Types of ServiceNow integrations provided

The Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response) can be seamlessly integrated with other ServiceNow applications to enhance their functionality.

The following integrations are provided in the Security Operations base system.

Security Incident Response - Event Management integration

The capabilities of the Event Management application have been expanded to support Security Incident Response. The Security Incident Response Event Management support plugin automatically parses the contents of events in Event Management to populate fields in security incidents.

Use case covered:

  • Creation of security events in the Event Management system from Security Information and Event Management (SIEM) tools

Useful capabilities provided:

  • Event management functionality – event correlation, event rules, and alert rules
  • Automatic mapping of additional_information values to resulting security incident

Resources:

Security Incident event management support documentation

Event Management documentation

Security Incident Response - Import Set API integration

In addition to using Event Management to push security-related events, the Security Incident Response application provides an Import Set API that allows direct creation of security incidents. The REST endpoint for the Security Incident Import Set is http://localhost:8080/api/now/import/sn_si_incident_import.

This integration technique is useful when Event Management is not installed, or when you simply want to create security incidents without going through the event > alert > security incident flow that Event Management requires.
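As an added example that is not part of the ServiceNow documentation, the following Python script posts one row to the Security Incident Import Set endpoint named above and reduces the API response to a per-row status. The credentials, the staging-table column names, and the sample response are assumptions or constructed values; check the columns of sn_si_incident_import on your instance before sending real data.

```python
"""Create a security incident via the Security Incident Import Set API (added example)."""
import base64
import json
import urllib.request

# Endpoint from the documentation; replace the host with your instance.
IMPORT_SET_URL = "http://localhost:8080/api/now/import/sn_si_incident_import"


def build_request(url, user, password, record):
    """Return a urllib Request that POSTs one staging-table row as JSON with basic auth."""
    body = json.dumps(record).encode("utf-8")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": "Basic " + token,
        },
    )


def summarize_result(response_json):
    """Reduce an Import Set API response to (status, display_value, detail) per transformed row.

    Rows that failed to transform carry an error message instead of a sys_id, so the
    caller can surface SIEM events that did not become security incidents.
    """
    rows = []
    for r in response_json.get("result", []):
        status = r.get("status", "unknown")
        detail = r.get("error_message") if status == "error" else r.get("sys_id")
        rows.append((status, r.get("display_value"), detail))
    return rows


def create_security_incident(user, password, record, url=IMPORT_SET_URL):
    """Send one staging row and return the summarized transform result (needs network)."""
    req = build_request(url, user, password, record)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return summarize_result(json.load(resp))


if __name__ == "__main__":
    # Column names below are assumptions; the SIEM would supply real values.
    print(create_security_incident("integration.user", "CHANGE_ME",
                                   {"short_description": "Suspicious login from SIEM rule",
                                    "description": "Constructed demo event"}))
```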

Use case covered:

  • Creation of security incidents directly from SIEM tools

Useful capabilities provided:

  • Automatic CI matching on Security Incident creation based on IP, NetBIOS, or fully qualified domain name

Resources:

Platform Import Set API documentation

Security Incident Web Service Import Set documentation

Threat Intelligence - lookup source integration

Lookup sources provide the ability to send data to an external lookup service to determine whether that data is malicious. Generally, the data is an IP address, URL, file, or file hash.

Use case covered:

  • Look up an IP address, URL, file, or hash with an external lookup service

Useful capabilities provided:

  • Consistent way to request lookups from catalog items and security incidents
  • Rate limiting and throttling capabilities provided with little/no coding
  • Automatic creation of Indicators of Compromise (IoC) observable entries for any issues found by lookup sources

Resources:

Lookup Source documentation

Threat Intelligence - threat source integration

Threat sources provide the ability to pull in data from external threat intelligence repositories. This data is then imported into the various Indicators of Compromise tables that exist within the system. TAXII collections and simple blocklists are supported natively. Adding a new TAXII collection (or a profile based on a discovery or collection management service) is as simple as adding an entry. Similarly, adding a new simple, single-column blocklist is a matter of entering a new record and providing the URL of the blocklist. For more complicated sets of data, a custom integration can be provided to make a call to a URL and parse the response.

Use case covered:

  • Retrieve data from a threat intelligence source to load into IoC tables

Useful capabilities provided:

  • Support for simple blocklists and TAXII collections with no coding
  • Simple mechanism for executing REST messages for retrieving data
  • Decoupled data retrieval/processing for integration component reusability
  • Native support for processing returned data or passing it on to data sources (and to import sets/transform maps)
  • Supports multiple data requests per integration (for paginated calls) with the ability to pass context to subsequent calls

Resources:

Define a threat source

Vulnerability Response - scanner invocation integration

Vulnerability Scanner Invocation is a lightweight integration entry point that supports invoking vulnerability scans from the instance. A third-party vulnerability scanner is called asynchronously to schedule a scan for configuration items or IP addresses.

Use case covered:

  • Make a request to a third-party scanner to scan a CI (using host information derived from the CI) or one or more IP addresses

Useful capabilities provided:

  • Simple framework for defining scanner implementations
  • Consistent way to request scans from catalog items, security incidents, and vulnerable items
  • Automatic updating of tasks with result of scan invocation

Resources:

Third-party vulnerability scanner documentation

Vulnerability Response - data integration

Vulnerability data integrations are intended to retrieve vulnerability data from third-party vulnerability systems. The expected outputs from these integrations are vulnerability entries and vulnerable items. This integration allows third-party vulnerability scanners to function independently, with the expectation that vulnerabilities can be worked and tracked within the instance.

Use cases covered:

  • Retrieve vulnerability libraries
  • Retrieve vulnerability/CI pairings
  • Synchronize CIs with vulnerability management system

Useful capabilities provided:

  • Decoupled data retrieval/processing for integration component reusability
  • Native support for processing returned data or passing it on to data sources (and to import sets/transform maps)
  • Supports multiple data requests per integration (for paginated calls) with the ability to pass context to subsequent calls

Resources:

Vulnerability data integration documentation