on 12-10-2023 01:17 AM - edited Saturday
If you find any content missing, please leave a comment and I will add it to this article.
My library Knowledge Sources To Go is very popular, but it was intended mainly as a thematically grouped guide to standard sources and was provided by me as a PDF file. For certain topics, however, there is so much content that I can no longer include it in that document, as it cannot continue to grow forever.
For this reason, I have decided to handle such topics in individual community articles like this one instead.
What is Security Operations?
Security Operations is a security orchestration, automation, and response (SOAR) engine built on the Now Platform. Designed to help security and IT teams respond faster and more efficiently to incidents and vulnerabilities, Security Operations uses intelligent workflows, automation, and a deep connection with Security Operations and IT to streamline response. In addition, the solution leverages the ServiceNow® Configuration Management Database (CMDB) to map security incidents to business services and IT infrastructure. This mapping enables prioritization of incident queues and vulnerabilities based on business impact, ensuring your security and IT teams are focused on what is most critical to your business.
Entry point to the official product information pages.
Entry point to the official product documentation.
Summarized overview in one PDF file.
More detailed information
An overview of implementing, maintaining, and getting maximum value from Customer Service Management.
Recommended Implementation Sequence
Specific guidance for Security Operations (SecOps) outlining which products to implement through the Foundational, Crawl, Walk, Run, and Fly phases to ensure Customer Success.
This Success Pack gives customers the opportunity to have ServiceNow product SMEs assess their current implementation and document prescriptive guidance on maximizing value.
Trainings & Courses
Security Operations (SecOps) Fundamentals
This course covers the foundational topics of the ServiceNow Security Operations suite, including Security Incident Response, Vulnerability Response, and Threat Intelligence applications. The Security Operations Suite provides the tools needed to manage the identification of threats and vulnerabilities within your organization, as well as specific tools to assist in the management of Security Incidents.
Articles & Blog Posts
2023-11-14 by @lanemclaughlin
What’s New in Security Operations November 2023 Release
In ServiceNow’s last Store Release of 2023, there are three noteworthy innovations added to the Security Operations offering: Vulnerability Crisis Management, Compensating Controls for Vulnerability Response, and many new Now-on-Now flow-based playbooks.
Videos & Podcasts
2023-01-18 by ServiceNow Community
Transform Enterprise Security with ServiceNow Security Operations
What does it mean to “transform enterprise security?” It can mean a lot of things to many different people. In this video, we will explore how organizations are using ServiceNow Security Operations to change how they more effectively manage and respond to security events across the enterprise.
2023-01-19 by ServiceNow Community
The more you know - SecOps and CMDB Interactions
Primary focus: Interactions between SecOps (VR/CC) and NOW CMDB:
- Review the overall host lookup process in the current generation of the SecOps applications for VR and CC
- Clarifying common misconceptions we hear in the field
- Review how CMDB IRE and SecOps CI Lookup Rules play together
- Step-by-step walk through of common interactions with SecOps and CMDB (lookup, insert)
2023-03-13 by ServiceNow Community
What's New in Security Operations in the Utah Release
In this video, we will look at an exciting new feature designed especially with Tier 1 and 2 Security Analysts in mind, the Security Incident Response Workspace. We will also take a look at updates to the Vulnerability Manager Workspace, which now offers a more holistic look at your organization's attack surface.
2023-06-26 by ServiceNow Community
Mitigating Crisis Events with ServiceNow
In this video, we will explore how ServiceNow helps organizations mitigate major security events using solutions from the Security Operations, Risk, Operational Resilience, and Business Continuity Management portfolios.
2023-07-07 by ServiceNow Community
ServiceNow DLP Incident Response Demonstration
DLP Incident Response, part of ServiceNow Security Operations, gives us the power to integrate with Data Loss Prevention (DLP) products to import incidents from multiple sources, including endpoint, network, email, and cloud into a single platform. Then, using a remediation workflow, we can automatically assign incidents to end users, managers, and DLP analyst team with automated incident assignment and escalation, all using intuitive, easy-to-use workspaces designed specifically to make managing and reporting this work easy.
