Snow IOC Ingestion 1.3.0
- Updated on 02 Apr 2025
tags: Automation | Service Now | IOC | Ticket Generation | Python
Description
The Snow IOC Ingestion automation supports CDC users by automating the creation of tickets in clients' ServiceNow ticketing system. A ticket is created each time an IOC file is received by or uploaded to the CDC.
The input IOC file is read for threat information related to IP addresses, URLs, or domains. That threat information is then passed to ServiceNow via a custom API to create the ticket. Once the ticket has been generated in ServiceNow, the ticket number is written back to the CDC.
This automation has helped save the manual effort and time involved in creating tickets on the clients' end. It is especially beneficial for requesting changes to Palo Alto firewall rule configurations to block threats based on the IOC.
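The read-and-classify step described above can be sketched as follows. This is an added example, not the automation's own code: the CSV column name `indicator`, the ticket body field names, and the list of internal networks are assumptions, and no ServiceNow call is made. It shows the checks worth running before IOCs turn into a firewall change request: undoing defanging, rejecting internal addresses and malformed rows, and dropping duplicates.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample file. The column name "indicator" is an assumption.
SAMPLE_CSV = """indicator,source
203.0.113.7,CTI
hxxp://bad[.]example/login.php,CTI
malicious[.]example,CTI
10.0.0.5,CTI
203.0.113.7,CTI
not an indicator,CTI
"""
# Address space that must never end up in a firewall block request (assumed list).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(raw):
    """Return (kind, normalized value), or (None, reason) when the row is rejected."""
    value = raw.strip().replace("[.]", ".").replace("[:]", ":")  # undo defanging
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    try:
        ip = ipaddress.ip_address(value)
        internal = any(ip in net for net in INTERNAL_NETS)
        return (None, "internal IP") if internal else ("ip", str(ip))
    except ValueError:
        pass  # not an IP literal; try URL, then domain
    try:
        parts = urlsplit(value)
    except ValueError:
        return None, "unrecognized format"
    if parts.scheme in ("http", "https") and parts.hostname:
        return "url", value
    if DOMAIN_RE.match(value.lower()):
        return "domain", value.lower()
    return None, "unrecognized format"


def build_ticket(csv_text, file_name):
    """Return (ticket body, rejected rows). Body field names are hypothetical."""
    iocs, rejected = {"ip": [], "url": [], "domain": []}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, result = classify(row.get("indicator") or "")
        if kind is None:
            rejected.append((row.get("indicator"), result))
        elif result not in iocs[kind]:  # drop duplicates
            iocs[kind].append(result)
    return {"description": f"Block IOCs from {file_name}", "iocs": iocs}, rejected
```

Rejected rows are returned alongside the ticket body so they can be reviewed by an analyst instead of being silently dropped.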
Property | Value |
---|---|
Integration Type | Automation |
Information read | IP/URL/Domain threat information from the IOC file shared by the CTI team. |
API Supported | Custom API |
Input | CSV file containing IOC information |
Output | Ticket created in the client's ServiceNow and ticket number updated in the CDC. |
CDC Command Lines
* **ioc_ingestion_cli**
The CDC CLI command for ingesting IOCs into ServiceNow. When running the CLI, enter the Incident ID or Channel ID (in CDC version < 2.2).
Option | Type | Description | Required |
---|---|---|---|
cdc_incident_key | string | Human readable CDC incident ID | False |
cdc_channel_id | string | Human readable CDC channel ID | False |
file_name | string | The name of the file whose IOC data needs to be extracted. | True |
Workflows
* **ioc-ingestion**
This workflow is used to ingest IOCs in ServiceNow.
Rules
No rules
Sensors
No sensors
Triggers
No triggers