Security incident command

The Security Incident command, snsecincident, creates a Security Incident in your ServiceNow instance from the results of a Splunk search. The values for the incident are taken from the parameters listed below.

The following example (Figure 1) sets the required parameter together with some optional fields and shows the result of a successful run: the search completes and no error message is returned.

Figure 1. Search & Reporting for an incident (screenshot: a new search for an incident)
Parameter           Required   Use
short_description   Yes        A short, one-line description of the incident.
category            No         The category of the security incident. If the category does not exist in ServiceNow, it is created.
subcategory         No         The subcategory of the security incident. If the subcategory does not exist, it is created.
cmdb_ci             No         The configuration item for the security incident. Ideally this value matches an existing CI in the ServiceNow CMDB so that the incident is linked to it.
description         No         The longer, detailed description of the incident.

Many other columns can be passed as parameters: any field that is mapped in the Security Incident transform map is accepted. Columns you add to the security incident table are accepted as well, provided you also add them to the transform map. Some useful columns are location, priority, assignment_group, assigned_to, affected_user, attack_vector, and watch_list.
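The following search is an added example; it is not taken from the original page or from the ServiceNow integration's own documentation. It raises a single security incident from aggregated firewall events rather than one per raw event, and fills in several of the optional columns listed above. It assumes that snsecincident reads each parameter from a field of the same name on the events piped into it, that an index named firewall with the fields src_host, dest_ip and action exists in your Splunk deployment, and that the category, subcategory, assignment group, attack vector and CI values used here match your ServiceNow instance; all of those are assumptions for the sake of the example.

```spl
index=firewall action=blocked earliest=-15m
| stats count AS blocked_connections, dc(dest_ip) AS distinct_destinations, values(dest_ip) AS dest_ips BY src_host
| where blocked_connections > 100
| eval short_description="Blocked outbound burst from " . src_host . " (" . blocked_connections . " connections in 15m)",
       description="Host " . src_host . " generated " . blocked_connections . " blocked outbound connections to " . distinct_destinations . " distinct destinations: " . mvjoin(dest_ips, ", "),
       category="Network",
       subcategory="Suspicious Outbound Traffic",
       cmdb_ci=src_host,
       priority="2",
       assignment_group="Security Operations",
       attack_vector="Network"
| snsecincident
```

Two points worth keeping in mind when adapting this. First, aggregate with stats before calling snsecincident so that one noisy host produces one incident rather than one incident per blocked connection. Second, because a category or subcategory that does not exist in ServiceNow is created on the fly, a typo in the eval (for example "Netwrok") silently creates a new category instead of failing, so keep these values in a lookup or a macro rather than retyping them in every search.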