Security Operations Integration Configurations
Summary of Security Operations Integration Configurations
ServiceNow Security Operations includes various integrations that connect with third-party security tools to enhance incident investigation, enrichment, and response. While many integrations work with minimal setup, some, like Qualys Cloud Platform, require additional configuration steps. These integrations support different types of scans, lookups, and API rate limits, enabling you to enrich security incidents with relevant external data.
Supported Integrations and Their Functions
- Carbon Black: Enables querying and interacting with endpoints via Carbon Black APIs to investigate and respond to incidents.
- Check Point Anti-bot - Email Parser: Consumes email alerts to create security incidents automatically.
- Elasticsearch Incident Enrichment: Searches logs to add sighting information to security incidents.
- Have I been pwned?: Provides quick lookups of breached accounts using a RESTful service.
- HPE Security ArcSight ESM - Email Parser: Parses email notifications to create incidents.
- HPE ArcSight Logger - Incident Enrichment: Adds relevant log-based sighting information to incidents.
- IBM QRadar - Incident Enrichment: Enriches incidents with log search results.
- McAfee ESM - Email Parser & Incident Enrichment: Parses emails and enriches incidents from logs.
- OPSWAT Metadefender: Downloads third-party threat data to Threat Intelligence for tracking and prioritization.
- Palo Alto Networks:
  - AutoFocus: Searches for session data related to incident observables.
  - Firewall: Manages firewalls to prevent threats across networks, cloud, and endpoints.
  - WildFire: Queries and retrieves malware analysis results programmatically.
- Qualys Vulnerability Integration: Used in Vulnerability Response for scanning and tracking vulnerabilities.
- Splunk - Incident Enrichment: Adds log-based sighting information to incidents.
- VirusTotal: Used in Threat Intelligence; requires activation of the VirusTotal Integration plugin.
- WhoisXML API: Provides continuous access to structured Whois lookup data.
Activation and Configuration
All third-party integrations can be activated via plugins and configured from a centralized interface within Security Operations. Partners developing new integrations can create and add integration cards to the Security Integrations screen for easy management.
Practical Benefits
- Enhances security incident investigation and response by integrating external threat intelligence and log data.
- Automates incident creation from email alerts and threat data feeds.
- Supports a wide range of popular security tools to provide comprehensive visibility and enrichment.
- Enables customization and extension of integrations to fit specific organizational needs.
Many of the integrations included in the base system require little or no setup and operate in the same way. Certain integrations, however, such as the Qualys Cloud Platform, require separate steps to set up the integration. Others support different sets of scan and lookup types and different API rate limits.
This section describes the differences between the supported integrations and points you to more documentation, as needed.
- Carbon Black integration: allows you to investigate and respond to security incidents by using the Carbon Black APIs to query and interact with endpoints associated with security incidents.
- Check Point Anti-bot - Email Parser integration: uses an email parser that consumes email notifications from Check Point Anti-bot to create security incidents.
- Elasticsearch Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- Have I been pwned? integration: allows the list of breached accounts (email addresses and usernames) to be quickly searched via a RESTful service.
- HPE Security ArcSight ESM - Email Parser integration: uses an email parser that consumes email notifications from HPE ArcSight ESM to create security incidents.
- HPE ArcSight Logger - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- IBM QRadar - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- McAfee ESM - Email Parser integration: uses an email parser that consumes email notifications from McAfee ESM to create security incidents.
- McAfee ESM - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- OPSWAT Metadefender integration overview: allows threat data, detected by the third-party Metadefender scanner, to be downloaded to the Threat Intelligence application for tracking, prioritization, and resolution.
- Palo Alto Networks - AutoFocus integration: Palo Alto Networks AutoFocus, a threat intelligence cloud service, allows you to search for session information related to security incident observables.
- Palo Alto Networks - Firewall integration: Palo Alto Networks Firewall allows you to set up and maintain firewalls for preventing known and unknown threats across the network, cloud, and endpoints.
- Palo Alto Networks - WildFire integration: the WildFire integration allows you to programmatically query analysis jobs on WildFire and retrieve historical results through a simple XML API interface.
- Understanding the Qualys Vulnerability Integration: Qualys Cloud Platform is used in Vulnerability Response.
- Splunk - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
- VirusTotal integration: used in Threat Intelligence. To use this lookup source, you must activate the VirusTotal Integration plugin.
- WhoisXML API integration setup: provides consistent, well-structured data from a Whois lookup and keeps accurate Whois data accessible 24/7.