Security Incident Response - are integrations necessary
01-11-2024 01:48 PM
Hi SecOps community,
We are exploring the Security Incident Response module in our DEV environment, where we are looking to track phishing emails and vulnerabilities for patching. It seems like tracking vulnerabilities is part of the Vulnerability Response plugin and not part of the Security Incident Response module. From my understanding, the Security Incident Response module is efficient only if we integrate with some sort of SIEM to track these incidents/threats. Without integrating a SIEM, Security Incident Response would be lacking in capabilities.
Am I understanding the Security Incident Response module correctly?
01-12-2024 05:06 AM
Correct, Vulnerability Response is not the same as Security Incident Response; they are two separate products within Security Operations. Vulnerability Response is meant to drive remediation of vulnerabilities from an integration with your scanner. You can still use Security Incident Response without SIEM integration, but I would say its main purpose is to turn SIEM alerts/incidents into actionable ServiceNow Security Incidents. However, your business case for tracking phishing emails is a perfect case for Security Incident Response. There are pre-built Email Processing and Phishing Email capabilities. With Email Processing and Parsers, and with User-Reported Phishing Emails, you can convert inbound emails to security incidents.
Here is a docs link to creation of Security Incidents: https://docs.servicenow.com/csh?topicname=si-creation.html&version=latest
Here is a docs link to creation from user-reported phishing email: https://docs.servicenow.com/csh?topicname=urp-about.html&version=latest