2024-03-23 by ServiceNow Community
This demo provides a 30,000’ view of the SecOps offerings that ServiceNow provides, including the following: Security Incident Response, Threat Intelligence, Major Security Incident Management, and Vulnerability Response.
2024-12-11 by ServiceNow Community
Get Started With Security Operations Applications
Join our product team to learn about key resources and techniques for the beginning of your implementation journey. The goal of this session is to foster success with your implementation of Security Operations Applications including Security Incident Response, Threat Intelligence, and Vulnerability Response.
2025-04-14 by ServiceNow Community
Get Started With Security Operations Applications
Join our product team to learn about key resources and techniques for the beginning of your implementation journey. The goal of this session is to foster success with your implementation of Security Operations Applications including Security Incident Response, Threat Intelligence, and Vulnerability Response.
2025-09-01 by ServiceNow Community
Get Started with Security Operations Applications
Join our product team to learn about key resources and techniques for your implementation journey. The goal of this session is to foster success with your implementation of Security Operations Applications including Security Incident Response, Threat Intelligence, and Vulnerability Response.
Now Assist
ServiceNow's Now Assist for Security Operations is a cutting-edge solution that leverages generative AI to enhance the efficiency and effectiveness of Security Operations Centers (SOCs). This intelligent platform automates routine tasks, provides advanced analytics, and streamlines incident management processes. Now Assist offers features such as AI-driven summaries, automated resolution notes, and intelligent incident prioritization, enabling security analysts to focus on critical threat mitigation. By automating the creation of incident summaries, post-incident analysis, and resolution notes, Now Assist significantly reduces incident response time and improves accuracy. This not only boosts analyst productivity but also leads to substantial cost savings for organizations, potentially up to $400,000 annually for those handling 500 security incidents per week. With its ability to provide concise, structured summaries of security incidents and automate various aspects of the incident response lifecycle, Now Assist is transforming security operations and helping bridge the skills gap in cybersecurity.
Entry point to the official product documentation
The implementation guide helps implementers better adopt the product by providing the broader context with best practices for critical actions that need to be taken during an implementation.
Trainings & Courses
Now Assist for Security Incident Response (SIR) Implementation Bootcamp
This on-demand course provides an overview of the Now Assist for Security Operations application for ServiceNow. This course illustrates the Now Assist application, enabling security analysts to use intelligent workflows and ServiceNow generative AI skills to help them resolve security incidents. With Now Assist for SecOps, security managers can quickly review the context of security incidents and closure notes in a concise, easy-to-read format with the Now Assist for Security Operations application.
Articles & Blog Posts
2024-08-06 by @Miranda Ju
Now Assist for Security Operations is Generally Available!
We're excited to announce that our Generative AI product, Now Assist for Security Operations (SecOps), is now live on the ServiceNow Store! In our August release, we are thrilled to introduce three key features designed to enhance your experience:
- Security Incident Summarization
- Resolution Notes Generation
- Interactive Q&A in the Now Assist Panel
Vulnerability Response
ServiceNow Vulnerability Response synthesizes asset, severity, exploit, risk, and threat intelligence insights into automated workflows for fast, reliable prioritization and remediation. Integrations available on the App Store plug into multiple cloud, container, application testing, vulnerability assessment, OT/IT discovery, patch deployment, and asset management tools for fast time to visibility across your evolving attack surface. This unified understanding helps both minimize blind spots and continuously calculate potential exposure based on threat intelligence and asset attributes. Native configuration compliance shows whether managed assets are deployed within policy and includes workflows to fix flaws and improve the security posture.
Entry point to the official product information pages.
Entry point to the official product documentation.
Summarized overview in one PDF file.
What is vulnerability management?
More detailed information
Provides detailed guidance on the way that ServiceNow intends the process to-be.
Describes the inherent functionality of the product and outlines the technical components in the form of a diagram.
This Success Pack provides customers with prescriptive guidance to deliver a VR deployment with vulnerability scan data ingestion, automation, increased productivity, and enhanced visibility into their enterprise.
Trainings & Courses
Vulnerability Response (VR) Implementation
This course covers Vulnerability Response essentials such as why customers need Vulnerability Response, what Vulnerability Response is, and how to properly implement Vulnerability Response. Participants will learn the common technical aspects of a Vulnerability Response implementation as well as experience various processes to effectively manage a Vulnerability Response implementation. Additionally, participants will learn tactical skills and strategies that will better prepare them to implement Vulnerability Response in a scalable, repeatable, and efficient manner.
Vulnerability Response Learning Bytes
This course is structured as a series of short, targeted learnings that focus on key topics and features. Each course in the series includes informative text, interactive graphics, etc. As a learner, you can choose to take one or more courses, depending on your interests. New courses will be added often.
Articles & Blog Posts
2021-04-21 by @Chris McDevitt
Vulnerability Response and The Discovered Items Module
The Discovered Items module is a hidden gem that we can all use to enhance Vulnerability Response and potentially your CMDB.
2022-04-04 by @john_gibbons
Vulnerability Response CI matching can be a challenging and difficult thing to get right. For effective CI matching there are a few key things to keep in mind. This article is intended to help you understand how to tune your CI Matching logic to work as effectively as possible with the data that you have available.
2022-04-04 by @Chris McDevitt
Incomplete IP Identified Devices and what to do with them
I have put down my thoughts on how to handle Incomplete IP Identified Devices.
2023-09-16 by @john_gibbons
ServiceNow Vulnerability Response Host Import Maps
Host Import Maps determine how and what scanner asset data is mapped to a target table and the target fields. This article is intended to help you understand how and when to utilize Host Import Maps.
2023-12-12 by @lanemclaughlin
ServiceNow Vulnerability Response Exploit Prediction Scoring System (EPSS)
ServiceNow's Vulnerability Response Exploit Prediction Scoring System (EPSS) provides a fundamentally new capability for efficient, data-driven vulnerability management. It’s a data-driven effort that uses current threat information from CVE and real-world exploit data. The EPSS model produces a probability score between 0 and 1 (0 and 100%), where the higher the score, the greater the probability that a vulnerability will be exploited.
Videos & Podcasts
2022-03-03 by ServiceNow Community
The critical importance of your CMDB for Vulnerability response
The success of your Vulnerability Response implementation relies heavily on your Configuration Management Database (CMDB). Learn why and how to get properly set up in 10 minutes. In this first episode of the 2020 series on Vulnerability Response (VR), Rahimulah Rahimi, Technical Portfolio Manager, lays the groundwork for all you need to know to be successful with VR.
2022-03-05 by ServiceNow Community
CI Matching for Vulnerability Response - How to get it right
The matching of your CMDB's Configuration Items (CIs) to the list of hosts and vulnerabilities brought in by your scanner is key to the success of your Vulnerability Response (VR) implementation. Learn how this works and how to do it right in 20 minutes.
2021-03-27 by ServiceNow Community
Vulnerability Response End to End Demonstration
This video walks you through ServiceNow Vulnerability Response and discusses the various aspects of the product.
2022-03-05 by ServiceNow Community
How To - Vulnerability Response
2022-04-22 by ServiceNow Community
ServiceNow Vulnerability Response and the CMDB
In this video, Leo Sequeira from the ServiceNow Customer Outcomes team discusses how Vulnerability Response and the CMDB complement one another as he answers some of the more common questions and concerns he's heard from customers.
2023-02-17 by ServiceNow Community
Container Vulnerability Management with ServiceNow Vulnerability Response
Learn how ServiceNow helps customers manage vulnerabilities in their cloud container environments.
2023-11-15 by ServiceNow Community
Systematically Harden the Digital Attack Surface
Vulnerability Response helps our customers move from painfully manual, spreadsheet driven processes to automated digital workflows. It’s important to understand that helping Security and IT teams perform their work faster is very helpful, however most of the ROI will be in the reduction of business risk. The quicker vulnerabilities are patched, the less of a window attackers have to exploit them.
2023-12-02 by ServiceNow Community
Reduce Vulnerabilities in Infrastructure, Applications, Cloud, OT and Services
ServiceNow Vulnerability Response helps you view and respond to all vulnerabilities across all IT assets from a single pane of glass. Now you can view application vulnerabilities from DAST, SAST, SCA, and penetration testing findings from tools like Veracode, Snyk, Fortify, and Checkmarx.
