This blog post covers integrating a customer's ServiceNow instance with a SIEM: why the integration streamlines Security Operations, and how ServiceNow can be leveraged once alerts flow into it.
Prereqs/Dependencies:
- Enterprise SIEM subscription
- Incident plugin, provided by the IT Service Automation Suite or the Service Management Suite
Given the volume of alerts and data that security operations teams deal with today, automating security event workflows is necessary to keep productivity and performance up. Triaging a security alert is like finding a needle in a haystack, except that the analyst's work does not end when the needle is found: containment, eradication, and recovery steps still have to be taken to prevent a recurrence.
Integrating your SIEM with ServiceNow for Enhanced Security Event Management
This is where integrating ServiceNow with a Security Information and Event Management (SIEM) platform comes in. The time initially needed to find and identify a security incident is cut significantly, because the alert arrives in ServiceNow as soon as the SIEM raises it.
SIEMs are designed to synthesize all the machine data that is generated in your environment. By aggregating and correlating all the machine generated data, SIEMs help security operations teams search, analyze, visualize, and leverage data to determine the best course of action during an incident.
The integration allows granular configuration, so the organization can automate workflows between the two platforms. By leveraging the SIEM together with the Incident plugin found in the IT Service Automation Suite or the Service Management Suite, you can build and operationalize a streamlined method for responding to security incidents.
Benefits of leveraging SIEM
With this integration, a problem detected in the SIEM automatically creates an incident in ServiceNow. Advantages of leveraging a SIEM include:
- Reducing mean time to resolve by correlating ServiceNow data, such as a Threat Portal hit, with the events captured in the SIEM.
- Defining and creating events based on pre-qualified alerts.
- Receiving and interpreting events in order to decide on an appropriate response.
- Responding to events by initiating a workflow.
ServiceNow's own security team uses this same workflow internally.
SIEM Example Use Case
Consider this use case: a machine in your environment is sending network traffic to a malicious domain. The traffic is captured in the SIEM and triggers an alert, which is opened on SecurityNow. An analyst receives the alert, opens a security incident (SIR), and begins analyzing the event. The SIEM lets the analyst pull the relevant logs and respond, and because of the integration the alert was raised almost at the moment the traffic occurred, so response time is faster.
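To make the alert-to-incident step concrete for both the benefits list above and this use case, here is an added example, written for this post rather than taken from ServiceNow or any SIEM vendor. It maps a constructed SIEM alert (a host talking to a malicious domain) onto ServiceNow incident fields and creates the incident through the standard Table API (`/api/now/table/incident`). The alert payload, hostnames, instance name and credentials are hypothetical; the `FakeServiceNow` class stands in for the real instance so the flow runs offline. The one design point the post does not spell out is de-duplication: the script derives a stable `correlation_id` from rule, source and destination, so a rule that fires repeatedly for the same host annotates the existing open incident instead of flooding the queue.

```python
"""Added example: turn a SIEM alert into a ServiceNow incident via the Table API.
Hypothetical integration script; Table API paths and incident fields are standard,
the alert payload, hosts and credentials are constructed for illustration."""
import base64
import hashlib
import json
import urllib.parse
import urllib.request

# SIEM severity -> (impact, urgency). ServiceNow derives priority from these
# two fields with its priority lookup table, so the integration sets only them.
SEVERITY_MAP = {"critical": ("1", "1"), "high": ("2", "1"),
                "medium": ("2", "2"), "low": ("3", "3")}

# Constructed sample alert (shape loosely modelled on a SIEM webhook payload).
SAMPLE_ALERT = {
    "search_name": "Outbound traffic to known-malicious domain",
    "result": {"src_ip": "10.20.30.40", "src_host": "wkstn-0417",
               "dest_domain": "update-check.example", "severity": "high",
               "_time": "2023-11-14T22:13:20Z"},
}


def correlation_key(search_name, src_ip, dest_domain):
    """Stable key for 'this host talking to this domain under this rule'.
    Using it (rather than the SIEM's per-run alert id) lets repeat firings
    land on the same incident instead of opening duplicates."""
    raw = f"{search_name}|{src_ip}|{dest_domain}".encode()
    return "siem-" + hashlib.sha256(raw).hexdigest()[:24]


def normalize_alert(alert):
    """Map SIEM alert fields onto ServiceNow incident fields."""
    r = alert["result"]
    impact, urgency = SEVERITY_MAP.get(r.get("severity", "low").lower(),
                                       SEVERITY_MAP["low"])
    host = r.get("src_host") or r["src_ip"]
    return {
        "short_description": f"[SIEM] {alert['search_name']}: {host} -> {r['dest_domain']}",
        "description": (f"Source: {host} ({r['src_ip']})\nDestination: {r['dest_domain']}\n"
                        f"First seen: {r.get('_time', 'unknown')}\nSeverity: {r.get('severity')}"),
        "category": "security",
        "impact": impact,
        "urgency": urgency,
        "correlation_id": correlation_key(alert["search_name"], r["src_ip"], r["dest_domain"]),
        "correlation_display": "SIEM",
    }


def make_request(instance, user, password):
    """Real transport: basic-auth calls to https://<instance>.service-now.com/api/now/table."""
    base = f"https://{instance}.service-now.com/api/now/table"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json",
               "Content-Type": "application/json"}

    def request(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read().decode())
    return request


def upsert_incident(fields, request):
    """Open an incident for the alert, or add a work note to the open one that
    already carries this correlation_id. Returns (action, incident number)."""
    query = urllib.parse.urlencode({
        "sysparm_query": f"correlation_id={fields['correlation_id']}^active=true",
        "sysparm_fields": "sys_id,number", "sysparm_limit": "1"})
    existing = request("GET", f"/incident?{query}").get("result", [])
    if existing:
        note = {"work_notes": f"SIEM alert fired again: {fields['short_description']}"}
        request("PATCH", f"/incident/{existing[0]['sys_id']}", note)
        return "updated", existing[0]["number"]
    created = request("POST", "/incident", fields)["result"]
    return "created", created["number"]


class FakeServiceNow:
    """In-memory stand-in for the Table API so the flow runs offline (constructed)."""
    def __init__(self):
        self.records, self.calls = {}, []

    def __call__(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "POST":
            n = len(self.records) + 1
            rec = dict(body, sys_id=f"sys{n:04d}", number=f"INC{n:07d}", active="true")
            self.records[rec["sys_id"]] = rec
            return {"result": rec}
        if method == "PATCH":
            self.records[path.rsplit("/", 1)[1]]["work_notes"] = body["work_notes"]
            return {"result": {}}
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)["sysparm_query"][0]
        wanted = dict(term.split("=", 1) for term in q.split("^"))
        hits = [r for r in self.records.values()
                if r["correlation_id"] == wanted["correlation_id"] and r["active"] == "true"]
        return {"result": hits[:1]}


if __name__ == "__main__":
    sn = FakeServiceNow()  # swap for make_request("dev12345", "siem_bot", "...") against a real instance
    for _ in range(2):     # second run hits the de-duplication path
        print(upsert_incident(normalize_alert(SAMPLE_ALERT), sn))
```

Two practical notes: the service account used by the SIEM should hold only the `itil` role (or a narrower custom role) on the `incident` table, not `admin`, and if you run the Security Incident Response application the same mapping targets the `sn_si_incident` table instead of `incident`.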
Image is from the Syslog Probe link below.
Some examples of SIEMs include: ArcSight, Splunk, QRadar, McAfee ESM, and NetWitness.
Useful Links: