    Security Incident Response integrations

    The Security Incident Response base system includes integrations with third-party security products: endpoint detection and response tools, SIEM platforms, threat intelligence services, firewalls and email systems. This section provides instructions for activating the plugins and configuring both the ServiceNow side and the third-party side of each integration. The instructions you use depend on the version of London you are running.

    Integration configurations

    The base system includes a series of "cards", one for each integration implementation you can activate and use. Cards are also displayed for any integrations posted on the ServiceNow Store that depend on Security Operations plugins. To view the integration cards, select Security Operations > Integration Configurations.
    Figure: Security Integrations
    You can filter the visible integrations using the Category drop-down menu. The Show Configurations drop-down menu lists the individual configurations of those integrations that allow more than one configuration.

    Buttons on integration cards

    Integration cards display different buttons depending on the current state of the integration and the source of the card. The cards let you install plugins (where applicable) and configure the implementations for use.

    Install Plugin: Click this button to install the applicable plugin and activate the integration. After the plugin is installed, the button changes to Configure.
    Configure: Click this button to enter the information that configures the integration. For some integrations, you must enter API keys or URLs obtained from the third-party product. Treat those API keys as credentials: generate them for a dedicated service account that has only the permissions the integration needs, rather than reusing an administrator's key.
    New: Certain integrations, such as Carbon Black and IBM QRadar, allow you to define multiple implementations of the same integration. For those integrations, click New after the plugin is activated.
    Open Page: In the base system, your instance queries the ServiceNow Store for applications that depend on Security Operations plugins. When such applications are found and their plugins are activated, integration cards for them are displayed alongside the other security integration cards. Click Open Page to open the third-party application's website and configure the integration there. After you have completed the configuration, the Open Page button changes to Configure.
    • Carbon Black - Incident Enrichment integration

      Use the Carbon Black integration to investigate and respond to security incidents using APIs to query and interact with endpoints associated with security incidents.

    • Carbon Black integration

      The Carbon Black integration enables you to investigate and respond to security incidents using APIs to query and interact with endpoints associated with security incidents.

    • Check Point Next Generation Threat Prevention integration

      This document describes the steps required to integrate Check Point Next Generation Threat Prevention (NGTP) capabilities with ServiceNow® Security Incident Response (SIR) so that the two products work together.

    • Check Point Anti-bot - Email Parser integration

      Check Point Anti-bot - Email Parser integration is supported using an email parser that consumes email notifications from Check Point Anti-bot to create security incidents and drive enrichment and response workflows.

    • CrowdStrike Falcon Host integration

      The CrowdStrike Falcon Host integration allows you to push the observables of a security incident into a Falcon Host watchlist, so that Falcon Host raises additional alerts when those observables are seen again. This integration is an implementation of the CrowdStrike Falcon Host - Publish to Watchlist workflow.

    • Elasticsearch Incident Enrichment integration

      The Elasticsearch - Incident Enrichment integration searches your logs and adds relevant sighting information to your security incidents.

    • HPE Security ArcSight ESM - Email Parser integration

      The HPE Security ArcSight ESM - Email Parser integration is supported using an email parser that consumes email notifications from ESM to create security incidents.

    • HPE ArcSight Logger - Incident Enrichment integration

      The HPE ArcSight Logger - Incident Enrichment integration searches your logs and adds relevant sighting information to your security incidents.

    • Hybrid Analysis integration

      Hybrid Analysis is an open online community in which users analyze files and URLs for threats. You share results and use research from the community for more effective incident response. When integrated with the Now Platform Security Operations product, the shared threat intelligence provides additional insight into the severity of specific observables.

    • IBM QRadar - Incident Enrichment Integration

      The IBM QRadar - Incident Enrichment integration searches your logs and adds relevant sighting information to your security incidents.

    • LogRhythm integration

      The LogRhythm Enterprise integration with the Now Platform® Security Incident Response (SIR) product allows Security Operations Center (SOC) analysts to generate Security Incident Response (SIR) incidents automatically when certain configured LogRhythm alarms are triggered.

    • McAfee ePO integration

      When the McAfee ePO capabilities are integrated with the Security Incident Response (SIR) product of your Now Platform® instance, security operations center (SOC) analysts are provided with an endpoint detection and response (EDR) capability that helps them identify cyber threats and repair the damage caused by malicious files.

    • McAfee ESM - Email Parser integration

      The McAfee ESM - Email Parser integration is supported by an email parser that consumes email notifications from McAfee ESM to create security incidents.

    • McAfee ESM - Incident Enrichment Integration

      McAfee ESM - Incident Enrichment integration searches your logs and adds relevant sighting information to your security incidents.

    • Microsoft Exchange Online integration

      With the Microsoft Exchange Online integration application by ServiceNow, the Now Platform® Security Incident Response (SIR) product is integrated with Microsoft Exchange Online, one of the cloud-based services in the Microsoft Office 365 suite. Your Security Operations Center (SOC) analysts can search the corporate email environment for security-related threats and remove phishing emails with the email search and delete capabilities.

    • Microsoft Exchange On-Premises integration

      The Microsoft Exchange On-Premises integration provides tools for security analysts to contain and eradicate phishing and spear phishing email threats in on-premises instances.

    • Palo Alto Networks - AutoFocus integration

      The base system includes a workflow and a series of workflow activities you can use to integrate Palo Alto Networks - AutoFocus with your instance.

    • Palo Alto Networks - Firewall integration

      The Palo Alto Networks - Firewall integration requires a MID Server configured with SSH credentials for the firewall. If a firewall is not already set up, add one.

    • Palo Alto Networks - WildFire integration

      Palo Alto Networks - WildFire is a cloud-based malware analysis service that works with your Palo Alto Networks firewall.

    • Palo Alto Networks next-generation firewall integration

      Once installed and configured, the security incident analyst uses this integration to block malicious IP addresses, URLs, and domains through the External Dynamic List (EDL) capability of the firewall, from within the ServiceNow Security Incident Response (SIR) product. The analyst creates EDL entries from observables determined to be malicious on SIR security incidents.

    • PhishTank integration

      PhishTank is a community-based phishing verification system into which users submit suspected threats, and other users in the system vote to determine whether the phishing threats are legitimate. When integrated with the Now Platform Security Operations product, the threat intelligence results provide analysts with additional insight into phishing-related security incidents or investigations.

    • Reverse Whois integration

      Reverse Whois is a service that searches in the opposite direction from a normal WHOIS lookup: given an individual or organization, it returns the domain names registered to them.

    • RISKIQ and WHOISIQ integration

      With the integration of RISKIQ and WHOISIQ APIs with the Now Platform® Security Operations product, security analysts are provided with additional enrichment data and insight into the validity of websites.

    • Security Operations Have I been pwned? integration

      The Security Operations Have I been pwned? integration enables you to submit lookups on domain names and email addresses to determine whether user personal data has been compromised by data breaches.

    • Shodan integration

      Shodan is a search engine that indexes service banner information from internet-connected devices around the globe. Service banners include information about a system such as host name, device type, operating system, geographic location, and connected ISP. When integrated with the Now Platform Security Operations product, this service banner information provides analysts with additional enrichment data and insight for security incidents or investigations.

    • Get started with the ServiceNow Security Operations add-on for Splunk

      The ServiceNow Security Operations add-on for Splunk allows a Splunk software administrator to collect data from ServiceNow and create incidents and events in ServiceNow. It is installed from Splunkbase.

    • Splunk Enterprise Event Ingestion integration for Security Operations by ServiceNow

      The Splunk Enterprise event and alert data integration with the Security Incident Response (SIR) product allows security incident analysts to collect and process security logs and related event data. Data is collected in real-time, and it is used by analysts to identify and report on potential cyber threats. The security events that are collected can be processed into triggered alerts that are ingested automatically with this integration. Also, individual security events can be manually forwarded on-demand from the Splunk Enterprise search and reporting interface into the Security Incident Response product of the Now Platform to create security incidents.

    • Splunk - Incident Enrichment integration

      The Splunk - Incident Enrichment integration searches your logs and adds relevant sighting information to your security incidents.

    • Tanium Endpoint Platform integration

      The Tanium Endpoint Platform integration uses a workflow and workflow activities to return the running processes on affected CIs.

    • Tanium Integration V2

      When the Tanium endpoint security product is integrated with the Now Platform Security Incident Response (SIR) product through Tanium Integration V2, security operations center (SOC) analysts gain an Endpoint Detection and Response (EDR) capability for identifying cyber threats and protecting their company's endpoints (assets) from compromise. Analysts use the configuration item (CI) enrichment results from queries to search across their networks and determine whether assets have been compromised, and they quarantine assets with the host isolation capability for further investigation and remediation.

    • Threat Crowd integration

      Threat Crowd is powered by AlienVault and is part of an open Threat Intelligence community that permits global collaboration and sharing of cyber threats. Users share IP addresses or websites from which attacks have originated, or look up specific threats to see whether anyone in the community has provided information about them and determined them to be malicious. When integrated with the ServiceNow® Security Operations product, the community threat intelligence results provide analysts with additional insight for security incidents or investigations.
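The three email parser entries in the list above (Check Point Anti-bot, HPE ArcSight ESM and McAfee ESM) all turn notification mails into security incidents. The following is an added example, not code from this page, from ServiceNow or from any of those vendors, of the checks such a parser should make before an incident is created: the message layout, the field names, the trusted sender address and the severity mapping are assumptions made for the example, and the final step of writing the incident record to the instance is left out.

```javascript
// Added example (not ServiceNow or vendor code): the gatekeeping an inbound
// email parser needs before a SIEM notification becomes a security incident.
// Layout, field names, trusted sender and severity scale are assumptions.

const TRUSTED_SENDER = 'siem-alerts@corp.example';   // assumed configured value

// Severity scale of the (assumed) SIEM notification -> incident severity label.
const SEVERITY_MAP = { critical: 'High', high: 'High', medium: 'Medium', low: 'Low' };
const REQUIRED = ['alert id', 'severity', 'rule'];

// Split a raw message into headers and "Key: Value" body fields.
function parseNotification(raw) {
  const [head, ...rest] = raw.replace(/\r\n/g, '\n').split('\n\n');
  const headers = {};
  for (const line of head.split('\n')) {
    const m = /^([\w-]+):\s*(.*)$/.exec(line);
    if (m) headers[m[1].toLowerCase()] = m[2].trim();
  }
  const fields = {};
  for (const line of rest.join('\n\n').split('\n')) {
    const m = /^([^:]+):\s*(.*)$/.exec(line);
    if (m) fields[m[1].trim().toLowerCase()] = m[2].trim();
  }
  return { headers, fields };
}

// Pull a bare address out of "Name <addr>" or "addr".
function senderAddress(from) {
  const m = /<([^>]+)>/.exec(from || '');
  return (m ? m[1] : from || '').trim().toLowerCase();
}

// Decide what to do with one notification. `seen` holds alert ids already
// turned into incidents, so a re-sent mail does not open a second incident.
function toSecurityIncident(raw, seen) {
  const { headers, fields } = parseNotification(raw);
  // The From header is attacker-controllable; this check only stops accidents.
  // Spoofed mail is for SPF/DKIM/DMARC enforcement on the inbound mail path.
  const sender = senderAddress(headers.from);
  if (sender !== TRUSTED_SENDER) {
    return { action: 'reject', reason: `untrusted sender ${sender || '(none)'}` };
  }
  const missing = REQUIRED.filter(k => !fields[k]);
  if (missing.length) return { action: 'reject', reason: `missing field(s): ${missing.join(', ')}` };
  const severity = SEVERITY_MAP[fields.severity.toLowerCase()];
  if (!severity) return { action: 'reject', reason: `unknown severity ${fields.severity}` };
  if (seen.has(fields['alert id'])) return { action: 'skip', reason: 'duplicate alert id' };
  seen.add(fields['alert id']);
  // Observables are carried as strings here; validating them is a later step.
  const observables = (fields['source ip'] ? [fields['source ip']] : [])
    .concat(fields['destination host'] ? [fields['destination host']] : []);
  return {
    action: 'create',
    incident: {
      short_description: `[SIEM ${fields['alert id']}] ${fields.rule}`,
      severity,
      observables,
      source_subject: headers.subject || '',
    },
  };
}

// Constructed sample messages (not real product output).
const GOOD_MAIL = [
  'From: SIEM <siem-alerts@corp.example>',
  'Subject: Alarm: Outbound C2 beacon',
  '',
  'Alert ID: 48121',
  'Severity: High',
  'Rule: Outbound C2 beacon',
  'Source IP: 192.0.2.77',
  'Destination Host: c2.bad.example',
].join('\n');
const SPOOFED_MAIL = GOOD_MAIL.replace('siem-alerts@corp.example', 'siem-alerts@corp-example.test');
const INCOMPLETE_MAIL = GOOD_MAIL.replace('Severity: High\n', '');

const seen = new Set();
console.log(toSecurityIncident(GOOD_MAIL, seen));            // create
console.log(toSecurityIncident(GOOD_MAIL, seen));            // skip: duplicate
console.log(toSecurityIncident(SPOOFED_MAIL, new Set()));    // reject: sender
console.log(toSecurityIncident(INCOMPLETE_MAIL, new Set())); // reject: missing field
```

The sender check is deliberately described as a guard against misconfiguration rather than against an attacker: anyone who can deliver mail to the instance's inbound address can write any From header, so the inbound mail path must enforce sender authentication before an email-driven parser is allowed to open incidents and start response workflows.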

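For the Palo Alto Networks next-generation firewall entry in the list above, the following added example (not code from this page, from ServiceNow or from Palo Alto Networks) builds the typed External Dynamic List files from observables flagged malicious on an incident. The observable input shape, the list names and the rule that URL entries are written without a scheme are assumptions made for the example. The refusal of private and reserved IPv4 addresses is the check a practitioner wants: an EDL that contains an internal address blocks internal traffic as soon as the firewall fetches it.

```javascript
// Added example (not ServiceNow or Palo Alto Networks code): turn observables
// an analyst has marked malicious into the plain-text EDL files a PAN-OS
// firewall fetches. EDLs are typed (IP, domain, URL), so each observable is
// routed to the list of its own type; invalid entries are reported rather than
// silently dropped, and private/reserved IPv4 addresses are refused.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/;
const DOMAIN_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
const URL_RE = /^(?:https?:\/\/)?([a-z0-9.-]+)(\/[^\s]*)$/i;

// RFC 1918, loopback, link-local and "this network" ranges: publishing these
// in a blocklist cuts off internal traffic, so refuse them outright.
function isReservedIPv4(a, b) {
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Classify one observable into the EDL type it belongs to.
// Returns { type, entry } or { type: 'invalid', reason }.
function classify(raw) {
  const value = String(raw).trim();
  let m = IPV4_RE.exec(value);
  if (m) {
    const octets = m.slice(1, 5).map(Number);
    if (octets.some(o => o > 255)) return { type: 'invalid', reason: 'octet out of range' };
    if (m[5] !== undefined && Number(m[5]) > 32) return { type: 'invalid', reason: 'prefix length out of range' };
    if (isReservedIPv4(octets[0], octets[1])) return { type: 'invalid', reason: 'private or reserved address' };
    return { type: 'ip', entry: value };
  }
  if (DOMAIN_RE.test(value)) return { type: 'domain', entry: value.toLowerCase() };
  m = URL_RE.exec(value);
  if (m && (DOMAIN_RE.test(m[1]) || IPV4_RE.test(m[1]))) {
    // Assumption for this example: URL list entries are host/path without a scheme.
    return { type: 'url', entry: m[1].toLowerCase() + m[2] };
  }
  return { type: 'invalid', reason: 'not an IPv4 address, CIDR, domain or URL' };
}

// Route the malicious observables of an incident to typed, de-duplicated lists
// and collect what was refused so the analyst sees it instead of assuming
// everything was published.
function buildEdls(observables) {
  const lists = { ip: new Set(), domain: new Set(), url: new Set() };
  const rejected = [];
  for (const obs of observables) {
    if (!obs.malicious) continue;   // only confirmed-malicious observables get blocked
    const c = classify(obs.value);
    if (c.type === 'invalid') rejected.push({ value: obs.value, reason: c.reason });
    else lists[c.type].add(c.entry);
  }
  return {
    lists: Object.fromEntries(Object.entries(lists).map(([k, v]) => [k, [...v].sort()])),
    rejected,
  };
}

// Render one list as the text the firewall fetches: '#' comment, one entry per line.
function renderEdl(entries, listName) {
  return [`# ${listName} generated from security incident observables`, ...entries].join('\n') + '\n';
}

// Constructed sample: observables as they might sit on one security incident.
const SAMPLE_OBSERVABLES = [
  { value: '203.0.113.45', malicious: true },
  { value: '203.0.113.45 ', malicious: true },      // duplicate with whitespace
  { value: '198.51.100.0/24', malicious: true },
  { value: '10.0.0.5', malicious: true },           // internal address: must be refused
  { value: '999.1.1.1', malicious: true },          // malformed
  { value: 'Bad-Domain.example', malicious: true },
  { value: 'https://phish.example/login', malicious: true },
  { value: 'not a domain', malicious: true },
  { value: 'benign.example', malicious: false },    // not flagged: never published
];

const result = buildEdls(SAMPLE_OBSERVABLES);
for (const [type, entries] of Object.entries(result.lists)) {
  console.log(renderEdl(entries, `${type}-blocklist`));
}
console.log('rejected:', result.rejected);
```

Each rendered list is what would be served at the URL the firewall's EDL object points to; the rejected array is what the analyst should be shown on the incident, because a blocklist that quietly drops entries is as dangerous as one that quietly adds them.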
    © ServiceNow. All rights reserved.