2023-12-02 by ServiceNow Community
Systematically Harden the Digital Attack Surface
ServiceNow® Vulnerability Response synthesizes asset, severity, exploit, risk, and threat intelligence insights into automated workflows for fast, reliable prioritization and remediation. Integrations available on the App Store plug into multiple cloud, container, application testing, vulnerability assessment, OT/IT discovery, patch deployment, and asset management tools for fast time to visibility across your evolving attack surface. This unified understanding helps both minimize blind spots and continuously calculate potential exposure based on threat intelligence and asset attributes.
Security Incident Response
ServiceNow Security Incident Response, a security orchestration and automation response (SOAR) solution, helps you rapidly respond to evolving threats while optimizing and orchestrating enterprise security operations. Security Incident Response eliminates the errors and friction natural to manual handoffs across systems, teams and responsibilities. Integrations, playbooks, dashboards, and a common data model for enterprise case management expedite investigation, response, and remediation across IT, Security, and Risk teams to minimize incident impact, data loss, and exposure. This drives maturity of your security operations, and centralizes case management for threats, data loss events, and more.
Entry point to the official product information pages.
Entry point to the official product documentation.
Summarized overview in one PDF file.
More detailed information
What is the MITRE ATT&CK Framework?
More detailed information
Provides detailed guidance on the way that ServiceNow intends the process to-be, for Security Incident Response (SIR).
Recommended Implementation Sequence
Specific guidance for Security Operations (SecOps) outlining which products to implement through the Foundational, Crawl, Walk, Run, and Fly phases to ensure Customer Success.
This Success Pack will help with the implementation of SIR, designed to shift customers into Maturity Level 1 and align them to advance into the next phases of their customer journey.
Training & Courses
Security Incident Response Implementation
In this interactive course, attendees cover the domain knowledge, common implementation, technical aspects, and various processes needed to effectively manage a Security Incident Response (SIR) implementation.
Participants will learn and practice various tactical skills and strategies that will prepare them to implement SIR. Through lectures, group discussions, and hands-on labs, participants build on existing knowledge and skills by applying implementation best practices.
Security Incident Response (SIR) Workspace Bootcamp
The bootcamp on Security Incident Response (SIR) Workspace in ServiceNow is designed to provide individuals with an in-depth understanding of how to effectively manage and respond to security incidents using the ServiceNow SIR platform.
Articles & Blog Posts
2023-02-02 by @Madhumitha Redd
The all-new Security Incident Response Workspace is now live on store!
We heard you!!!! Say bye to the classic UI and the custom new UI. The re-imagined next-gen workspace for the Security Analysts is now available on the store.
2023-02-02 by @Prudhvi T
How to Create New Outcome Types in Security Incident Response Task?
Playbooks in Security Incident Response often use response tasks as a channel to guide the security analysts and expedite the resolution of security incidents. These playbooks rely on responses provided by the analyst via the response task "State" field and subsequently generate follow-up response tasks.
2023-08-10 by @Madhumitha Redd
Render flow based playbooks in the new SIR Workspace
If you have started using the new SIR workspace, and are in the journey of creating new processes for each of your playbooks built using Flow Designer, then this article is for you.
Videos & Podcasts
2021-12-16 by ServiceNow Community
Major Security Incident Management Demonstration
Learn all about the exciting new Major Security Incident Management, part of ServiceNow Security Incident Response. Watch this brief walkthrough of how to promote a security incident to a major security incident, and then get a quick tour of the workspace to see how Major Incident Managers can easily view all elements of the incident(s), collaborate with users across the organization, track artifacts, and report status to stakeholders.
2022-03-24 by ServiceNow Community
Data Loss Prevention Incident Response Demonstration
In this video, learn how ServiceNow Data Loss Prevention Incident Response (DLP IR) helps organizations like yours manage the DLP incidents across endpoint, email, network, and the cloud. View the DLP Analyst workspace and the end user workspace during the demonstration.
2022-03-28 by ServiceNow Community
Microsoft Defender for Endpoint integration with ServiceNow Security Incident Response
In this video, you'll learn about the integration between Microsoft Defender for Endpoint and ServiceNow Security Incident Response, along with seeing a brief demonstration of the functionality in action.
