User Manual

DeCYFIR ServiceNow

Introduction

This User Manual serves as a guide for users to access and leverage DeCYFIR alerts and incident details in the ServiceNow application.

Login

Once you have launched the URL, you will arrive at the home page shown below. Enter your username and password, then click the “Login” button. Example URL: https://ven04914.service-now.com/

You need to download the “Authenticator” app on your mobile device and configure it with your email ID. When you open the app, it generates a six-digit code; enter this code and click the Login button. Check the box "Do not challenge for MFA on this browser for the next 8 hours".

This will take you to the home page.

Studio

Studio is the developer page where all the coding and configuration are done. Type “Studio” in the search box located at the top left of the page, and the search results will be displayed.

Click on “Studio” which is displayed in the search result, and it will take you to another page.

Click on “DeCYFIR” and you will arrive at the page below.

On the left side of the page, under “System Properties”, you can see the important properties: the “After” parameter, “Categories”, “Key”, “Logging Level” and “Retry”.

After Parameter


This captures the time of the "Last Job" run as a Unix timestamp. Whenever the next job runs, it takes the last captured time and fetches data from that time onwards. A single time is captured for all the categories.

Categories


There are a total of 8 categories (Data_Leak, Certificates, Attack_Surface, phishing, IP_With_Vulnerability, Brand_Infringement, impersonation, vulnerability), and users can select or deselect the categories they want. For example, if the admin or end user only wants “vulnerability” alerts, he/she can select just that category and update the property; the system will then fetch only that type of alert.


Key


This is the password (key) used to establish connectivity between CYFIRMA and ServiceNow (SNOW).

Logging Level


Users can configure the logging level, i.e. the type of log entries they would like to analyze.

Retry


This is the number of times the system is allowed to retry an activity. By default, it is configured as 3.

Scheduler


Users can set the time or interval at which the job runs to fetch alerts from the CYFIRMA system; this is an automated process. The job can be configured to run “Daily”, “Weekly” or “Monthly”. The user can also click the “Execute Now” button to trigger the job immediately, on demand.
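The following is an added illustration of how the System Properties described above (the “After” watermark, the selected “Categories” and the “Retry” count) fit together in one scheduled run. It is not the DeCYFIR application's own code: the `fetchCategory` API stand-in, its URL and the sample alerts are constructed for the example, and one initial attempt plus `retry` retries per category is an assumption.

```javascript
// Added example: a model of one DeCYFIR fetch job driven by the System Properties.
// Not the DeCYFIR app's code; fetchCategory and the sample data are constructed.

// The 8 categories named in the manual.
const ALL_CATEGORIES = ["Data_Leak", "Certificates", "Attack_Surface", "phishing",
  "IP_With_Vulnerability", "Brand_Infringement", "impersonation", "vulnerability"];

// Runs one scheduled job. `props` mirrors the System Properties; `fetchCategory`
// stands in for the DeCYFIR API call; `now` is the job's Unix start time.
function runJob(props, fetchCategory, now, seenUids = new Set()) {
  const logs = [], newAlerts = [];
  let allFetched = true;
  for (const category of props.categories) {
    if (!ALL_CATEGORIES.includes(category)) throw new Error("unknown category " + category);
    let fetched = false;
    // Assumption: one initial attempt plus `retry` retries (default 3) per category.
    for (let attempt = 0; attempt <= props.retry && !fetched; attempt++) {
      const res = fetchCategory(category, props.after);
      // Each call is logged with the fields the Logs page shows.
      logs.push({ logType: category, statusCode: res.status, requestUrl: res.url, attempt });
      if (res.status !== 200) continue;
      fetched = true;
      for (const alert of res.body) {
        // Alerts carry a unique UID: skip any already turned into an incident,
        // so a re-fetch after a failed run does not create duplicate incidents.
        if (seenUids.has(alert.uid)) continue;
        seenUids.add(alert.uid);
        newAlerts.push(alert);
      }
    }
    if (!fetched) allFetched = false;
  }
  // Move the "After" watermark only when every selected category succeeded;
  // otherwise the next run keeps fetching from the old time and nothing is lost.
  return { newAlerts, logs, nextAfter: allFetched ? now : props.after };
}

// Constructed stand-in for the API: "phishing" fails twice before succeeding.
function makeFakeApi() {
  let phishingCalls = 0;
  return function fetchCategory(category, after) {
    const url = `https://decyfir.example/alerts?category=${category}&after=${after}`;
    if (category === "phishing" && ++phishingCalls <= 2) return { status: 503, url, body: [] };
    return { status: 200, url, body: [{ uid: `${category}-1`, category, ts: after + 60 }] };
  };
}

// Example run: two selected categories, default retry of 3.
const exampleRun = runJob({ after: 1700000000, categories: ["vulnerability", "phishing"], retry: 3 },
  makeFakeApi(), 1700003600);
```

In the example run, the two failed "phishing" calls appear in the logs with status 503, both alerts are returned once, and the watermark advances to the job start time.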

Deleting the Alerts


If the user wants to delete all the alerts displayed in the system, he/she can run the “delete all alerts” script.

Deleting the Logs


If the user wants to delete all the logs in the system, he/she can run the “delete all alerts” script.

Alerts

Users can see all the alerts received from the CYFIRMA system on the “Alerts” page. Each alert has a unique “Alert” number, “Incident” number and UID. For each new alert, a new incident is created automatically.

Navigating to Alert page

Type “Decyfir alerts” in the search box on the home page; the search results will be shown.

Click on “Decyfir alerts” and that will open the “DeCYFIR Alerts” page.

Clicking the “Alert” number opens the details page, where the user can see the alert's fields and their values. Each alert also has its own unique incident.

Logs

All the system activity will be captured in logs.

Navigating to Log page

Type “Decyfir Logs” in the search box on the home page; the search results will be shown.

Click on “Decyfir Logs” and that will open the “DeCYFIR Logs” page.

Clicking the “Category” opens the details page, where the user can see the "Log Type", "Status Code", "Request URL" and "Response Body".

Incidents

For each alert, a unique Incident ID will be generated.

Accessing the incident

Users can see the incident associated with each alert. Clicking the incident ID opens the incident page, where the user can see details such as "Impact", "Urgency" and "Description".

Under work notes, users are able to see all the alerts fields and their associated values.

Under "Related" links, users are able to see the associated alerts.

Dashboard

Users are able to see all the category alerts, their count, and the "Top 5" events.

Navigating to the dashboard page

Type “Dashboard” in the search box to see the search results.

Click on “DeCYFIR Alert” in the results to open the page below.

This page shows all the categories and their alert counts.

Similarly, by scrolling down, users are able to see the “Top 5” alerts.

Users will have the option to search using different time ranges.