Iris Detect Integration for ServiceNow

Introduction

Iris Detect is an Internet infrastructure detection, monitoring, and enforcement tool built on the industry’s fastest and broadest domain discovery engine and the largest databases of domain data. Capturing key data on new domains and risk-scoring them within minutes of discovery, Detect is a game-changer for brand managers, digital risk and fraud prevention teams, and network defenders.

Fast New Domain Discovery

Iris Detect employs the most sophisticated and extensive new-domain discovery capabilities, across all TLDs globally. Domains are enriched with preliminary Whois, DNS, and Risk Score data. The Iris Detect for ServiceNow integration can create incidents as frequently as hourly; each incident contains mapped indicators for the newly discovered domains that match the monitored keywords.

Watch Suspicious Domains for Changes

Through actions or on the incidents directly, domains of interest may be added to Iris Detect’s Watchlist, which triggers automatic daily updates, looking for hosting infrastructure or webpage changes. These changes can be consumed as their own incidents or sent to a separate workflow, giving you the ability to track evolving threat campaigns, classify, and identify which domains are most likely to do harm.

Enable Effective Enforcement

Merely knowing about malicious infrastructure is not enough. Iris Detect offers impactful enforcement options: Block flagged domains from incidents directly or using actions. Additionally, blocked domains can appear on their own feed, enabling you to take scripted enforcement actions in your security controls. Take action by sending domains to Google Phishing Protection, which can block them in Chrome, Firefox, and Safari, among other browsers.

Prerequisites

App Dependencies

DomainTools Iris Detect depends on the following application(s), which can be purchased separately.

System Plugin Dependencies

DomainTools Iris Detect depends on the following system plugin(s), which need to be installed separately.

Plugin ID                        Name
com.snc.si_dep                   Security Incident Response Dependencies
com.snc.security_support.sir     Security Incident Response support
com.snc.security_support.core    Security Support Core

Application Installation

Once the prerequisites are in place, navigate to Security Operations > Integrations > Integrations Configurations, locate the DomainTools Iris Detect tile, and select Configure.

Application Configuration

In the DomainTools Iris Detect Configuration dialog box that is displayed, enter the following:

Field                  Note
Username
API key
First Fetch            Set to 3 days by default.
Risk Score Range       Filters domains by risk-score range: [0-0, 1-39, 40-69, 70-99, 100-100]. By default, domains in all ranges are fetched.
Include Domain Data    Includes DNS and Whois details; set to true by default.

The Scheduled Job

By default, the integration is set to run every 4 hours as a ServiceNow Scheduled Job. To change the frequency of the job:

  1. Search for Scheduled Jobs > DomainTools Iris Detect.
  2. Change the frequency in the DomainTools scheduled script.

Iris Detect Data Ingestion

Once the configuration is complete, the integration starts pulling new and watched domains and ingests them into the ServiceNow platform. On every successful run, 3 incidents are created, for new, changed, and blocked domains respectively, provided the API returns data for them.

The integration needs the following related lists to be configured.

  • DomainTools Iris Detect New Domains
  • DomainTools Iris Detect Changed Domains
  • DomainTools Iris Detect Blocked Domains

Each incident is associated with the corresponding related list; for example, the new-domains incident populates the “DomainTools Iris Detect New Domains” related list. Users can change the state of a domain from this related list by clicking on the item and modifying its state.
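The following is an added example, not code from the DomainTools integration or from ServiceNow: a stand-alone Python model of the scheduled pull described in the configuration and ingestion sections above. It shows how the First Fetch window, the Risk Score Range filter, and the three per-run incidents fit together, and applies the risk filter client-side as a check on what the API returns. The query parameter names (discovered_since, risk_score_ranges, include_domain_data, monitor_id) and the record layout ({"domain": ..., "risk_score": ...}) are assumptions, and the sample records are constructed.

```python
"""Added example (not the integration's own code): model of one scheduled
Iris Detect pull. Parameter names and record layout are assumptions."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Ranges offered by the "Risk Score Range" configuration field.
RISK_SCORE_RANGES = ("0-0", "1-39", "40-69", "70-99", "100-100")
FIRST_FETCH_DAYS = 3  # configuration default: "First Fetch" = 3 days

# Related-list names used for the three incidents created on each run.
NEW_LIST = "DomainTools Iris Detect New Domains"
CHANGED_LIST = "DomainTools Iris Detect Changed Domains"
BLOCKED_LIST = "DomainTools Iris Detect Blocked Domains"


def risk_bucket(score: int) -> str:
    """Map a 0-100 risk score onto the configuration range containing it."""
    if not 0 <= score <= 100:
        raise ValueError(f"risk score out of range: {score}")
    for label in RISK_SCORE_RANGES:
        low, high = (int(part) for part in label.split("-"))
        if low <= score <= high:
            return label
    raise AssertionError("ranges cover 0-100, so this is unreachable")


def _parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in 'Z' (also on Python < 3.11)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def pull_window_start(last_success: Optional[str], now: str) -> str:
    """Window start for this run: the first-fetch lookback on the very first
    run, afterwards the last successful run, so nothing between runs is missed."""
    if last_success is None:
        start = _parse_utc(now) - timedelta(days=FIRST_FETCH_DAYS)
    else:
        start = _parse_utc(last_success)
    return start.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_query(since: str, ranges: Iterable[str] = RISK_SCORE_RANGES,
                include_domain_data: bool = True,
                monitor_id: Optional[str] = None) -> Dict[str, object]:
    """Assemble the query parameters for one pull (parameter names assumed)."""
    params: Dict[str, object] = {
        "discovered_since": since,
        "risk_score_ranges": list(ranges),
        "include_domain_data": include_domain_data,
    }
    if monitor_id:  # omitted to query across all monitored terms
        params["monitor_id"] = monitor_id
    return params


def filter_by_risk(records: Iterable[dict], ranges: Iterable[str] = RISK_SCORE_RANGES) -> List[dict]:
    """Apply the configured ranges client-side as well, so a filter the server
    ignored or that was mis-set cannot flood the platform with incidents."""
    allowed = set(ranges)
    return [rec for rec in records if risk_bucket(rec["risk_score"]) in allowed]


def _dedupe(records: Iterable[dict]) -> List[dict]:
    """Collapse repeated domains into one indicator each, tagged with its bucket."""
    seen, indicators = set(), []
    for rec in records:
        if rec["domain"] in seen:
            continue
        seen.add(rec["domain"])
        indicators.append({"domain": rec["domain"], "risk_bucket": risk_bucket(rec["risk_score"])})
    return indicators


def partition_into_incidents(new, changed, blocked, ranges=RISK_SCORE_RANGES) -> Dict[str, List[dict]]:
    """One incident per feed that returned data. The risk filter is applied to
    the new and changed feeds; blocked domains were escalated by analysts and
    pass through unfiltered (a design choice of this example)."""
    feeds = {
        NEW_LIST: filter_by_risk(new, ranges),
        CHANGED_LIST: filter_by_risk(changed, ranges),
        BLOCKED_LIST: list(blocked),
    }
    return {name: _dedupe(recs) for name, recs in feeds.items() if recs}


# Constructed sample records standing in for API responses (.example is reserved).
SAMPLE_NEW = [
    {"domain": "examp1e-login.example", "risk_score": 85},
    {"domain": "examp1e-login.example", "risk_score": 85},  # duplicate row
    {"domain": "example-shop.example", "risk_score": 12},
]
SAMPLE_CHANGED = [{"domain": "example-support.example", "risk_score": 100}]
SAMPLE_BLOCKED: List[dict] = []  # nothing escalated this run: no blocked incident


def demo() -> Dict[str, List[dict]]:
    """First run with a narrowed filter: only the 70-99 and 100-100 ranges."""
    since = pull_window_start(None, "2024-01-10T00:00:00Z")
    query = build_query(since, ranges=("70-99", "100-100"))
    incidents = partition_into_incidents(SAMPLE_NEW, SAMPLE_CHANGED, SAMPLE_BLOCKED,
                                         ranges=query["risk_score_ranges"])
    for name, indicators in incidents.items():
        print(name, "->", [i["domain"] for i in indicators])
    return incidents


if __name__ == "__main__":
    demo()
```

Running the module as a script performs the first-run scenario: the window starts three days before the constructed "now", the low-risk domain is dropped, the duplicate row collapses into one indicator, and no blocked incident is produced because that feed returned nothing.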

Flow Designer Actions

The following Actions are included as part of the integration. They can be added to any flow, enabling process analysts to automate Now Platform features without having to write code.

Get DomainTools Iris Detect Blocked Domains

This action allows you to retrieve domains that your organization has escalated as blocked, matching all of your monitored terms, or a specific term specified by a monitor_id.

Get DomainTools Iris Detect Escalated Domains

This action allows you to retrieve domains that your organization has escalated to Google Safe Browsing, matching all of your monitored terms, or a specific term specified by a monitor_id.

Get DomainTools Iris Detect Ignored Domains

This action allows you to retrieve domains that your organization has marked as ignored, matching all of your monitored terms, or a specific term specified by a monitor_id.

Get DomainTools Iris Detect Monitor List

This action allows users to retrieve the list of monitored terms and respective IDs associated with your organization's Iris Detect account. New terms can only be set up and configured directly within the Iris Detect UI at https://iris.domaintools.com/detect/. The results are limited to 100 monitors if include_counts is True, or 500 otherwise.

Get DomainTools Iris Detect New Domains

This action allows you to retrieve new domains matching all of your monitored terms, or a specific term specified by a monitor_id.

Get DomainTools Iris Detect Watched Domains

This action allows you to retrieve changes to the domains that have been marked as “watched” by users of your organization, matching all of your monitored terms, or a specific term specified by a monitor_id.

DomainTools Iris Detect Block Domains

Mark a given domain as blocked, which allows a script against the Iris Detect API to pass these domains on to other teams or security controls within your organization to block them in email, web, or other filtering controls.

DomainTools Iris Detect Escalated Domains

Reports a domain to Google's Safe Browsing API. After approval, Google's block list is picked up by Chrome and most modern browsers.

DomainTools Iris Detect Watch Domains

Mark a given domain as watched, which will trigger more frequent scanning by DomainTools automation.

DomainTools Iris Detect Ignore Domains

Ignore a given domain, removing it from new and block lists, if applicable.