
Security incident command

The Security Incident command, snsecincident, creates a Security Incident in your ServiceNow instance.

The following example defines the required parameters, as well as some additional data, and shows the result (no error message) after a successful run.

Figure 1. Search & Reporting for an incident (screenshot of a new search for an incident; image not reproduced)
Parameter | Required | Use
short_description | Yes | A short, one-line description of the incident.
category | No | The category of the security incident. If this category does not exist, it is created.
subcategory | No | The subcategory. If this subcategory does not exist, it is created.
cmdb_ci | No | The configuration item for the security incident. Ideally, this item maps to an existing CI within ServiceNow.
description | No | The longer, detailed description of the incident.

Many other columns can be useful: any column in the Security Incident transform map can be passed as a parameter. Columns added to the security incident table later are accepted as well, provided they are also added to the transform map. Some useful columns: location, priority, assignment_group, assigned_to, affected_user, attack_vector, and watch_list.
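The following is an added example, not code from the ServiceNow add-on or from this page. It builds a validated snsecincident invocation from a dictionary of alert fields, so that a detection search can hand off to the command without a missing short_description or an unescaped quote silently corrupting the incident. It assumes the command takes key="value" arguments (the page lists the parameter names but not the invocation syntax) and that double quotes inside a value are escaped with a backslash, as in standard SPL string literals; the alert fields and hostnames are constructed for the example.

```python
"""Build a validated `| snsecincident ...` search fragment from alert fields.

Added example (not the add-on's own code). Assumptions:
- the command is invoked as `| snsecincident key="value" key="value" ...`;
- inside a double-quoted SPL value, `"` is escaped as `\"` and `\` as `\\`.
"""
import re

# Required by the command (see the parameter table on the page).
REQUIRED = {"short_description"}
# Parameters documented in the table, plus the "useful columns" the page lists.
DOCUMENTED = {"short_description", "category", "subcategory", "cmdb_ci", "description"}
COMMON_EXTRA = {
    "location", "priority", "assignment_group", "assigned_to",
    "affected_user", "attack_vector", "watch_list",
}
# Column names are snake_case ServiceNow field names; anything else is rejected
# so a caller cannot smuggle SPL syntax in through a key.
COLUMN_NAME = re.compile(r"[a-z][a-z0-9_]*")


def quote(value) -> str:
    """Return value as a double-quoted SPL literal with embedded quotes escaped."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def unlisted_columns(fields: dict) -> list:
    """Columns not named on the page. They may still be valid if they are in the
    Security Incident transform map, so they are reported, not rejected."""
    return sorted(set(fields) - DOCUMENTED - COMMON_EXTRA)


def build_snsecincident(fields: dict) -> str:
    """Return the `| snsecincident ...` fragment, or raise ValueError."""
    missing = REQUIRED - set(fields)
    if missing:
        raise ValueError(f"missing required parameter(s): {sorted(missing)}")
    for name in fields:
        if not COLUMN_NAME.fullmatch(name):
            raise ValueError(f"invalid column name: {name!r}")
    # short_description first for readability, remaining columns alphabetically.
    ordered = sorted(fields, key=lambda k: (k != "short_description", k))
    args = " ".join(f"{k}={quote(fields[k])}" for k in ordered)
    return f"| snsecincident {args}"


# Constructed alert, as a detection search might produce it. The embedded
# double quotes in short_description exercise the escaping.
EXAMPLE_FIELDS = {
    "short_description": 'Repeated failed SSH logins from 203.0.113.5 against "web-01"',
    "category": "Intrusion",
    "cmdb_ci": "web-01",
    "description": "27 failed logins in 5 minutes from a single source address",
    "priority": 2,
}

if __name__ == "__main__":
    print(build_snsecincident(EXAMPLE_FIELDS))
    print("columns not listed on the page:", unlisted_columns(EXAMPLE_FIELDS))
    try:
        build_snsecincident({"category": "Intrusion"})
    except ValueError as err:
        print("rejected:", err)
```

The fragment this produces is appended to the search that generated the alert, for example after a stats or where clause that yields one row per incident. Rejecting malformed column names and escaping values keeps an attacker-controlled field (a username or hostname from the log) from adding or overriding parameters on the incident.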

Product: Security Operations, ServiceNow Security Operations add-on for Splunk. Version: Istanbul.