{ "version": "3.0", "name": "ServiceNow_Security_Incendent_Events", "comment": "Create an incident from a DNS security event", "type": "REST_EVENT", "event_type": [ "RPZ", "TUNNEL" ], "action_type": "Incidents", "content_type": "application/json", "vendor_identifier": "ServiceNow", "quoting": "XMLA", "instance_variables": [ { "name": "Severity", "type": "INT", "value": "3" } ], "steps": [ { "name": "assignTimeValue", "operation": "NOP", "body_list": [ "${XC:COPY:{L:ServiceNowAddDate}:{UT:TIME}}${XC:FORMAT:TRUNCATE:{L:ServiceNowAddDate}:{10t}}" ] }, { "name": "check for IPv6", "operation": "CONDITION", "condition": { "statements": [ { "left": "${E::source_ip}", "op": "=~", "right": ":" } ], "condition_type": "AND", "next": "Get IPv6Fixed _ref" } }, { "name": "Get IPv4Fixed _ref", "operation": "GET", "transport": { "path": "fixedaddress?ipv4addr=${E:U:source_ip}&network_view=default&_return_fields=extattrs" }, "wapi": "v2.7" }, { "operation": "CONDITION", "name": "wapi_response_getIPv4Fix_ref", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": "" } ], "next": "Get_Objref" } }, { "name": "Get HostIPv4 _ref", "operation": "GET", "transport": { "path": "record:host?ipv4addr=${E:U:source_ip}&network_view=default&_return_fields=extattrs" }, "wapi": "v2.7" }, { "operation": "CONDITION", "name": "wapi_response_getIPv4Host_ref", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": "" } ], "next": "Get_Objref", "else_stop": true } }, { "name": "Get IPv6Fixed _ref", "operation": "GET", "transport": { "path": "ipv6fixedaddress?ipv6addr=${E:U:source_ip}&network_view=default&_return_fields=extattrs" }, "wapi": "v2.7" }, { "operation": "CONDITION", "name": "wapi_response_getIPv6Fix_ref", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": "" } ], "next": "Get_Objref" } }, { "name": "Get HostIPv6 _ref", 
"operation": "GET", "transport": { "path": "record:host?ipv6addr=${E:U:source_ip}&network_view=default&_return_fields=extattrs" }, "wapi": "v2.7" }, { "operation": "CONDITION", "name": "wapi_response_getIPv6Host_ref", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": "" } ], "next": "Get_Objref" } }, { "name": "Get_Objref", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:PARSE[0]{_ref}}", "op": "!=", "right": "" } ], "eval": "${XC:COPY:{L:Obj_ref}:{P:PARSE[0]{_ref}}}" } }, { "name": "Assign location variable", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${P:A:PARSE[0]{extattrs}{ServiceNow_Location}{value}}", "op": "==", "right": "" } ], "eval": "${XC:ASSIGN:{L:Location}:{S:Unknown}}", "else_eval": "${XC:COPY:{L:Location}:{P:PARSE[0]{extattrs}{ServiceNow_Location}{value}}}" } }, { "name": "jump if no Obj_ref", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${L:A:Obj_ref}", "op": "==", "right": "" } ], "next": "check rpz or tunnel to assign query name" } }, { "name": "stop if no extattrs", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${P:A:PARSE[0]{extattrs}{ServiceNow_Add_Incident}{value}}", "op": "==", "right": "" } ], "stop": true } }, { "name": "assignRecordValues", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${P:A:PARSE[0]{extattrs}{ServiceNow_LastIncidentSentAt}{value}}", "op": "==", "right": "" } ], "eval": "${XC:ASSIGN:{L:ServiceNowAddDateRecorded}:{S:NONE}}", "else_eval": "${XC:COPY:{L:ServiceNowAddDateRecorded}:{P:PARSE[0]{extattrs}{ServiceNow_LastIncidentSentAt}{value}}}${XC:FORMAT:TRUNCATE:{L:ServiceNowAddDateRecorded}:{10t}}" } }, { "name": "check If Scan Happened today", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { 
"left": "${P:A:PARSE[0]{extattrs}{ServiceNow_Add_Incident}{value}}", "op": "==", "right": "false" }, { "left": "${L:A:ServiceNowAddDateRecorded}", "op": "==", "right": "${L:A:ServiceNowAddDate}" } ], "stop": true } }, { "name": "check rpz or tunnel to assign query name", "operation": "CONDITION", "condition": { "statements": [ { "left": "${E::event_type}", "op": "==", "right": "RPZ" } ], "condition_type": "AND", "eval": "${XC:COPY:{L:query_name}:{E:query_name}}", "else_eval": "${XC:COPY:{L:query_name}:{E:domain_name}}" } }, { "name": "set threatActionTaken threatHandled", "operation": "CONDITION", "condition": { "statements": [ { "left": "${E::rpz_policy}", "op": "==", "right": "PASSTHRU" } ], "condition_type": "AND", "eval": "${XC:ASSIGN:{L:threatActionTaken}:{S:Recorded}}", "else_eval": "${XC:ASSIGN:{L:threatActionTaken}:{S:Blocked}}" } }, { "name": "Create an incident", "operation": "POST", "parse": "JSON", "transport": { "path": "/api/now/v2/table/sn_si_incident" }, "body_list": [ "{", "\"category\":\"Malicious code activity\",", "\"subcategory\":\"Worm, virus, Trojan\",", "\"description\":\"Client ${E:A:source_ip} accessed restricted domain ${L:A:query_name} and this was ${L:A:threatActionTaken} by Infoblox appliance with IP:${E:A:member_ip}\",", "\"short_description\":\"Client ${E:A:source_ip} accessed restricted domain ${L:A:query_name} and this was ${L:A:threatActionTaken} by Infoblox appliance with IP:${E:A:member_ip}\",", "\"severity\":\"${I:A:Severity}\",", "\"u_Location\":\"${L:A:Location}\",", "\"contact_type\":\"Network Monitoring\",", "\"sys_created_by\":\"NIOS Outbound API\",", "\"work_notes\":\"event type: ${E:A:event_type}, RPZ policy: ${E:A:rpz_policy}, RPZ severity: ${E:A:rpz_severity}, Query name: ${E:A:query_name}\"", "}" ] }, { "name": "Incident creation error check", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${R:A:RC}", "op": "!=", "right": "201" } ], "error": true } }, { "name": "Get the 
incident", "operation": "GET", "parse": "JSON", "transport": { "path": "/api/now/v2/table/sn_si_incident?number=${P:U:result{number}}" } }, { "name": "set time incedent was created to a variable", "operation": "NOP", "body_list": [ "${XC:COPY:{L:TimeIncidentCreated}:{P:result[0]{sys_created_on}}}", "${XC:COPY:{L:IncidentSysID}:{P:result[0]{sys_id}}}", "${XC:COPY:{L:number}:{P:result[0]{number}}" ] }, { "name": "GET Observable to check if it exists", "operation": "GET", "parse": "JSON", "transport": { "path": "/api/now/v2/table/sn_ti_observable?sysparm_query=value=${L:A:query_name}" } }, { "name": "check if there are any Observables", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:result[0]{value}}", "op": "!=", "right": "" } ], "next": "Create an observable connection to Security incident with existant observable" } }, { "name": "Create an observable", "operation": "POST", "parse": "JSON", "transport": { "path": "/api/now/v2/table/sn_ti_observable" }, "body_list": [ "{", "\"value\":\"${L:A:query_name}\",", "\"type\":{", "\"value\":\"Domain name\"", "},", "\"sighting_count\":\"1\",", "\"finding\":\"Malicious\",", "\"notes\":\"bad domain\"", "}" ] }, { "name": "Create an observable connection to Security incident", "operation": "POST", "parse": "JSON", "transport": { "path": "/api/now/v2/table/sn_ti_m2m_task_observable" }, "body_list": [ "{", "\"observable\":\"${P:A:result{sys_id}}\",", "\"task\":\"${L:A:IncidentSysID}\"", "}" ] }, { "name": "skip connecting a second observable", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "1", "op": "==", "right": "1" } ], "next": "Get CMDB_CI assets" } }, { "name": "Create an observable connection to Security incident with existant observable", "operation": "POST", "parse": "JSON", "transport": { "path": "/api/now/v2/table/sn_ti_m2m_task_observable" }, "body_list": [ "{", "\"observable\":\"${P:A:result[0]{sys_id}}\",", 
"\"task\":\"${L:A:IncidentSysID}\"", "}" ] }, { "name": "Get CMDB_CI assets", "operation": "GET", "parse": "JSON", "transport": { "path": "/api/now/v2/table/cmdb_ci?sysparm_query=ip_address=${E:A:source_ip}&sysparm_fields=sys_id,ip_address" } }, { "name": "check if there are no assets", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${P:A:result[0]{sys_id}}", "op": "==", "right": "" } ], "next": "jump if no Obj_ref2", "else_eval": "${XC:COPY:{L:Assets}:{P:result}}" } }, { "name": "Pop_Assets", "operation": "VARIABLEOP", "variable_ops": [ { "operation": "UNSHIFT", "type": "DICTIONARY", "destination": "L:TempAssets", "source": "L:Assets" } ] }, { "name": "Add an asset to the security incident", "operation": "PUT", "parse": "JSON", "transport": { "path": "/api/now/v2/table/sn_si_incident/${L:A:IncidentSysID}" }, "body_list": [ "{", "\"cmdb_ci\":\"${L:A:TempAssets{sys_id}}\"", "}" ] }, { "name": "check if there are any more assets", "operation": "CONDITION", "condition": { "condition_type": "AND", "statements": [ { "left": "${L:A:Assets[0]{sys_id}}", "op": "!=", "right": "" } ], "next": "Pop_Assets" } }, { "name": "jump if no Obj_ref2", "operation": "CONDITION", "condition": { "condition_type": "OR", "statements": [ { "left": "${L:A:Obj_ref}", "op": "==", "right": "" } ], "next": "done" } }, { "name": "Update timestamp and system ID", "operation": "PUT", "transport": { "path": "${L:A:Obj_ref}" }, "wapi": "v2.7", "wapi_quoting": "JSON", "body_list": [ "{\"extattrs+\":{\"ServiceNow_LastIncidentSentAt\": { \"value\": \"${L:A:TimeIncidentCreated}\"},\"ServiceNow_Event_ID\": { \"value\": \"${L:A:number}\"}}}" ] }, { "name": "done", "operation": "NOP", "body": "" } ] }