NJP

Using flow designer to build custom REST API Threat Intel enrichments (Example Cisco ThreatGrid Domain lookup)

Import · Jun 25, 2019 · article

In this article I will walk through an example showing how Flow Designer subflows can be used to create custom REST API threat intel enrichments and execute them from a UI Action button.

The end goal of this configuration is to have a ThreatGrid Lookup UI action button on the Security Incident form which:

  1. Finds the observables of type URL or Domain related to the incident;
  2. Looks each of them up in ThreatGrid;
  3. Parses the results back into the Threat Lookup Results table.

The configuration of this example includes the following building blocks:

  1. Flow Designer SubFlow
  2. Flow Designer Action
  3. Threat Intel Enrichment Mapping Table
  4. UI Action

1. Flow Designer SubFlow

Flow Designer subflows can be used without triggers, allowing you to call them from other flows or from an external trigger such as a UI action button.

1.1. Configuration of "Subflow" and "Look Up Records" action

image

1.2. Configuration of "For Each" and "Look Up Record" action

image

2. Flow Designer Action

Now that the subflow is configured, we must create an action that performs the REST API call, retrieves the result and reshapes the values so they are ready to be inserted into the Threat Lookup Results table.

2.1. Configuration of action input variables

image

2.2. Configuration of REST step

image

2.3. Configuration of Script input variables

image

2.4. Configuration of Script

image

image

Used code:

(function execute(inputs, outputs) {

  // Parse the REST step output. A non-JSON body (proxy error page, timeout)
  // must not crash the step with an unhelpful JSON.parse error.
  var responseBody;
  try {
    responseBody = JSON.parse(inputs.responsebody);
  } catch (e) {
    throw new Error('ThreatGrid returned a non-JSON body (HTTP ' + inputs.status + '): ' +
      String(inputs.responsebody).slice(0, 200));
  }

  // Anything other than HTTP 200 is an error: surface ThreatGrid's message and detail
  if (inputs.status != 200) {
    var err = responseBody.error || {};
    throw new Error('Error retrieving ThreatGrid result. Message: ' + err.message + ' Details: ' + err.detail);
  }

  // current_item_count >= 1 means ThreatGrid holds samples for this domain
  var result = responseBody.data.current_item_count;
  var finding = (result >= 1) ? 'Malicious' : 'Unknown';

  var id = inputs.observable_id.toString(); // observable sys_id
  // URL-encode the observable value so a crafted domain cannot alter the request path
  var url = 'https://panacea.threatgrid.com/mask/domains/' + encodeURIComponent(inputs.domain_value);
  var record_id = inputs.task_id;           // security incident sys_id
  var record_table = 'task';                // reference table

  // Add the observable sys_id, finding and link to the response and re-serialise it.
  // Building this by string concatenation leaves sys_id and finding unquoted,
  // which is not valid JSON, so add the fields to the parsed object instead.
  responseBody.sys_id = id;
  responseBody.finding = finding;
  responseBody.url = url;
  var response_content = JSON.stringify(responseBody);

  var enrichment_mapping_id = '026db246db7537000b3b5414dc961958'; // sys_id of the ThreatGrid enrichment map (instance-specific)
  var domain_id = 'global';  // domain for domain-separated environments
  var ref_value = null;      // reference value (not used for this enrichment)
  var ref_table = 'null';    // reference table (not used for this enrichment)

  // Execute the Threat Intel enrichment script include with these variables
  var util = new sn_sec_cmn.EnrichmentDataUtil(domain_id);
  var enrichmentId = util.createEnrichmentRecordsForRecord(record_id, record_table, response_content, enrichment_mapping_id, 'Workflow', ref_value, ref_table);

})(inputs, outputs);
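The script above only makes sense inside a Flow Designer Script step, so its decision logic cannot be tested before it is deployed. The following is an added example, not the article's own code, that factors that logic into pure ES5 functions (ServiceNow's scripting engine does not support ES6 syntax) which can be unit-tested in Node and then pasted into the Script step. It goes beyond the article's script in two ways: it handles URL observables as well as Domain observables by reducing them to a hostname, and it handles the failure modes the inline script does not (a non-JSON error body, a 200 response without `data.current_item_count`). The observable type names `domain` and `url`, the input object shape, and the sample ThreatGrid responses are all constructed assumptions modelled on the fields the article's script reads.

```javascript
// Added example: testable version of the Script step logic. Not the article's code.
var THREATGRID_DOMAIN_URL = 'https://panacea.threatgrid.com/mask/domains/';

// Reduce an observable to a bare lowercase hostname. URL observables have
// scheme, user-info, port, path, query and fragment stripped. Returns null
// when the value is not a plausible hostname so it never reaches the REST step.
// The type names 'domain' and 'url' are assumptions for this example.
function observableToDomain(value, type) {
  var v = String(value).trim().toLowerCase();
  if (type === 'url') {
    var m = v.match(/^(?:[a-z][a-z0-9+.\-]*:\/\/)?(?:[^@\/?#]*@)?([^:\/?#]+)/);
    if (!m) { return null; }
    v = m[1];
  }
  return /^[a-z0-9.\-]+$/.test(v) ? v : null;
}

// Build the ThreatGrid lookup URL; encoding stops a crafted value altering the path.
function buildThreatGridUrl(domain) {
  return THREATGRID_DOMAIN_URL + encodeURIComponent(domain);
}

// Turn the REST step outputs (status, body text) into a result object.
// Non-JSON bodies and 200 responses with an unexpected shape are reported as
// errors instead of silently becoming an 'Unknown' finding.
function parseThreatGridResponse(status, bodyText) {
  var code = parseInt(status, 10);
  var body = null;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    body = null; // proxies and gateways can return HTML or plain text on failure
  }
  if (code !== 200) {
    var msg = (body && body.error && body.error.message) || String(bodyText).slice(0, 200);
    var detail = (body && body.error && body.error.detail) || '';
    return { ok: false, error: 'HTTP ' + code + ': ' + msg + (detail ? ' (' + detail + ')' : '') };
  }
  if (!body || !body.data || typeof body.data.current_item_count !== 'number') {
    return { ok: false, error: 'HTTP 200 but response lacks data.current_item_count' };
  }
  return { ok: true, count: body.data.current_item_count, body: body };
}

// Build the JSON string the enrichment map consumes: the ThreatGrid response
// plus the observable sys_id, the finding and the lookup URL. Throws on any
// failure so the flow stops rather than writing a misleading result record.
function buildEnrichmentPayload(observable, status, bodyText) {
  var domain = observableToDomain(observable.value, observable.type);
  if (domain === null) {
    throw new Error('Observable is not a usable domain: ' + observable.value);
  }
  var parsed = parseThreatGridResponse(status, bodyText);
  if (!parsed.ok) {
    throw new Error('Error retrieving ThreatGrid result for ' + domain + '. ' + parsed.error);
  }
  var payload = {
    sys_id: String(observable.sys_id),
    finding: parsed.count >= 1 ? 'Malicious' : 'Unknown',
    url: buildThreatGridUrl(domain)
  };
  for (var k in parsed.body) {
    if (parsed.body.hasOwnProperty(k)) { payload[k] = parsed.body[k]; }
  }
  return JSON.stringify(payload);
}

// Constructed sample data for a local run (not real ThreatGrid output).
var OBS_URL = { sys_id: 'a1b2c3', type: 'url', value: 'https://user@Evil.Example:8443/login?x=1#f' };
var OBS_DOMAIN = { sys_id: 'd4e5f6', type: 'domain', value: 'Example.ORG' };
var HIT_BODY = JSON.stringify({ api_version: 2, data: { current_item_count: 3, items: [] } });
var MISS_BODY = JSON.stringify({ api_version: 2, data: { current_item_count: 0, items: [] } });
var ERR_BODY = JSON.stringify({ error: { message: 'Unauthorized', detail: 'bad api_key' } });
```

In the Script step the same functions would be called with `inputs.status` and `inputs.responsebody` from the REST step, and the returned string handed to `createEnrichmentRecordsForRecord` in place of the concatenated `response_content`.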

3. Adding action to Subflow

After creating the action it can be added to the subflow.

image

4. Configuring an Enrichment Map for parsing results

In order to parse the JSON response into the required target table (sn_ti_lookup_results), SecOps provides Enrichment Data Mappings. These mappings are similar to platform transform maps, allowing you to configure how, and into which fields, the data is populated.

The enrichment maps are referenced by the "sn_sec_cmn.EnrichmentDataUtil" script include.

image

image

5. Configuration of UI action

When the subflow, action and enrichment map are configured, the last step is to configure the UI Action button.

To call the subflow from a UI action you must first modify the security settings of the subflow:

image

After this you can copy the generated client-side or server-side code and use it within a UI action, Business Rule, etc. In this case we will be using the server-side code:

image

Now let's create a new UI action on the sn_si_incident table as shown below:

image

6. Setup Results

6.1. Security incident with Lookup Button available

image

6.2. Related observables

image

6.3. When clicking the ThreatGrid button, new Threat Lookup Results are added

image

6.4. Example of ThreatGrid retrieved information

image

View original source

https://www.servicenow.com/community/secops-articles/using-flow-designer-to-build-custom-rest-api-threat-intel/ta-p/2316027