.

Create an enrichment data map

Transform data from JSON, XML, or Properties file format to records using enrichment data maps.

Role required: sn_sec_cmn.write

Existing enrichment data maps are used by workflows provided within Security Operations. You can view the list under Enrichment Data Mapping. To use a map, you need a trigger, either a business rule or a workflow.

1. Navigate to Security Operations > Utilities > Enrichment Data Mapping.
2. Click New.
3. Fill in the fields, as appropriate.

Table 222: Creating an enrichment data map
  Name: Name of this enrichment data map.
  Description: Description of the data map.
  Input format: Choose a format from the list: JSON (default), XML, Properties File format.

425

  Prefix key: Use to limit the input data set to a specified key. The root of the input data set is set to this key. In this example, if you entered file_info, the input values would be limited to those within file_info.

    <?xml version="1.0" encoding="utf-8"?>
    <malware>
      <version>2.0</version>
      <file_info>
        <malware>yes</malware>
        <sha1>24c e10451a53893fed3aa5d80bfb1f6</sha1>
        <filetype>pe</filetype>
        <sha256>be9bd e2d967feef8c8c5b8c4d73b621584fb11eb68434da1</sha256>
        <md5>ee8c91751b3010e38c479cf9ab09827a</md5>
        <size>546304</size>
      </file_info>
    </malware>

  Target table: Choose a table from the list.
  Active: When checked, this mapping is available for use.
4. Click Submit. The Enrichment Data Mapping Fields tab appears.
5. Click New.
6. Fill in the fields on the form, as appropriate.

Table 223: Enrichment data mapping fields
  Mapping: Name of the enrichment data map.
  Target table: The table the fields to map come from.
  Transform type: Choose from the list: Populate target field with field value; Populate target field with static value; Populate target field with static value plus field value; Field is an array or object (raw data nesting). Each choice has different entries. Target field values, arrays, and objects require a Property key.
  Property key: Determines the key for the input data search and the value written to the target field.
  Target field: Choose the field to write to from the list.
  Target Mapping: Used with the Field is an array or an object (raw data nesting) transform type. Choose an existing mapping or create another mapping. This target map becomes a child of the current map.
7. Click Submit.
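The following is an added example, not ServiceNow's enrichment data mapping code, showing how the settings in Tables 222 and 223 (Input format, Prefix key, the four transform types, and a child Target Mapping for nested arrays) act on sandbox-style file output. The input is a JSON document with the same shape as the XML sample above plus a constructed sections array; the table names, field names, and SHA256_PLACEHOLDER value are constructed. XML input is out of scope here; the example parses JSON and the Properties file format.

```javascript
// Added example, not the Security Operations enrichment data mapping implementation.
// Table names, field names, the JSON input and the hash placeholder are constructed.

// "Input format": JSON or Java-style key=value Properties; XML is not handled in this example.
function parseInput(format, text) {
  if (format === 'json') return JSON.parse(text);
  if (format === 'properties') {
    const obj = {};
    for (const raw of text.split('\n')) {
      const line = raw.trim();
      if (!line || line.startsWith('#')) continue;     // blank line or comment
      const eq = line.indexOf('=');
      if (eq === -1) continue;                          // malformed line: skipped
      obj[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
    }
    return obj;
  }
  throw new Error('unsupported input format: ' + format);
}

// Follow a dotted key such as "file_info.sha256" into nested input data.
function lookup(obj, key) {
  return key.split('.').reduce((cur, part) => (cur && typeof cur === 'object') ? cur[part] : undefined, obj);
}

// Apply a map { prefixKey?, targetTable, fields: [...] } to parsed input data.
// Returns { table, fields, children } or null when the prefix key is absent.
function applyMapping(mapping, data) {
  const root = mapping.prefixKey ? lookup(data, mapping.prefixKey) : data;
  if (root === undefined) return null;
  const record = { table: mapping.targetTable, fields: {}, children: [] };
  for (const f of mapping.fields) {
    switch (f.transform) {
      case 'field_value': {                // "Populate target field with field value"
        const v = lookup(root, f.propertyKey);
        if (v !== undefined) record.fields[f.targetField] = v;
        break;
      }
      case 'static_value':                 // "Populate target field with static value"
        record.fields[f.targetField] = f.staticValue;
        break;
      case 'static_plus_field': {          // "Populate target field with static value plus field value"
        const v = lookup(root, f.propertyKey);
        if (v !== undefined) record.fields[f.targetField] = f.staticValue + v;
        break;
      }
      case 'nested': {                     // "Field is an array or object (raw data nesting)"
        const v = lookup(root, f.propertyKey);
        const items = Array.isArray(v) ? v : (v === undefined ? [] : [v]);
        for (const item of items) {
          const child = applyMapping(f.targetMapping, item);   // child map, child record
          if (child) record.children.push(child);
        }
        break;
      }
      default:
        throw new Error('unknown transform type: ' + f.transform);
    }
  }
  return record;
}

// Child mapping for each PE section (constructed table and field names).
const SECTION_MAP = { targetTable: 'x_demo_file_section', fields: [
  { transform: 'field_value', propertyKey: 'name',    targetField: 'section_name' },
  { transform: 'field_value', propertyKey: 'entropy', targetField: 'entropy' },
] };

const FILE_MAP = { prefixKey: 'file_info', targetTable: 'x_demo_file_report', fields: [
  { transform: 'field_value',       propertyKey: 'sha256',   targetField: 'sha256' },
  { transform: 'field_value',       propertyKey: 'size',     targetField: 'file_size' },
  { transform: 'static_value',      staticValue: 'sandbox',  targetField: 'source' },
  { transform: 'static_plus_field', staticValue: 'File type: ', propertyKey: 'filetype', targetField: 'summary' },
  { transform: 'nested',            propertyKey: 'sections', targetMapping: SECTION_MAP },
] };

// Constructed sandbox output mirroring the XML sample's structure.
const SAMPLE_JSON = JSON.stringify({
  version: '2.0',
  file_info: { malware: 'yes', filetype: 'pe', size: 546304, sha256: 'SHA256_PLACEHOLDER',
               sections: [{ name: '.text', entropy: 6.1 }, { name: '.data', entropy: 3.2 }] },
});

function demo() { return applyMapping(FILE_MAP, parseInput('json', SAMPLE_JSON)); }
```

When the prefix key is missing from the input (for instance a sandbox error response without file_info), applyMapping returns null rather than writing an empty enrichment record, which keeps the Enrichment Data tab free of blank rows.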

426

The following is an example of an enrichment data map.
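As an added illustration, not the product's own code, the JavaScript below models how such a map is applied: the Prefix key, the four transform types of Table 223, and a nested Target Mapping are run against a constructed JSON input shaped like the XML example above (JSON is the default input format). The map object layout, the dotted property keys, the table names, the detections array, and the sample values are assumptions made for this example.

```javascript
// Added example, not ServiceNow code: a simplified model of how an enrichment
// data map (Tables 222 and 223) turns parsed JSON input into target-table
// records. Map and field property names mirror the form fields; the table
// names, the detections array and the sample input are constructed.

// Transform types, as listed in Table 223.
const TRANSFORM = {
  FIELD: 'Populate target field with field value',
  STATIC: 'Populate target field with static value',
  STATIC_PLUS_FIELD: 'Populate target field with static value plus field value',
  NESTED: 'Field is an array or object (raw data nesting)',
};

// Resolve a dotted property key such as "file_info.sha256" against an object
// (dotted keys are an assumption of this example).
function lookup(obj, key) {
  return key.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Apply one map to raw (already parsed) input. Returns the records that would
// be created on map.targetTable, each carrying the records its child maps
// produce, instead of inserting into tables.
function applyEnrichmentMap(map, raw) {
  // Prefix key: the root of the input data set becomes this key.
  const root = map.prefixKey ? lookup(raw, map.prefixKey) : raw;
  if (root === undefined) return [];   // prefix key absent from input: nothing to map
  const items = Array.isArray(root) ? root : [root];
  return items.map((item) => {
    const record = { table: map.targetTable, fields: {}, children: [] };
    for (const f of map.fields) {
      switch (f.transformType) {
        case TRANSFORM.FIELD:
          record.fields[f.targetField] = lookup(item, f.propertyKey);
          break;
        case TRANSFORM.STATIC:
          record.fields[f.targetField] = f.staticValue;
          break;
        case TRANSFORM.STATIC_PLUS_FIELD:
          record.fields[f.targetField] = f.staticValue + String(lookup(item, f.propertyKey));
          break;
        case TRANSFORM.NESTED:
          // The child map (Target Mapping) runs against the nested value.
          record.children.push(
            ...applyEnrichmentMap(f.targetMapping, lookup(item, f.propertyKey)));
          break;
        default:
          throw new Error('Unknown transform type: ' + f.transformType);
      }
    }
    return record;
  });
}

// Child map for a per-engine detections array (constructed table name).
const DETECTION_MAP = {
  name: 'Sandbox Detections', prefixKey: '', targetTable: 'x_sample_detection',
  fields: [
    { transformType: TRANSFORM.FIELD, propertyKey: 'engine', targetField: 'engine' },
    { transformType: TRANSFORM.FIELD, propertyKey: 'verdict', targetField: 'verdict' },
  ],
};

// Parent map limited to file_info, as in the Prefix key example of Table 222.
const FILE_INFO_MAP = {
  name: 'Sandbox File Info', prefixKey: 'file_info', targetTable: 'x_sample_file_info',
  fields: [
    { transformType: TRANSFORM.FIELD, propertyKey: 'sha256', targetField: 'sha256' },
    { transformType: TRANSFORM.FIELD, propertyKey: 'size', targetField: 'size' },
    { transformType: TRANSFORM.STATIC, staticValue: 'sandbox', targetField: 'source' },
    { transformType: TRANSFORM.STATIC_PLUS_FIELD, staticValue: 'File type: ',
      propertyKey: 'filetype', targetField: 'summary' },
    { transformType: TRANSFORM.NESTED, propertyKey: 'detections', targetMapping: DETECTION_MAP },
  ],
};

// Constructed sample input with the shape of the XML example (plus a
// detections array to show nesting). The sha256 is that of the empty file.
const SAMPLE_INPUT = {
  version: '2.0',
  file_info: {
    malware: 'yes',
    filetype: 'pe',
    sha256: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
    size: 546304,
    detections: [
      { engine: 'engine-a', verdict: 'malicious' },
      { engine: 'engine-b', verdict: 'clean' },
    ],
  },
};

const RECORDS = applyEnrichmentMap(FILE_INFO_MAP, SAMPLE_INPUT);
```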


428

Field mapping

Security Operations tables can be mapped to and from other tables, linking, for example, a security incident to a customer service case or to other parts of the system. For instance, you can integrate a plugin with a Security Incident Response task. Field mapping requires advanced technical knowledge of scripting and of creating triggers for the scripts (business rules, UI actions, workflows, and so on). Contact your Account Representative for more information.

Map tables to tables with field mapping

Field mapping provides finer granularity, so you can map a Security Operations table to any other table.

Role required: sn_sec_cmn.write

Note: Field mapping requires advanced technical knowledge of scripting and of creating triggers for the scripts (business rules, UI actions, workflows, and so on). Contact Professional Services for more information.

1. Navigate to Security Operations > Utilities > Field Mapping.
2. Click New.
3. Fill in the fields on the form, as appropriate.

Table 224: Field mapping

Name
    The name of the field map.
Description
    Description for the field map.
Source table
    The table that provides the data used to create a record in the Target table.
Target table
    The table where new records are created.
Active
    Select this check box to activate the mapping.
    Note: Only one mapping between a given pair of tables can be active at a time. If two maps contain the same tables, the older one is automatically deactivated.

4. Click Submit.
   The Field Mapping Fields tab appears.
5. Click New.
6. Fill in the fields on the form, as appropriate.

429

Table 225: Field mapping field

Transform type
    The type of transform used between source field data and target field data. Choose the transform type:
    - Populate target field with source field value. For example, map the State field to the Severity field.
      Note: Source and target field types must correspond to each other. For example, State is an integer, so it can only be mapped to other integer fields.
    - Add as a new line on the target field. For example, map assignment_group to work notes.
    - Static value. For example, map 215 to order.
    - Static value plus display field value. For example, map "Your domain is: " plus Domain to Domain.
Source table
    The table the mapping came from.
Source Field
    Choose the field to read from.
Application
    Identified scope.
Field Mapping
    Name of the field mapping file.
Target table
    The table where new records are created.
Target field
    Choose the field to write to.

7. Click Submit.

Search

You can find information quickly in any application using the search icon in the screen header. Zing is the text indexing and search engine that performs all text searches in your instance.

Role required: sn_si.read or higher

1. Click the search icon in the upper right-hand corner of the screen.
2. Type the criteria you want to search by, and press Enter.
   If you have the Security Incident Response plugin activated, the search criteria you entered return any matching short description text, CIs, IP addresses, or URLs in your security incidents, Security Incident Response tasks, or security requests. If you have the Vulnerability Response or Threat

430

Intelligence plugins activated, the search results include vulnerabilities, vulnerable items, vulnerable entries, observables, IoCs, and attack modes/methods.

Orchestration

Orchestration activities allow users to interact with and retrieve data from Windows or UNIX-based systems and environments using workflows. Orchestration saves time by eliminating manual processes and obtaining contextual information to remediate incidents.

The products have standard activity packs and workflows that are included and activated in each of the plugins. Purchase a full Orchestration license to create and access additional orchestration activities that are not available as a standard offering with the products.

Security Incident Response Orchestration workflows:
- Retrieve network statistics with the Get Network Statistics workflow on page 105
- Retrieve running processes with the Get Running Processes workflow on page 107
- Create IoC Lookup Request for IoC Changes workflow on page 104
- Get Threat Details and Delete workflow on page 109
- Return Details from Exchange workflow on page 114
- Return Total Emails Found in Exchange workflow on page 119
- Search and Delete Threat Emails workflow on page 124

Threat Intelligence Orchestration workflows:
- Threat Intelligence - Run IoC Lookup workflow on page 242
- Update security incident with lookup results workflow on page 434

Vulnerability Response Orchestration workflows:
- Scan vulnerability workflow on page 430
- Scan vulnerable item workflow on page 432

Orchestration workflows

Several workflows are included.

Scan vulnerability workflow

The Vulnerability Response > Scan Vulnerability workflow rescans a vulnerability group.

Role required: sn_si.admin

This workflow is triggered by Rescan vulnerable group during a Close/Ignore action.

Workflow process activities include:
- Create Scan Record for Vulnerabilities activity on page 195
- Log Message

431

1. Navigate to Vulnerability > Vulnerabilities > Vulnerability Groups.
2. Open a vulnerability group.
3. Click Close/Ignore.
4. Choose Closed for the Desired State.
5. Choose Fixed for the Substate.
6. Choose Wait for confirmation from the next scan for Close now?

432

For the vulnerability group and its vulnerable items, the State changes to Pending Confirmation, the Substate changes to Fixed, and a rescan runs.

Scan vulnerable item workflow

The Vulnerability Response > Scan Vulnerability Item workflow rescans a vulnerable item.

Role required: sn_si.admin

This workflow is triggered by Rescan vulnerability during a Close/Ignore action.

Workflow process activities include:
- Create Scan Record for Vulnerabilities activity on page 195
- Log Message

433

1. Navigate to Vulnerability > Vulnerabilities > Vulnerable Items.
2. Open a vulnerable item.
3. Click Close/Ignore.
4. Choose Closed for the Desired State.
5. Choose Fixed for the Substate.
   The State of the group changes to Pending Confirmation, the Substate changes to Fixed, and a rescan runs.

434

Update security incident with lookup results workflow

The Update security incident with lookup results workflow updates existing security incidents with lookup results.

Role required: sn_si.basic

This workflow is triggered by a business rule on the lookup table, which monitors when the Result field changes to Failed.

Workflow process activities include:
- Roll up lookup info to security incident activity on page 445
- Update Task Worknotes activity on page 444

Orchestration activities

Many activities are included for use in workflows.

Create Enrichment Data records activity

This workflow activity stores workflow output data in a table. The Create Enrichment Data records workflow activity can be used with any workflow to store workflow output data. It creates records on the sn_si_enrichment table.

Input variables

Input variables determine the initial behavior of the activity.

435

Table 226: Input variables

task_id [string]
    The task identifier (task_id) of a configuration item record.
content [string]
    The raw data coming back from running workflows, as a JSON-formatted string. This JSON string is used to populate this record and the related table (sn_si_enrichment_data) records.
type [string]
    Values can be either process or netstat.
ci [string]
    Configuration item.

Output variables

The output variables contain data that can be used in subsequent activities.

Table 227: Output variables

result [string]
    JSON-formatted data that is parsed and stored in name/value pairs.
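An added model of the activity's contract (not ServiceNow code): it validates the input variables of Table 226, parses content, and returns the parent record plus the name/value pairs that the result output variable describes, instead of inserting into the tables. The field names of the returned records, the dotted naming of nested keys, and the sample netstat content are assumptions made for this example.

```javascript
// Added example, not ServiceNow code: a model of what the Create Enrichment
// Data records activity (Tables 226 and 227) does with its input variables.
// The activity stores a parent record (sn_si_enrichment) and the parsed
// content as name/value pairs (sn_si_enrichment_data). The flattening rule
// for nested JSON, the record field names and the returned shape are assumptions.

const ENRICHMENT_TYPES = ['process', 'netstat'];   // allowed values of "type"

// Flatten nested JSON into name/value pairs; array indexes and nested keys
// are joined with dots so that each leaf value gets a unique name.
function toNameValuePairs(value, prefix, out) {
  if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      toNameValuePairs(v, prefix ? prefix + '.' + k : k, out);
    }
  } else {
    out.push({ name: prefix, value: value === null ? '' : String(value) });
  }
  return out;
}

// Validate the inputs, parse content, and return the parent record, the child
// rows and the "result" output variable.
function createEnrichmentData(inputs) {
  const { task_id, content, type, ci } = inputs;
  if (!task_id) throw new Error('task_id is required');
  if (!ENRICHMENT_TYPES.includes(type)) {
    throw new Error('type must be one of: ' + ENRICHMENT_TYPES.join(', '));
  }
  let parsed;
  try {
    parsed = JSON.parse(content);            // content is a JSON-formatted string
  } catch (e) {
    throw new Error('content is not valid JSON: ' + e.message);
  }
  const pairs = toNameValuePairs(parsed, '', []);
  return {
    enrichment: { table: 'sn_si_enrichment', task: task_id, type: type, ci: ci },
    data: pairs.map((p) => ({ table: 'sn_si_enrichment_data', name: p.name, value: p.value })),
    result: JSON.stringify(pairs),           // output variable "result" (Table 227)
  };
}

// Constructed sample: netstat-style output as a workflow might return it.
const SAMPLE_CONTENT = JSON.stringify({
  connections: [
    { proto: 'tcp', local: '10.0.0.5:443', remote: '203.0.113.7:51022', state: 'ESTABLISHED' },
    { proto: 'tcp', local: '10.0.0.5:22', remote: '0.0.0.0:0', state: 'LISTEN' },
  ],
});

const RESULT = createEnrichmentData({
  task_id: 'SIR0010001',   // constructed security incident number
  content: SAMPLE_CONTENT,
  type: 'netstat',
  ci: 'web-server-01',     // constructed configuration item name
});
```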


More information

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE

Deploying VMware Workspace ONE Intelligent Hub. October 2018 VMware Workspace ONE Deploying VMware Workspace ONE Intelligent Hub October 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

12d Synergy V4 Release Notes. 12d Synergy V4 Release Notes. Prerequisites. Upgrade Path. Check Outs. Scripts. Workspaces

12d Synergy V4 Release Notes. 12d Synergy V4 Release Notes. Prerequisites. Upgrade Path. Check Outs. Scripts. Workspaces 12d Synergy V4 Release Notes V4 contains a large number of features. Many of these features are listed in this document, but this list may not be exhaustive. This document also contains pre-requisites

More information

Managing System Administration Settings

Managing System Administration Settings This chapter contains the following sections: Setting up the Outgoing Mail Server, page 2 Working with Email Templates, page 2 Configuring System Parameters (Optional), page 5 Updating the License, page

More information

Managed Security Services - Automated Analysis, Threat Analyst Monitoring and Notification

Managed Security Services - Automated Analysis, Threat Analyst Monitoring and Notification Service Description Managed Security Services - Automated Analysis, Threat Analyst Monitoring and Notification The services described herein are governed by the terms and conditions of the agreement specified

More information

Oracle. Service Cloud Knowledge Advanced User Guide

Oracle. Service Cloud Knowledge Advanced User Guide Oracle Service Cloud Release May 2017 Oracle Service Cloud Part Number: E84078-03 Copyright 2015, 2016, 2017, Oracle and/or its affiliates. All rights reserved Authors: The Knowledge Information Development

More information

VMware AirWatch Integration with Palo Alto Networks WildFire Integrate your application reputation service with AirWatch

VMware AirWatch Integration with Palo Alto Networks WildFire Integrate your application reputation service with AirWatch VMware AirWatch Integration with Palo Alto Networks WildFire Integrate your application reputation service with AirWatch Multiple AirWatch versions Have documentation feedback? Submit a Documentation Feedback

More information

What's Different in Backup Exec 2012

What's Different in Backup Exec 2012 What's Different in Backup Exec 2012 What's different in Backup Exec 2012 This document includes the following topics: Changes to the user interface for Backup Exec 2012 Changes to terminology for Backup

More information

User Manual. ARK for SharePoint-2007

User Manual. ARK for SharePoint-2007 User Manual ARK for SharePoint-2007 Table of Contents 1 About ARKSP (Admin Report Kit for SharePoint) 1 1.1 About ARKSP 1 1.2 Who can use ARKSP? 1 1.3 System Requirements 2 1.4 How to activate the software?

More information

One Identity Manager 8.0. IT Shop Administration Guide

One Identity Manager 8.0. IT Shop Administration Guide One Identity Manager 8.0 IT Shop Administration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in

More information

HOTDOCS DOCUMENT SERVICES

HOTDOCS DOCUMENT SERVICES HotDocs Document Services ~ February 2012 Page 1 HOTDOCS DOCUMENT SERVICES Getting Started in the Cloud AT A GLANCE Sign up for HotDocs Document Services Receive contract order confirmation email Install

More information

TABLE OF CONTENTS DOCUMENT HISTORY

TABLE OF CONTENTS DOCUMENT HISTORY TABLE OF CONTENTS DOCUMENT HISTORY 4 UPDATE 18B 4 Revision History 4 Overview 5 Feature Summary 6 Application Security 9 Link Standalone User Accounts to Person Records on the Create User Page 9 Securing

More information

System Administration

System Administration N System Administration Training Guide service-now.com training TABLE OF CONTENTS TRAINING MANUAL...5 CLASS INSTANCE INFORMATION... 5 MODULE 1 INTRO TO SERVICE-NOW.COM...6 LOG ONTO SERVICE-NOW.COM... 6

More information

Dynamics 365 for BPO Dynamics 365 for BPO

Dynamics 365 for BPO Dynamics 365 for BPO Dynamics 365 for BPO The Solution is designed to address most of the day to day process functionalities in case management of D365 MICROSOFT LABS 1 Table of Contents 1. Overview... 4 2. How to Verify the

More information

Microsoft Windows SharePoint Services

Microsoft Windows SharePoint Services Microsoft Windows SharePoint Services SITE ADMIN USER TRAINING 1 Introduction What is Microsoft Windows SharePoint Services? Windows SharePoint Services (referred to generically as SharePoint) is a tool

More information

Policy Manager in Compliance 360 Version 2018

Policy Manager in Compliance 360 Version 2018 Policy Manager in Compliance 360 Version 2018 Policy Manager Overview 3 Create a Policy 4 Relate a Policy to Other Policies, Departments, and Incidents 8 Edit a Policy 10 Edit a Policy by Using the Edit

More information

Zip Code Locator Software Hosted Solution

Zip Code Locator Software Hosted Solution Zip Code Locator Software Hosted Solution USER S GUIDE / Documentation www.geosprawl.com Document Version Control Version Date Change Description 1.0 12/17/2008 Created 2008Reachoutside, LLC. Do not copy

More information

Reporter User Guide RapidFire Tools, Inc. All rights reserved Ver 4T

Reporter User Guide RapidFire Tools, Inc. All rights reserved Ver 4T Reporter User Guide 2017 RapidFire Tools, Inc. All rights reserved 20171102 Ver 4T Contents Overview... 3 Components of the Reporter... 3 Reporter Appliance... 3 Network Detective Application... 3 Diagnostic

More information

Interstage Business Process Manager Analytics V12.1 Studio Guide

Interstage Business Process Manager Analytics V12.1 Studio Guide Interstage Business Process Manager Analytics V12.1 Studio Guide Solaris April 2013 Studio Guide Trademarks Trademarks of other companies are used in this documentation only to identify particular products

More information

Basic Service Request Management. BMC Remedyforce Winter 11

Basic Service Request Management. BMC Remedyforce Winter 11 Winter 11 Virginia Leandro 01 March 2012 Table of Contents Service Request Management 3 Preparation 4 Accounts (Vendors and Service Providers) 5 Users/Profiles 6 Business Hours (Service Hours) 7 Default

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.1.0 Table of Contents About this Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information