ServiceNow | Configure | Prepare ServiceNow#

Install the EIQ IC application#

  1. In your ServiceNow instance, select All to open the filter box.

  2. Go to System Definition > Plugins.

  3. Install the following two ServiceNow Products:

    • Security Incident Response

    • Threat Intelligence

  4. Restart your ServiceNow instance.

  5. Navigate to System Applications > All Available Applications > Available To Obtain From Store.

  6. Install the EclecticIQ Intelligence Center application for ServiceNow.

Configure the EIQ IC application#

  1. In your ServiceNow instance, select All to open the filter box.

  2. Go to Security Operations > Integrations > Integration Configurations.

  3. Under EclecticIQ Intelligence Center, click on Configure.

  4. Fill in fields. Fields with * are required.

Field

Description

Example

EclecticIQ Intelligence Center (EIQ IC) server URL *

URL of IC instance

https://my-ic-instance>.com

API Token *

Generated in the previous step from the Account page in EIQ IC.

API version (v1/v2) *

Version of the Intelligence Center public API being used.

v2

Enable automatic Observable lookup

Enable or disable automatic lookup of Observables in EIQ IC.

True

Security Incident State ID

State that will trigger automatic export of Security Incident to EIQ IC.

3

Automatically create Sightings from security incidents

Enable or disable automatic creation of Sightings in EIQ IC.

True

Automatically create Reports from security incidents

Enable or disable automatic creation of Reports in EIQ IC.

True

EIC Outgoing Feed IDs

Comma-separated list of IDs of EIQ IC Outgoing feeds created while preparing the Intelligence Center.

6,7

Manage user roles#

Assign the appropriate roles to to your users in ServiceNow so they can interact with the EIQ IC App.

Role

Authorized actions

x_1088979_eclectic.action

Can perform actions provided by the EIQ IC integration.

x_1088979_eclectic.view

Can read data from EIQ IC integration tables.

x_1088979_eclectic.create

Can create data from EIQ IC integration tables.

x_1088979_eclectic.update

Can update data from EIQ IC integration tables.

x_1088979_eclectic.delete

Can delete data from EIQ IC integration tables.

x_1088979_eclectic.eiq_observable_user

Can create, view, update, and delete eiq_observable_user records.

x_1088979_eclectic.eiq_source_user

Can create, view, update, and delete eiq_source_user records.

x_1088979_eclectic.feed_data_history_user

Can create, view, update, and delete feed_data_history_user records.

x_1088979_eclectic.admin

Has administrator access to the EIQ IC integration.

Define Observable type mapping#

In ServiceNow there is a mapping of Observable types in ServiceNow to EIQ IC Observable types. You can change this mapping. This is only necessary if you will be using the Observable export or Observable lookup and the default mappings are different than you require.

  1. In your ServiceNow instance, select All to open the filter box.

  2. Go to EclecticIQ Intelligence Center > EIQ IC Observable Type Mappings.

  3. In the EIQ Observable Type column, select an Observable type you’d like to remap.

  4. Select a new TI Observable Type or EIQ Observable Type.

  5. Select the Update button.

Next step#

Start using the integration

The next step is to start using the integration.