ThreatConnect and ServiceNow: More Integrations for Better Context

We’re strengthening our partnership with ServiceNow® by offering more robust integrations with the ServiceNow Orchestration and ServiceNow Security Operations products, as well as launching a new Playbook App for managing table records across all ServiceNow products.

With this update, we’ve added three types of integrations to the ServiceNow and ThreatConnect Platforms, each with its own specific capabilities. Let’s dive into each.

ThreatConnect Activity Pack for ServiceNow Orchestration

The ThreatConnect Activity Pack for ServiceNow Orchestration provides a set of activities that can be leveraged from ServiceNow Orchestration workflows to interact bidirectionally with ThreatConnect’s API and Playbooks. These activities provide a broad set of functionality that can be used for automating processes associated with security operations and incident response. Think of them as predetermined automation actions that allow ServiceNow analysts like you to interact with ThreatConnect in a variety of ways:

  • Create ThreatConnect Incident – This activity creates an Incident in ThreatConnect
  • Create ThreatConnect Indicator – This activity creates an Indicator in ThreatConnect
  • Get ThreatConnect Incident – This activity retrieves an Incident from ThreatConnect
  • Get ThreatConnect Indicator – This activity retrieves an Indicator from ThreatConnect
  • Filter ThreatConnect Indicators – This activity retrieves multiple Indicators from ThreatConnect
  • ThreatConnect API Client – This activity provides general-purpose access to the ThreatConnect API
  • Run ThreatConnect Playbook – This activity triggers a ThreatConnect Playbook with an HttpLink Trigger

Now, you are able to look up intelligence in ThreatConnect and use the results in ServiceNow Orchestration workflows. You can also create ThreatConnect tasks and incidents from ServiceNow and share ServiceNow Incidents and Observables back to ThreatConnect to generate new intelligence, which enables a feedback loop.

For those of you focused on tasks related to security operations or incident response, you are now able to trigger a Playbook in ThreatConnect from a ServiceNow workflow. Then you can use the results to make further decisions in ServiceNow or update the incident for review, ultimately increasing confidence in automated decisions by leveraging ThreatConnect’s intelligence collection as part of containment and response actions.

ThreatConnect App for ServiceNow Security Operations

The ThreatConnect App for ServiceNow Security Operations provides Threat Lookup and Observable Enrichment capabilities against ThreatConnect intelligence and analytics collections. These features give those of you working inside ServiceNow the information you need to get relevant and actionable insights from intelligence sources within the ThreatConnect Platform. The app allows you to enrich observables, which provides detailed context from ThreatConnect in an enrichment table. It also allows you to perform Threat Lookups and produces malicious or unknown ratings automatically.

This means that you can operationalize intelligence from the ThreatConnect Platform in other parts of the security organization and provide the information needed to get relevant and actionable insights from intelligence sources within the ThreatConnect Platform.

ServiceNow Playbook App for ThreatConnect

In addition to the added capabilities that can be leveraged from the ServiceNow Platform’s UI, we’ve also updated the ServiceNow Playbook App for ThreatConnect. Directly from ThreatConnect, you’re provided with a set of actions to work with ServiceNow table records and attachments. These actions provide the key building blocks for automating processes between ThreatConnect and ServiceNow.

The following actions are available:

  • List Table Records
  • Get Table Records
  • Create Table Records
  • Update Table Records
  • Add Attachment

This means that you can now manage any ServiceNow table record — built-in or custom — as part of a ThreatConnect Playbook. Security processes vary greatly from organization to organization and even team to team. It was important to match the flexibility of ServiceNow with our Playbook app so that you can automate nearly any process that interacts with ServiceNow from within ThreatConnect.

If you have any questions, please reach out to us at sales@threatconnect.com. Current customers can contact their Customer Success Engineer for any questions.

About the Author
Jeff Quist

Jeff Quist, Product Marketing Manager at ThreatConnect, has 8 years of experience in Sales, Marketing, Product Management, and Product Marketing, mainly in technology and financial services. His professional experience and empathy for customers and partners help him to develop engaging marketing content and empower sales teams. Originally from Massachusetts, Jeff recently moved to Washington DC after spending 7 years in New York City. In his free time, Jeff enjoys sketching, reading Science Fiction novels, and supporting the Boston Bruins.