Security incidents created from events and alerts

When the Event Management application is activated, internal and external alert monitoring tools, such as Splunk, can send security events to the security incident response system. Event Management processes the events first, groups them into alerts, and then applies predefined alert rules to those alerts to create security incidents.

In the Alert Rules module of the Event Management application, the Create security incidents from critical alerts alert rule triggers the automatic creation of security incidents when critical security-related events are received from within ServiceNow or from third-party monitoring applications. After the security incident has been created, it will be updated as new events are received. The task template for this alert rule can be modified to change the conditions that must be met to create security incidents.

Alternatively, if you are a user with the Security Admin role, you can manually create a security incident by clicking the Create Security Incident button on the Event Management Alerts form.

It is important that the events received from the external tool include the following information:
  • The node, set to the name of the affected CI.
  • The event classification, set to Security to distinguish the event from other IT events.
  • The event description, which populates the description of the security incident.
  • The additional information, which must contain a string that maps field names to their expected values in the following JSON format:

    { "fieldName" : "fieldValue", "fieldName" : "fieldValue" }

Note: If the event string identifies a field with a value and the corresponding field in the security incident is empty, the value populates that field. If the field in the security incident is not empty, its current value is kept (that is, it is not overwritten with the value from the event). In either case, the event and all the fields and values encoded in the additional information are recorded in a work notes entry describing the event. If the event changes nothing in the security incident, no work note entry is created.