Security Operations common functionality

Whenever any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated. This plugin loads various modules that provide functionality that is common across all Security Operations applications.

Note: Only users with the [sn_sec_cmn.admin] can view and use the Security Operations module. This role is inherited when you are assigned an administrative role in any of the Security Operations applications.

Security Operations Modules

Feature Description
Security Operations integrations Several integrations are included with the Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response). This section provides instructions for activating the plugins and configuring both ServiceNow and third-party integrations. Also included are some basic guidelines for developing your own integrations, as well as details on specific integrations included in the base system.
Security Operations email processing You can set up the integration of information from external detection systems, provide granularity in processing security operations records, handle unmatched emails, and prevent duplication of records using Email Processing.
Filter Groups
Create and use filter groups to locate records from any table on your instance. For example, you can create a group of all computers by the same manufacturer. You can also filter configuration items (CIs) that have similar vulnerabilities or that fall within a particular subnet IP address range.
You can create an escalation path for security incidents for issues requiring more attention or expertise. Once an escalation group exists, a button appears on any security incident in that group.
Security Tags
Security tag rules provide filtering for security tag access.
View Security Workflows
You can view the many workflows included with the Security Operations applications. You can create workflows from templates and in the Workflow Editor.
Workflow Triggers
Security Operations workflow triggers contain a condition on a table. All workflows attached to the workflow trigger record run when the condition is met.
Enrichment Data Mapping
Enrichment Data Mapping transforms data from XML, JSON, or Properties files to ServiceNow records. Security Operations workflows use enrichment data maps and provide output data to security incidents.
Field Value Transforms
Transforms unique customer field values into field values recognized by Security Operations email parsing, data enrichment or tables using field maps. Supports choice fields, references, and aligns external data into the standard terminology and format for your new record.
Field Mapping
Security Operations tables can be mapped to and from other tables, linking a security incident to a customer service case or a problem to other parts of the Security Operations system. For example, you can integrate a plugin to a Security Incident Response task.
On-Demand Orchestration
During Security Incident Response analysis, a security analyst may want to perform a task that is driven by a security incident workflow. For example, run a process dump on a particular CI. This can be accomplished with on-demand orchestration.
Operating Systems Groups
SecOps Application Registry
CI Identifier Rules
CI identifiers are rules used to lookup a configuration item (CI) in the CMDB that contains matching information from a third-party integration. These rules define the fields that contain matching data and the order of precedence by which they are evaluated. The lowest Order value is evaluated first.