Security Operations Integration Configurations
Configuring and Managing Integrations
ServiceNow customers can activate and configure these third-party integrations via plugins accessible from a centralized management screen. Additionally, partners can create custom integrations and add corresponding integration cards to the Security Integrations interface.
Additional Resources
For further guidance, ServiceNow provides documentation on integration types, best practices for writing integrations, and troubleshooting common integration issues.
Many of the integrations included in the base system require little or no setup and operate in the same way. Certain integrations, such as the Qualys Cloud Platform, are set up through separate steps. Others support different sets of scan and lookup types and are subject to different rate limits, so check the documentation for each lookup source before relying on it in an automated workflow.
This section describes the differences between the supported integrations and points you to more documentation where needed.
- Carbon Black integration: lets you investigate and respond to security incidents by using the Carbon Black APIs to query, and interact with, the endpoints associated with an incident.
- Check Point Anti-bot - Email Parser integration: uses an email parser that consumes email notifications from Check Point Anti-bot to create security incidents.
- Elasticsearch Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- Have I Been Pwned? integration: lets you quickly search the list of breached accounts (email addresses and usernames) through a RESTful service.
- HPE Security ArcSight ESM - Email Parser integration: uses an email parser that consumes email notifications from HPE ArcSight ESM to create security incidents.
- HPE ArcSight Logger - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- IBM QRadar - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- McAfee ESM - Email Parser integration: uses an email parser that consumes email notifications from McAfee ESM to create security incidents.
- McAfee ESM - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- OPSWAT Metadefender integration: allows threat data detected by the third-party Metadefender scanner to be downloaded into the Threat Intelligence application for tracking, prioritization, and resolution.
- Palo Alto Networks - AutoFocus integration: AutoFocus, a Palo Alto Networks threat intelligence cloud service, lets you search for session information related to security incident observables.
- Palo Alto Networks - Firewall integration: lets you set up and maintain Palo Alto Networks firewalls to prevent known and unknown threats across the network, cloud, and endpoints.
- Palo Alto Networks - WildFire integration: lets you programmatically query analysis jobs on WildFire and retrieve historical results through a simple XML API.
- Qualys Vulnerability Integration: the Qualys Cloud Platform is used in Vulnerability Response and is set up separately from the integrations listed here.
- Splunk - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- VirusTotal integration: used as a lookup source in Threat Intelligence. To use it, you must activate the VirusTotal Integration plugin.
- WhoisXML API integration: provides consistent, well-structured data from a Whois lookup and keeps accurate Whois data accessible 24/7.
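Three of the entries above (Check Point Anti-bot, HPE ArcSight ESM, McAfee ESM) are Email Parser integrations: a vendor's alert e-mail arrives in a mailbox and is turned into a security incident. The following is an added example of that parsing step in plain JavaScript; it is not ServiceNow's or any vendor's code. The sample message, its "Key: Value" body layout, the trusted-sender list and the severity mapping are all constructed assumptions for the example, not any product's real notification format.

```javascript
// Added example (not ServiceNow's code): convert an alert notification e-mail into a
// structured security-incident record, which is what the Email Parser integrations do.
// SAMPLE_EMAIL is CONSTRUCTED for this example; its "Key: Value" body layout is an
// assumption, not any vendor's real notification format.
const SAMPLE_EMAIL = [
  "From: SIEM Alerts <alerts@siem.example.com>",
  "To: secops@example.com",
  "Subject: [ALERT] Bot activity detected on host WS-1042",
  "Date: Mon, 04 Mar 2024 10:15:02 +0000",
  "",
  "Severity: High",
  "Source IP: 10.20.30.44",
  "Destination: 203.0.113.9",
  "Host: WS-1042",
  "Malware: Generic.Bot",
  "File Hash: 44D88612FEA8A8F36DE82E1278ABB02F",
  "",
  "-- automated notification, do not reply",
].join("\r\n");

// Assumption: only mailboxes you control may open incidents; anything else is dropped,
// so a spoofed or forwarded alert cannot create work items on its own.
const TRUSTED_SENDERS = new Set(["alerts@siem.example.com"]);

// Vendor severity words mapped onto a 1 (highest) to 4 (lowest) scale; unknown -> 4.
const SEVERITY_MAP = { critical: 1, high: 2, medium: 3, low: 4 };

// Split RFC 5322-style text at the first blank line into a header map and the body.
function splitMessage(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const m = /^([\w-]+):\s*(.*)$/.exec(line);
    if (m) headers[m[1].toLowerCase()] = m[2].trim();
  }
  return { headers, body: rest.join("\n\n") };
}

// Reduce "Display Name <addr>" or a bare "addr" to the lower-cased address.
function senderAddress(fromHeader) {
  const m = /<([^>]+)>/.exec(fromHeader);
  return (m ? m[1] : fromHeader).trim().toLowerCase();
}

// Parse "Key: Value" body lines into a map; lines that do not fit are ignored.
function parseFields(body) {
  const fields = {};
  for (const line of body.split(/\r?\n/)) {
    const m = /^([A-Za-z][A-Za-z ]*?):\s*(.+)$/.exec(line);
    if (m) fields[m[1].trim().toLowerCase()] = m[2].trim();
  }
  return fields;
}

// Pull observables (IPv4 addresses; MD5, SHA-1 and SHA-256 hashes) out of free text.
function extractObservables(text) {
  const ips = text.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || [];
  const hashes = text.match(/\b(?:[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b/g) || [];
  return {
    ips: [...new Set(ips)],
    hashes: [...new Set(hashes.map((h) => h.toLowerCase()))],
  };
}

// Returns the incident record, or null when the sender is not trusted.
function emailToIncident(raw) {
  const { headers, body } = splitMessage(raw);
  const sender = senderAddress(headers.from || "");
  if (!TRUSTED_SENDERS.has(sender)) return null;
  const fields = parseFields(body);
  const observables = extractObservables(body);
  const primary = observables.hashes[0] || observables.ips[0] || "";
  return {
    short_description: (headers.subject || "Untitled alert").replace(/^\[ALERT\]\s*/i, ""),
    source: sender,
    severity: SEVERITY_MAP[(fields.severity || "").toLowerCase()] || 4,
    host: fields.host || null,
    observables,
    // Correlation key so a re-sent copy of the same alert updates, rather than
    // duplicates, the incident.
    correlation_id: [sender, fields.host || "", primary].join("|"),
  };
}
```

Two details carry most of the value: the sender check means a mail that merely looks like a vendor alert does not open an incident, and the correlation key gives you something stable to match on when the same alert is delivered twice. Hashes are lower-cased before use so that the same indicator written in different cases is treated as one observable.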
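The Incident Enrichment integrations in the list (Elasticsearch, HPE ArcSight Logger, IBM QRadar, McAfee ESM, Splunk) all do the same job: search the log store for an incident's observables and attach what they find as sightings. The block below is an added example of that search, written here for this page and not taken from ServiceNow or any SIEM vendor. The log lines, their syslog-like "key=value" layout, the observable list and the search window are constructed for the example; a real integration would send the equivalent query to the SIEM's API instead of scanning an array.

```javascript
// Added example (not ServiceNow's or any SIEM vendor's code): the log search that an
// Incident Enrichment integration runs for an incident's observables, summarised as
// sightings. SAMPLE_LOGS and the syslog-like "key=value" layout are CONSTRUCTED for
// this example; a real integration would issue the equivalent query to the SIEM's API.
const SAMPLE_LOGS = [
  "2024-03-04T09:58:11Z fw01 allow src=10.20.30.44 dst=203.0.113.9 dport=443",
  "2024-03-04T10:02:45Z fw01 allow src=10.20.30.44 dst=198.51.100.7 dport=443",
  "2024-03-04T10:10:03Z ws-1042 av quarantine file=C:\\Users\\bob\\update.exe md5=44d88612fea8a8f36de82e1278abb02f",
  "2024-03-04T10:14:30Z fw01 deny src=10.20.30.44 dst=203.0.113.9 dport=8080",
  "2024-03-04T10:20:00Z fw01 allow src=10.20.30.4 dst=192.0.2.10 dport=80",
  "2024-03-03T22:40:00Z fw02 allow src=10.0.0.5 dst=203.0.113.9 dport=443",
  "2024-03-04T11:00:00Z proxy01 GET host=updates.example.com client=10.20.30.44",
];

// Observables from a (constructed) incident: two IPs, one file hash, and one IP that
// appears nowhere in the logs.
const SAMPLE_OBSERVABLES = [
  "10.20.30.44",
  "203.0.113.9",
  "44D88612FEA8A8F36DE82E1278ABB02F",
  "198.51.100.99",
];

// Search window for the enrichment query (assumption: the incident's day, in UTC).
const SEARCH_WINDOW = { from: "2024-03-04T00:00:00Z", to: "2024-03-04T23:59:59Z" };

const LOG_RE = /^(\S+)\s+(\S+)\s+(.*)$/; // timestamp, reporting host, message

function parseLog(line) {
  const m = LOG_RE.exec(line);
  return m ? { ts: m[1], host: m[2], msg: m[3] } : null;
}

// ISO-8601 UTC timestamps of equal length sort lexically, so string order is time order.
function inWindow(ts, { from, to }) {
  return ts >= from && ts <= to;
}

// Find every event in the window that mentions the observable as a whole token.
// Token match, not substring, so 10.20.30.4 is not counted as a sighting of 10.20.30.44.
function searchObservable(value, logs, window) {
  const needle = value.toLowerCase();
  const hits = [];
  for (const line of logs) {
    const ev = parseLog(line);
    if (!ev || !inWindow(ev.ts, window)) continue;
    const tokens = ev.msg.toLowerCase().split(/[\s=,;]+/);
    if (tokens.includes(needle)) hits.push(ev);
  }
  return hits.sort((a, b) => (a.ts < b.ts ? -1 : a.ts > b.ts ? 1 : 0));
}

// Summarise hits the way a sighting record would be attached to the incident.
function summariseSightings(hits, sampleSize = 3) {
  return {
    count: hits.length,
    first_seen: hits[0].ts,
    last_seen: hits[hits.length - 1].ts,
    hosts: [...new Set(hits.map((h) => h.host))].sort(),
    // Only a capped sample of raw events is kept; a SIEM query can return thousands.
    sample: hits.slice(0, sampleSize).map((h) => `${h.ts} ${h.host} ${h.msg}`),
  };
}

// Enrich: one sighting summary per observable that was actually seen, plus a total.
function enrichIncident(observables, logs, window) {
  const sightings = {};
  for (const value of observables) {
    const hits = searchObservable(value, logs, window);
    if (hits.length > 0) sightings[value.toLowerCase()] = summariseSightings(hits);
  }
  const total = Object.values(sightings).reduce((n, s) => n + s.count, 0);
  return { sightings, sighting_count: total };
}
```

Whole-token matching, a bounded time window and a capped event sample are the three choices that keep this kind of enrichment honest: a substring match over-counts neighbouring addresses, an unbounded search attaches stale activity to a fresh incident, and storing every matching event on the incident record turns a sighting summary into a second copy of the SIEM.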