Snow IOC Ingestion 1.2.1
- Updated on 30 Mar 2022
tags: Automation | Service Now | IOC | Ticket Generation | Python
Description
The Snow IOC Ingestion automation supports CDC users by automating the creation of tickets in the clients' ServiceNow ticketing system. It runs each time an IOC file is received or uploaded to the CDC.
The input IOC file is read for threat information about IP addresses, URLs, or domains. Once that information has been extracted, it is passed to ServiceNow via a custom API to create the ticket. Once the ticket has been generated in ServiceNow, its ticket number is written back to the CDC.
This automation saves the manual effort and time involved in creating tickets on the clients' end. It is especially useful when requesting changes to Palo Alto firewall rule configurations to block the threats listed in the IOC file.
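The ingestion step described above, as an added example that is not part of the Snow IOC Ingestion code: the CSV is parsed, each indicator is validated and classified as IP, URL or domain, junk rows and duplicates are dropped, and the survivors are defanged into a ticket body. The CSV column names, the ticket field names and the sample rows are constructed assumptions, since the page does not specify the file or API format.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample IOC CSV (column names are an assumption, not the page's format).
SAMPLE_IOC_CSV = """indicator,threat
203.0.113.7,C2 server
http://malicious.example/payload.bin,Dropper URL
bad.example.net,Phishing domain
203.0.113.7,duplicate C2 entry
not an indicator,garbage row
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def classify(value):
    """Return 'ip', 'url' or 'domain', or None if the value is not a usable indicator."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)          # IPv4 or IPv6
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return None

def parse_ioc_csv(text):
    """Read the IOC CSV, classify each row, and drop unrecognised or duplicate indicators."""
    iocs = {"ip": [], "url": [], "domain": []}
    skipped = []
    for row in csv.DictReader(io.StringIO(text)):
        value = row["indicator"].strip()
        kind = classify(value)
        if kind is None:
            skipped.append(value)             # keep for review; never forward junk to the ticket
        elif value not in iocs[kind]:
            iocs[kind].append(value)
    return iocs, skipped

def defang(value):
    """Neutralise an indicator so it is not clickable inside the ticket text."""
    return value.replace("http", "hxxp").replace(".", "[.]")

def build_ticket_payload(iocs, cdc_incident_key):
    """Ticket body handed to the ticketing API (field names are assumptions)."""
    lines = [f"{kind}: {defang(v)}" for kind, values in iocs.items() for v in values]
    return {
        "short_description": f"IOC block request for CDC incident {cdc_incident_key}",
        "description": "\n".join(lines),
        "cdc_incident_key": cdc_incident_key,
    }
```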
Field | Value |
---|---|
Integration Type | Automation |
Information read | IP/URL/Domain threat information from the IOC file shared by the CTI team |
API Supported | Custom API |
Input | CSV file containing IOC information |
Output | Ticket created in the client's ServiceNow and ticket number updated in the CDC |
CDC Command Lines
- ioc_ingestion_cli
The CDC command line for ingesting IOCs into ServiceNow. When running it, provide the incident ID, or the channel ID on CDC versions earlier than 2.2.
Option | Type | Description | Required |
---|---|---|---|
cdc_incident_key | string | Human readable CDC incident ID | False |
cdc_channel_id | string | Human readable CDC channel ID | False |
file_name | string | The name of the file whose IOC data needs to be extracted. | True |
Workflows
- ioc-ingestion
This workflow is used to ingest IOCs in ServiceNow.
Rules
No rules
Sensors
No sensors
Triggers
No triggers
Known Issues
No known issues