The ServiceNow Integration for Threat Escalation is available to enterprise accounts using Intezer Autonomous SOC.
To enhance incident response capabilities, Intezer offers integration with ServiceNow, a leading IT service management platform. This integration enables organizations to set up a robust workflow for threat escalation, facilitating faster incident resolution and improved security posture.
Example incident created by the integration:
Technical Overview
Intezer will send alert data to ServiceNow via a dedicated Scripted REST API that will store the alert data in a dedicated table for Intezer's alerts. A Transform Map will map records from Intezer's alerts table into the Incidents or Security Incidents tables.
This approach lets you customize and adjust the new incident records according to your organization's needs and policies.
Create the integration components in ServiceNow
The following instructions describe how to create the required components in ServiceNow for the integration.
Notice: Unless specified otherwise, set fields that are not explicitly mentioned according to your organization's policy.
- Create Intezer's alerts table
- Create a user
- Create a Scripted REST API
- Create a Transform Map
- Test the integration
- Send integration details to Intezer
Create Intezer's alerts table
- Go to System definition > Tables and click New
- Set the following information:
Label: Intezer Alerts
Name: u_intezer_alerts
Extends table: Import Set Row
- Go to the Columns tab and double-click Insert a new row...
- Set the following information:
Column label: alert
Type: String
Max length: 100000
- Go to the Application Access tab and select the following options:
- Can read
- Can create
- Allow access to this table via web services
- Click on Submit
- To verify that the table was created, go back to System definition > Tables and search for the Intezer Alerts table (by Label)
Create a user
- Go to System Security > Users and Groups > Users and click New
- Set the following information:
User ID: intezer
First name: Intezer
Active (Checkbox): True
Web service access only (Checkbox): True
- Click Submit
- Open the created user properties
- Click on Set Password
- Generate a password and click Save Password
- 💡 Store the password in a secure location; you will need it in a later step
- Go to the Roles tab and click Edit
- Add the u_intezer_alerts_user role and click Save
- Click on Update in the user properties page
Create a Scripted REST API
- Go to System Web Services > Scripted Web Services > Scripted REST APIs and click New
- Set the following information:
Name: Intezer
API ID: intezer
- Click Submit
- Open the created API
- Go to the Resources tab and click New
- Set the following information:
Name: Alerts
Active (Checkbox): True
HTTP method: POST
Relative path: /alerts
Script:
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
  var result = new global.JSON();
  // Store the raw webhook body as a JSON string in the import set table;
  // the Transform Map parses it when it maps the row into an incident
  var alerts = new GlideRecord("u_intezer_alerts");
  alerts.initialize();
  alerts.newRecord();
  alerts.setValue('u_alert', JSON.stringify(request.body.data));
  // insert() returns the sys_id of the new row, or null if the insert failed
  var insert_result = alerts.insert();
  result['insert_result'] = insert_result;
  return result;
})(request, response);
- Set the following information in the Security section:
Required authentication (Checkbox): True
Requires ACL authorization (Checkbox): True
ACLs: Scripted REST External Default
Create a Transform Map
Notice: This section provides an example of a Transform Map that maps Intezer's alerts into the Incident table. You may implement the Transform Map differently according to your organization's needs.
- Go to System Import Sets > Administration > Transform Maps and click New
- Set the following information:
Name: Intezer Alerts
Source table: Intezer Alert [u_intezer_alerts]
Target table: Incident [incident]
Active (Checkbox): True
- Click Submit
- Open the created Transform Map and go to the Field Maps
- Click New, set Choice action to ignore, set the Source field and Target field, then click Submit:
Source field: Created by
Target field: Caller
- For each of the following fields, set Choice action to ignore (when applicable), set the Use source script checkbox, set the Source script and Target field, then click Submit:
Target field: Category
Source script:
answer = (function transformEntry(source) {
  // Could be adjusted to the organization's needs
  return "Inquiry / Help";
})(source);

Target field: State
Source script:
answer = (function transformEntry(source) {
  return "New";
})(source);

Target field: Urgency
Source script:
answer = (function transformEntry(source) {
  // Could be adjusted to the organization's needs
  var parser = new JSONParser();
  var alert = parser.parse(source.getElement("u_alert"));
  // The risk category is nested under triage_result in the webhook payload
  if (alert.triage_result.risk_category == "critical") {
    return 1; // high
  }
  else {
    return 2; // medium
  }
})(source);

Target field: Impact
Source script:
answer = (function transformEntry(source) {
  // Could be adjusted to the organization's needs
  return 1; // high
})(source);

Target field: Short description
Source script:
answer = (function transformEntry(source) {
  var parser = new JSONParser();
  var alert = parser.parse(source.getElement("u_alert"));
  // Could be adjusted to the organization's needs
  // Not every alert source reports a device, so guard before reading the hostname
  var device = alert.alert.device;
  return "Escalated alert" + ((device && device.hostname) ? (" on " + device.hostname) : "");
})(source);

Target field: Description
Source script:
answer = (function transformEntry(source) {
  var parser = new JSONParser();
  var alert = parser.parse(source.getElement("u_alert"));
  // Missing values render as "N/A"; arrays are joined into one line
  function optional(value) {
    return value ? (Array.isArray(value) ? value.join(", ") : value) : "N/A";
  }
  function desc_item(key, value) {
    return key + ": " + optional(value);
  }
  // Could be adjusted to the organization's needs
  var description = [desc_item("Intezer alert URL", alert.intezer_alert_url),
    desc_item("Alert ID", alert.alert.alert_id),
    desc_item("Alert title", alert.alert.alert_title),
    desc_item("Alert source", alert.source_display),
    desc_item("Source alert URL", alert.alert.alert_url),
    desc_item("Alert verdict", alert.triage_result.alert_verdict_display),
    desc_item("Risk category", alert.triage_result.risk_category_display),
    desc_item("Alert creation time", alert.alert.creation_time_display)];
  if (alert.alert.device) {
    description.push(desc_item("Hostname", alert.alert.device.hostname),
      desc_item("OS name", alert.alert.device.os_name),
      desc_item("OS type", alert.alert.device.os_type),
      desc_item("Device ID", alert.alert.device.id));
  }
  description.push(desc_item("Response status", alert.response.status_display),
    desc_item("Mitigation status", alert.alert.mitigation_status_display),
    desc_item("User recommended actions", alert.response.user_recommended_actions_display),
    desc_item("Alert descriptions", alert.alert.descriptions),
    desc_item("Site", alert.alert.site_name),
    desc_item("External account name", alert.alert.external_account_name),
    desc_item("External severity", alert.alert.severity_display));
  return description.join("\n");
})(source);
- For the following field, set the Use source script checkbox, set the Coalesce checkbox, set the Source script and Target field, then click Submit:
Target field: Correlation ID
Source script:
answer = (function transformEntry(source) {
  var parser = new JSONParser();
  var alert = parser.parse(source.getElement("u_alert"));
  // Coalesce key: re-sending the same alert updates the existing incident
  return "intezer_alert:" + alert.alert.alert_id;
})(source);
- If a popup message is displayed, with a title "Coalesce field not indexed", click OK
- If the popup message is not displayed, verify that the field is indexed by clicking the Index Coalesce Fields link under the Intezer Alerts Transform Map (in the Related Links section)
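The Transform Map field scripts above, re-implemented as plain JavaScript functions so their logic (urgency, short description, coalesce key, description body) can be checked offline against a webhook payload before deploying the map to the instance. This is an added example, not code from the Intezer docs or from ServiceNow; the row objects, the function names and the two constructed payloads are assumptions.

```javascript
// Added example (not from the Intezer docs or ServiceNow): the Transform Map source
// scripts as plain functions, checkable offline against a webhook payload. A "row"
// stands in for a u_intezer_alerts record; u_alert is the stored JSON string.
function parseAlert(row) {
  return JSON.parse(row.u_alert);
}
// Urgency: 1 (high) for a critical risk category, otherwise 2 (medium).
function urgency(row) {
  return parseAlert(row).triage_result.risk_category === "critical" ? 1 : 2;
}
// Short description; tolerates alert sources that report no device object.
function shortDescription(row) {
  var dev = parseAlert(row).alert.device;
  return "Escalated alert" + (dev && dev.hostname ? " on " + dev.hostname : "");
}
// Coalesce key: re-sending the same alert updates the incident instead of duplicating it.
function correlationId(row) {
  return "intezer_alert:" + parseAlert(row).alert.alert_id;
}
// Missing, null or empty values render as "N/A"; arrays are joined.
function optional(value) {
  if (Array.isArray(value)) return value.length ? value.join(", ") : "N/A";
  return value === undefined || value === null || value === "" ? "N/A" : String(value);
}
// Description body: one "key: value" line per field (a subset of the doc's list).
function description(row) {
  var a = parseAlert(row);
  var lines = [
    "Intezer alert URL: " + optional(a.intezer_alert_url),
    "Alert ID: " + optional(a.alert.alert_id),
    "Alert verdict: " + optional(a.triage_result.alert_verdict_display),
    "Risk category: " + optional(a.triage_result.risk_category_display)
  ];
  if (a.alert.device) lines.push("Hostname: " + optional(a.alert.device.hostname));
  lines.push("Alert descriptions: " + optional(a.alert.descriptions));
  return lines.join("\n");
}
// Constructed sample rows: a critical alert with a device, and a medium-risk alert
// whose source reported no device and no verdict text.
const CRITICAL_ROW = { u_alert: JSON.stringify({
  intezer_alert_url: "https://analyze.intezer.com/alerts/1712212302503451234",
  alert: { alert_id: "1712212302503451234", device: { hostname: "my-pc-2" },
           descriptions: ["The majority of sections in this PE have high entropy"] },
  triage_result: { risk_category: "critical", risk_category_display: "Critical",
                   alert_verdict_display: "Confirmed Threat" } }) };
const NO_DEVICE_ROW = { u_alert: JSON.stringify({
  intezer_alert_url: "https://analyze.intezer.com/alerts/42",
  alert: { alert_id: "42", descriptions: [] },
  triage_result: { risk_category: "medium", risk_category_display: "Medium" } }) };
```

Run the same functions over a payload captured from the API docs to confirm the map produces the incident fields you expect before pointing Intezer at the instance.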
Test the integration
Example Webhook request body
💡 Learn more about the available fields in the API docs
{
  "intezer_alert_url": "https://analyze.intezer.com/alerts/1712212302503451234",
  "source": "my_source",
  "source_display": "My Source",
  "alert": {
    "alert_id": "1712212302503451234",
    "alert_url": "https://myenv.myedr.com",
    "alert_title": "wannacry.exe",
    "device": {
      "hostname": "my-pc-2",
      "os_name": "Windows 11",
      "os_type": "windows",
      "id": "1628421234056811234"
    },
    "severity": "medium",
    "severity_display": "Medium",
    "mitigation_status_display": "Not Mitigated",
    "descriptions": ["The majority of sections in this PE have high entropy, a sign of obfuscation or packing",
      "This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8)"],
    "creation_time_display": "19 Jun 23 | 21:53",
    "site_name": "Acme HQ",
    "external_account_name": "myaccountname"
  },
  "triage_result": {
    "risk_category": "critical",
    "risk_category_display": "Critical",
    "alert_verdict": "confirmed_threat",
    "alert_verdict_display": "Confirmed Threat",
    "families": [{"familiy_name": "Wannacry",
      "family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9"}],
    "family_id": "1234",
    "risk_score": 20,
    "risk_level": "critical",
    "threat_name": "Wannacry"
  },
  "response": {
    "status": "escalated",
    "status_display": "Escalated",
    "user_recommended_actions": [{
      "action_context": {
        "process_id": 4321
      },
      "action_name": "Kill Process",
      "action_key": "kill_process"
    }],
    "user_recommended_actions_display": "Kill Process"
  }
}
Code samples
Python
import requests

# Replace the URL with the Scripted REST API created in your ServiceNow instance
# (API_NAMESPACE is the instance's API namespace; "intezer" is the API ID set above)
url = 'https://SERVICE-NOW-INSTANCE.service-now.com/api/API_NAMESPACE/intezer/alerts'
# Test with the intezer user to make sure it has the proper permissions
user = 'intezer'
pwd = 'password for intezer user'
alert = {
    "intezer_alert_url": "https://analyze.intezer.com/alerts/1712212302503451234",
    "source": "my_source",
    "source_display": "My Source",
    "alert": {
        "alert_id": "1712212302503451234",
        "alert_url": "https://myenv.myedr.com",
        "alert_title": "wannacry.exe",
        "device": {
            "hostname": "my-pc-2",
            "os_name": "Windows 11",
            "os_type": "windows",
            "id": "1628421234056811234"
        },
        "severity": "medium",
        "severity_display": "Medium",
        "mitigation_status_display": "Not Mitigated",
        "descriptions": ["The majority of sections in this PE have high entropy, a sign of obfuscation or packing",
                         "This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8)"],
        "creation_time_display": "19 Jun 23 | 21:53",
        "site_name": "Acme HQ",
        "external_account_name": "myaccountname"
    },
    "triage_result": {
        "risk_category": "critical",
        "risk_category_display": "Critical",
        "alert_verdict": "confirmed_threat",
        "alert_verdict_display": "Confirmed Threat",
        "families": [{"familiy_name": "Wannacry",
                      "family_id": "0b13c0d4-7779-4c06-98fa-4d33ca98f8a9"}],
        "family_id": "1234",
        "risk_score": 20,
        "risk_level": "critical",
        "threat_name": "Wannacry"
    },
    "response": {
        "status": "escalated",
        "status_display": "Escalated",
        "user_recommended_actions": [{
            "action_context": {
                "process_id": 4321
            },
            "action_name": "Kill Process",
            "action_key": "kill_process"
        }],
        "user_recommended_actions_display": "Kill Process"
    }
}
response = requests.post(url,
                         auth=(user, pwd),
                         json=alert)
if response.status_code != 200:
    print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:', response.text)
    raise SystemExit(1)
# Decode the JSON response into a dictionary and use the data
# (the Scripted REST API returns the sys_id of the inserted row as insert_result)
data = response.json()
print(data)
cURL
# API_NAMESPACE is the instance's API namespace; "intezer" is the API ID set above
curl "https://SERVICE-NOW-INSTANCE.service-now.com/api/API_NAMESPACE/intezer/alerts" \
  --request POST \
  --header "Accept:application/json" \
  --header "Content-Type:application/json" \
--data "{ \"intezer_alert_url\": \"https://analyze.intezer.com/alerts/1712212302503451234\", \"source\": \"my_source\", \"source_display\": \"My Source\", \"alert\": { \"alert_id\": \"1712212302503451234\", \"alert_url\": \"https://myenv.myedr.com\", \"alert_title\": \"wannacry.exe\", \"device\": { \"hostname\": \"my-pc-2\", \"os_name\": \"Windows 11\", \"os_type\": \"windows\", \"id\": \"1628421234056811234\" }, \"severity\": \"medium\", \"severity_display\": \"Medium\", \"mitigation_status_display\": \"Not Mitigated\", \"descriptions\": [\"The majority of sections in this PE have high entropy, a sign of obfuscation or packing\", \"This binary may contain encrypted or compressed data as measured by high entropy of the sections (greater than 6.8)\"], \"creation_time_display\": \"19 Jun 23 | 21:53\", \"site_name\": \"Acme HQ\", \"external_account_name\": \"myaccountname\" }, \"triage_result\": { \"risk_category\": \"critical\", \"risk_category_display\": \"Critical\", \"alert_verdict\": \"confirmed_threat\", \"alert_verdict_display\": \"Confirmed Threat\", \"families\": [{\"familiy_name\": \"Wannacry\", \"family_id\": \"0b13c0d4-7779-4c06-98fa-4d33ca98f8a9\"}], \"family_id\": \"1234\", \"risk_score\": 20, \"risk_level\": \"critical\", \"threat_name\": \"Wannacry\" }, \"response\": { \"status\": \"escalated\", \"status_display\": \"Escalated\", \"user_recommended_actions\": [{ \"action_context\": { \"process_id\": 4321 }, \"action_name\": \"Kill Process\", \"action_key\": \"kill_process\" }], \"user_recommended_actions_display\": \"Kill Process\" } }" \
--user 'intezer':'intezer user password'
Send integration details to Intezer
Send the following details to support@intezer.com so that we can activate the Webhook requests:
- ServiceNow Instance
- Example: https://dev123456.service-now.com/
- Resource path of the Alerts resource created in Scripted REST API
- Password for the Intezer user created in Create a user
- Notice: Use a secure method to share the password, for example a service like https://yopass.se/