2022-05-11 by ServiceNow Community
Resolve Security Incidents Faster with ServiceNow and CrowdStrike
SOAR (Security Automation, Orchestration, and Response) is critical in helping organizations stay ahead of their adversaries. In this video, we’ll take a look at how ServiceNow partners with CrowdStrike to provide a more seamless, efficient experience for Security Analysts using automation, orchestration, and intelligence.
2023-01-30 by ServiceNow Community
How-To Transform Emails into Security Incidents
Learn how to streamline the security incident reporting process in ServiceNow using your email plugin. Discover how to set up the process that allows you to forward emails directly to your ServiceNow instance with just one click. In this demonstration, the email will be parsed and automatically translated into a security incident, saving you time and increasing efficiency.
2023-02-02 by ServiceNow Community
Security Incident Response Workspace Demo
In this video, we will take a look at the new Security Incident Response Workspace from ServiceNow. This workspace helps security analysts resolve security incidents faster than ever before!
2023-04-11 by ServiceNow Community
Manage and Respond to Evolving Threats Across the Enterprise with ServiceNow
Security Incident Response helps our customers centralize their incident handling work and automate repetitive manual processes. This results in not only a better user experience of incident handlers, but also critical improvements in resolution time and analytical capabilities. It’s important to understand that helping Security and IT teams perform their work faster is very helpful, however the majority of the ROI will be in the reduction of business risk. The quicker security incidents are handled, the less of a chance there is of a breach or service outage.
2023-09-26 by ServiceNow Community
ServiceNow Security Incident Response helps organizations centralize their incident handling work and automate repetitive manual processes. This results in not only a better user experience of incident handlers, but also critical improvements in resolution time and analytical capabilities. It’s important to understand that helping Security and IT teams perform their work faster is very helpful, however the majority of the ROI will be in the reduction of business risk. The quicker security incidents are handled, the less of a chance there is of a breach or service outage.
2023-12-07 by ServiceNow Community
Major Security Incident Management (MSIM) - Tips for Successful Deployment
Join us in a special SecOps community webinar dedicated to Major Security Incident Management (MSIM). For those of you who have implemented MSIM (or are planning to do so) this session is the ONE not to miss!
2023-12-07 by ServiceNow Community
Optimize and Orchestrate Enterprise Security Operations
ServiceNow® Security Incident Response, a security orchestration and automation response (SOAR) solution, helps you rapidly respond to evolving threats while optimizing and orchestrating enterprise security operations. Security Incident Response eliminates the errors and friction natural to manual handoffs across systems, teams and responsibilities. Integrations, playbooks, dashboards, and a common data model for enterprise case management expedite investigation, response, and remediation across IT, Security, and Risk teams to minimize incident impact, data loss, and exposure. This drives maturity of your security operations, and centralizes case management for threats, data loss events, and more.
Configuration Compliance
This feature helps organizations identify, prioritize, and remediate vulnerable misconfigured software in deployment-stage assets. It integrates with third-party Secure Configuration Assessment (SCA) tools to import configuration tests, authoritative sources, and test results into ServiceNow. The application automatically prioritizes failed configuration tests by matching them against assets in the Configuration Management Database (CMDB), considering both the severity of the misconfiguration and the criticality of the affected asset. This allows security teams to focus on addressing the most critical issues first. Configuration Compliance streamlines the remediation process by enabling the creation of IT change tickets directly from test result groups or associating test results with existing change requests in ServiceNow IT Service Management. The feature also provides real-time visibility into configuration issues through a dashboard and can feed data into ServiceNow Governance, Risk, and Compliance for ongoing risk monitoring. By automating the identification and remediation of misconfigurations, Configuration Compliance helps organizations reduce their attack surface and maintain compliance with corporate and regulatory policies.
Entry point to the official product documentation.
Summarized overview in one PDF file.
Training & Courses
Configuration Compliance Essentials
ServiceNow's Configuration Compliance application allows an organization to prioritize, manage and remediate software configuration issues and the vulnerabilities that arise from misconfiguration. Configuration Compliance Essentials covers the basics of how to set up Configuration Compliance for your organization, the impacts of third-party scanners and the data they import, and how to strategize and remediate test results.
Great collection!