Types of ServiceNow integrations provided
Summary of Types of ServiceNow integrations provided
The Security Operations applications within ServiceNow—Security Incident Response, Threat Intelligence, and Vulnerability Response—offer multiple integrations to enhance security workflows by connecting with other ServiceNow applications and external systems. These integrations enable automated data exchange, event processing, and vulnerability management, helping customers streamline incident response and threat intelligence processes.
Key Features
- Security Incident Response – Event Management Integration:
  - Automatically parses events from Event Management to populate security incidents.
  - Supports event correlation and alert rules for security events originating from SIEM tools.
  - Enables creation of security events within Event Management for improved incident handling.
- Security Incident Response – Import Set API Integration:
  - Provides a REST API endpoint for direct creation of security incidents without Event Management.
  - Useful when Event Management is not installed or a simpler incident creation flow is preferred.
  - Supports automatic configuration item (CI) matching based on IP, NetBIOS, or domain name.
- Threat Intelligence – Lookup Source Integration:
  - Enables querying external lookup services for IPs, URLs, files, or hashes to detect malicious data.
  - Offers rate limiting, throttling, and automatic creation of Indicators of Compromise (IoCs) with minimal coding.
  - Provides a consistent interface for lookup requests from catalog items and security incidents.
- Threat Intelligence – Threat Source Integration:
  - Allows importing threat data from external repositories into IoC tables.
  - Supports TAXII collections and simple blocklists without coding, with options for custom integrations.
  - Handles multiple paginated data requests and decouples data retrieval from processing for reuse.
- Vulnerability Response – Scanner Invocation Integration:
  - Facilitates asynchronous calls to third-party vulnerability scanners to schedule scans on CIs or IP addresses.
  - Provides a simple framework for defining scanners and consistent scan request workflows.
  - Automatically updates tasks with scan invocation results.
- Vulnerability Response – Data Integration:
  - Retrieves vulnerability data and CI pairings from third-party vulnerability systems.
  - Supports synchronization of vulnerabilities and CIs for tracking and remediation within ServiceNow.
  - Uses decoupled data retrieval and supports paginated data requests with context passing.
What Customers Can Expect
- Streamlined security incident creation and enrichment through integration with Event Management and direct API access.
- Enhanced threat intelligence capabilities by connecting to external lookup and threat data repositories, enabling automated detection and indicator creation.
- Improved vulnerability management by invoking scans and importing vulnerability data from third-party scanners, allowing comprehensive tracking and remediation within ServiceNow.
- Flexible integration options with minimal coding for common use cases, with resources and documentation available for implementation and troubleshooting.
The Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response) can be seamlessly integrated with other ServiceNow applications to enhance their functionality.
The following integrations are provided in the Security Operations base system.
Security Incident Response – Event Management integration
The capabilities of the Event Management application have been expanded to support Security Incident Response. The Security Incident Response Event Management support plugin automatically parses the contents of events in Event Management to populate fields in security incidents.
Use case covered: Creation of security events in the Event Management system from Security Information and Event Management (SIEM) tools.
Useful capabilities provided:
- Event management functionality – event correlation, event rules, and alert rules
- Automatic mapping of additional_information values to the resulting security incident
Resources:
Security Incident Response - Import Set API integration
In addition to using Event Management to push security-related events, the Security Incident Response application provides an Import Set API that allows direct creation of security incidents. The REST endpoint for the Security Incident Import Set is http://localhost:8080/api/now/import/sn_si_incident_import.
This integration technique is useful when a) Event Management is not installed, or b) you want to create security incidents directly, without going through the event > alert > security incident flow that Event Management requires.
Use case covered: Creation of security incidents directly from SIEM tools.
Useful capabilities provided: Automatic CI matching on security incident creation based on IP address, NetBIOS name, or fully qualified domain name.
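The following is an added example of a SIEM-side client for the Import Set endpoint above; it is not ServiceNow product code. It assumes the staging-table column names in FIELD_MAP (check the dictionary of sn_si_incident_import in your instance; they are placeholders here) and the response shape of the platform Import Set API (a `result` array whose rows carry `status`, `display_value` and `sys_id`). The sample alert and response are constructed so the mapping and result handling run offline.

```python
"""Push a SIEM alert into the Security Incident Import Set API.

Added example, not ServiceNow code. Assumptions: the staging-table column
names in FIELD_MAP and the Import Set API response shape.
"""
import base64
import json
import urllib.request
from typing import Any

IMPORT_SET_URL = "http://localhost:8080/api/now/import/sn_si_incident_import"

# SIEM alert key -> staging-table column. The column names are ASSUMED
# placeholders; replace them with the real columns of sn_si_incident_import.
FIELD_MAP = {
    "rule_name": "short_description",
    "details": "description",
    "src_ip": "source_ip",
    "host": "affected_host",
    "severity": "severity",
}

# Constructed SIEM alert, as a correlation rule might emit it.
SAMPLE_ALERT = {
    "rule_name": "Multiple failed logins followed by success",
    "details": "12 failures then 1 success for user svc-backup in 90s",
    "src_ip": "203.0.113.7",
    "host": "WEB01",
    "severity": 3,
    "raw_event_blob": "<not forwarded>",  # unmapped keys are dropped
}

# Constructed Import Set API response for one inserted row.
SAMPLE_RESPONSE = {
    "import_set": "ISET0010001",
    "staging_table": "sn_si_incident_import",
    "result": [{
        "transform_map": "Security Incident Import",
        "table": "sn_si_incident",
        "display_name": "number",
        "display_value": "SIR0010042",
        "status": "inserted",
        "sys_id": "0123456789abcdef0123456789abcdef",
    }],
}


def build_payload(alert: dict[str, Any]) -> dict[str, str]:
    """Translate one alert into an import-set row.

    Only mapped keys are forwarded, so unexpected SIEM fields can never land
    in unintended columns; values are stringified because staging rows are text.
    """
    return {col: str(alert[key]) for key, col in FIELD_MAP.items() if key in alert}


def build_request(payload: dict[str, str], user: str, password: str,
                  url: str = IMPORT_SET_URL) -> urllib.request.Request:
    """Build the POST with basic auth and JSON content negotiation."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )


def parse_import_result(body: dict[str, Any]) -> list[dict[str, Any]]:
    """Per-row outcomes. 'inserted'/'updated' means an incident exists; any
    other status must be surfaced so an alert is never silently dropped."""
    return [{
        "status": row.get("status"),
        "number": row.get("display_value"),
        "sys_id": row.get("sys_id"),
        "error": row.get("error_message"),
        "ok": row.get("status") in ("inserted", "updated"),
    } for row in body.get("result", [])]


def send_alert(alert: dict[str, Any], user: str, password: str,
               url: str = IMPORT_SET_URL) -> list[dict[str, Any]]:
    """Network path (not exercised offline): POST the alert, parse the result."""
    req = build_request(build_payload(alert), user, password, url)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_import_result(json.load(resp))


if __name__ == "__main__":
    print(build_payload(SAMPLE_ALERT))
    print(parse_import_result(SAMPLE_RESPONSE))
```

Use a dedicated integration user whose roles are limited to loading this staging table, and point the client at the instance's HTTPS URL rather than the plain-HTTP localhost address shown in the documentation; basic-auth credentials travel in every request.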
Resources:
Platform Import Set API documentation
Security Incident Web Service Import Set documentation
Threat Intelligence - lookup source integration
Lookup sources provide the ability to send data to external lookup sources to determine if that data is malicious. Generally, that data is an IP address, URL, file, or file hash.
Use case covered: Look up an IP address, URL, file, or hash with an external lookup service.
Useful capabilities provided:
- Consistent way to request lookups from catalog items and security incidents.
- Rate limiting and throttling capabilities provided with little/no coding.
- Automatic creation of Indicators of Compromise (IoC) observable entries for any issues found by lookup sources.
Threat Intelligence - threat source integration
Threat Sources provide the ability to pull in data from external threat intelligence repositories. This data is then imported into the various Indicators of Compromise tables that exist within the system. TAXII collections and simple blocklists are supported natively. To add new TAXII collections (or profiles based on a discovery or collection management service), it is as simple as adding an entry. Similarly, adding a new simple, single column blocklist is a matter of entering a new record and providing the URL of the blocklist. For more complicated sets of data, a custom integration can be provided to make a call to a URL and parse the response.
Use case covered: Retrieve data from a threat intelligence source to load into IoC tables.
Useful capabilities provided:
- Support for simple blocklists and TAXII collections with no coding.
- Simple mechanism for executing REST messages for retrieving data.
- Decoupled data retrieval/processing for integration component reusability.
- Native support for passing the data returned by a request into data sources (and on to import sets/transform maps).
- Supports multiple data requests per integration (for paginated calls), with the ability to pass context to subsequent calls.
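The following is an added example, not ServiceNow code, of the two ideas this section describes: a retrieval step that walks a paginated feed by passing each response's context into the next call, kept separate from a processing step that turns a single-column blocklist into typed observable rows. The feed format (a JSON-like page with `lines` and a `next` cursor), the observable type names, and every value in the feed are constructed for the example; real feeds and the IoC tables use their own.

```python
"""Paginated blocklist retrieval, decoupled from observable processing.

Added example, not ServiceNow code. The page format, type names and feed
contents below are constructed assumptions.
"""
import ipaddress
import re
from typing import Callable, Iterator, Optional

# Constructed three-page feed keyed by cursor (None selects the first page).
FEED_PAGES = {
    None: {"lines": ["# constructed blocklist", "198.51.100.23", "evil.example"], "next": "p2"},
    "p2": {"lines": ["http://evil.example/payload", "", "198.51.100.23"], "next": "p3"},
    "p3": {"lines": ["00112233445566778899aabbccddeeff", "2001:db8::1"], "next": None},
}

Fetcher = Callable[[Optional[str]], tuple[list[str], Optional[str]]]


def fetch_page(cursor: Optional[str]) -> tuple[list[str], Optional[str]]:
    """Retrieval step: return the raw lines of one page plus the next cursor.
    In a real integration this is the REST call; here it reads FEED_PAGES."""
    page = FEED_PAGES[cursor]
    return page["lines"], page["next"]


def retrieve_all(fetch: Fetcher, max_pages: int = 100) -> Iterator[str]:
    """Drive pagination, feeding each call's context into the next.
    max_pages bounds a feed that never returns a terminal cursor."""
    cursor: Optional[str] = None
    for _ in range(max_pages):
        lines, cursor = fetch(cursor)
        yield from lines
        if cursor is None:
            return
    raise RuntimeError("pagination did not terminate within max_pages")


HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(value: str) -> Optional[str]:
    """Assign an observable type, or None when the line is not a usable value."""
    if "://" in value:
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", value, re.I) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def process(lines: Iterator[str]) -> list[dict[str, str]]:
    """Processing step: drop comments and blanks, dedupe, type each value.
    Unparseable lines are skipped rather than turned into observables."""
    seen: set[str] = set()
    rows = []
    for raw in lines:
        value = raw.strip()
        if not value or value.startswith("#") or value in seen:
            continue
        seen.add(value)
        kind = classify(value)
        if kind is None:
            continue
        rows.append({"value": value, "type": kind})
    return rows


def load_blocklist(fetch: Fetcher = fetch_page) -> list[dict[str, str]]:
    """Whole pipeline: any fetcher with the same signature can be swapped in."""
    return process(retrieve_all(fetch))


if __name__ == "__main__":
    for row in load_blocklist():
        print(row["type"], row["value"])
```

Because `retrieve_all` only sees a fetcher, the same processing code serves a cursor-based API, a TAXII poll, or a flat file; the duplicate across pages is collapsed once, and the page bound protects the job from a feed whose `next` never becomes empty.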
Resources:
Vulnerability Response - scanner invocation integration
Vulnerability Scanner Invocation is a lightweight integration entry point that supports invoking vulnerability scans from the instance. A third-party vulnerability scanner is called asynchronously to schedule a scan for configuration items or IP addresses.
Use case covered: Make a request to a third-party scanner to scan a CI (using host information derived from the CI) or one or more IP addresses.
Useful capabilities provided:
- Simple framework for defining scanner implementations.
- Consistent way to request scans from catalog items, security incidents, and vulnerable items.
- Automatic updating of tasks with result of scan invocation.
Vulnerability Response - data integration
Vulnerability data integrations are intended to retrieve vulnerability data from third-party vulnerability systems. The expected outputs from these integrations are vulnerability entries and vulnerable items. This integration allows third-party vulnerability scanners to function independently, with the expectation that vulnerabilities can be worked and tracked within the instance.
Use cases covered:
- Retrieve vulnerability libraries
- Retrieve vulnerability/CI pairings
- Synchronize CIs with the vulnerability management system
Useful capabilities provided:
- Decoupled data retrieval/processing for integration component reusability.
- Native support for passing the data returned by a request into data sources (and on to import sets/transform maps).
- Supports multiple data requests per integration (for paginated calls), with the ability to pass context to subsequent calls.
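The following is an added example, not ServiceNow code, of the processing half of a vulnerability data integration: pairing scanner findings with CIs and emitting vulnerable-item rows, with unmatched hosts set aside as CI synchronization candidates. The matching order (IP address, then fully qualified domain name, then NetBIOS name) follows the identifiers the Security Incident Response section lists for CI matching; the CMDB extract, the scanner export rows, and the `VULN-` identifiers are all constructed for the example.

```python
"""Pair third-party scanner findings with CIs and build vulnerable items.

Added example, not ServiceNow code. CMDB rows, findings, vulnerability IDs
and the matching order are constructed assumptions.
"""
from typing import Any, Optional

# Constructed CMDB extract: the identifiers a CI can be matched on.
CMDB = [
    {"sys_id": "ci-001", "ip_address": "10.0.0.5", "fqdn": "web01.corp.example", "netbios": "WEB01"},
    {"sys_id": "ci-002", "ip_address": "10.0.0.9", "fqdn": "db01.corp.example", "netbios": "DB01"},
]

# Constructed scanner export (one row per finding).
FINDINGS = [
    {"host_ip": "10.0.0.5", "hostname": "web01.corp.example", "vuln_id": "VULN-1001", "severity": 4},
    {"host_ip": "10.0.0.5", "hostname": "web01.corp.example", "vuln_id": "VULN-1001", "severity": 4},  # duplicate
    {"host_ip": "10.0.0.77", "hostname": "DB01", "vuln_id": "VULN-2002", "severity": 5},  # IP changed, name still matches
    {"host_ip": "10.0.0.200", "hostname": "unknown-host", "vuln_id": "VULN-3003", "severity": 2},  # no CI
]


class CiIndex:
    """Lookup tables built once from the CMDB extract; matching is O(1) per finding."""

    def __init__(self, cmdb: list[dict[str, str]]):
        self.by_ip = {c["ip_address"]: c["sys_id"] for c in cmdb if c.get("ip_address")}
        self.by_fqdn = {c["fqdn"].lower(): c["sys_id"] for c in cmdb if c.get("fqdn")}
        self.by_netbios = {c["netbios"].upper(): c["sys_id"] for c in cmdb if c.get("netbios")}

    def match(self, finding: dict[str, Any]) -> tuple[Optional[str], Optional[str]]:
        """Return (ci sys_id, method) using IP, then FQDN, then NetBIOS name."""
        ip = finding.get("host_ip")
        if ip and ip in self.by_ip:
            return self.by_ip[ip], "ip"
        name = finding.get("hostname") or ""
        if name.lower() in self.by_fqdn:
            return self.by_fqdn[name.lower()], "fqdn"
        if name.upper() in self.by_netbios:
            return self.by_netbios[name.upper()], "netbios"
        return None, None


def build_vulnerable_items(findings: list[dict[str, Any]], cmdb: list[dict[str, str]]
                           ) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
    """Pair each finding with a CI. A vulnerable item is unique per
    (CI, vulnerability), so repeated scanner rows collapse to one item.
    Findings with no CI are returned separately for CI synchronization."""
    index = CiIndex(cmdb)
    items: dict[tuple[str, str], dict[str, Any]] = {}
    unmatched: list[dict[str, Any]] = []
    for f in findings:
        ci, method = index.match(f)
        if ci is None:
            unmatched.append(f)
            continue
        key = (ci, f["vuln_id"])
        if key not in items:
            items[key] = {"ci": ci, "vulnerability": f["vuln_id"],
                          "severity": f["severity"], "matched_by": method}
        else:
            # Keep the worst severity seen for the same pairing.
            items[key]["severity"] = max(items[key]["severity"], f["severity"])
    return list(items.values()), unmatched


if __name__ == "__main__":
    vulnerable_items, to_sync = build_vulnerable_items(FINDINGS, CMDB)
    for item in vulnerable_items:
        print(item)
    print("hosts needing CI sync:", [f["hostname"] for f in to_sync])
```

The unmatched list is the input to the "synchronize CIs" use case: a host the scanner knows but the CMDB does not is either an asset inventory gap or an unexpected system on the network, and both deserve a record rather than a silently dropped finding.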
Resources: