Security incidents created from events and alerts

  • Release version: Yokohama
  • Updated January 30, 2025

    As events are imported from alert monitoring tools, they are first processed by Event Management and grouped into alerts. These alerts can then be used to create security incidents automatically, based on customizable alert rules, or reviewed manually to select the alerts that should be investigated as security incidents.

    You can find a sample alert rule called Create security incidents from critical alerts in the Alert Rules module of the Event Management application. This alert rule automatically creates security incidents when critical security-related events are received from within ServiceNow or from third-party monitoring applications. After the security incident has been created, it will be updated as new events are received. You can modify the task template in the alert rule to change the initial values for the security incident created by this alert rule. To handle each distinct variety of security incident that you would like to create, you can define other alert rules with different conditions.

    Alternatively, if you are a user with the Security Admin role, you can manually create a security incident by clicking the Create Security Incident button from any suspicious alert.

    It is important that the events received from external tools include the following information:
    • The node set to the name, IP address, or sys_id of the CI that becomes the affected resource.
    • The event classification is set to Security to distinguish them from other IT events.
    • The event description, which populates the description of the security incident.
    • The additional information can include any extra information that does not fit into the previously listed fields or other event fields, such as the category, attack vectors, return URL, or correlation ID. The format is a string that lists field names along with their values, using the following JSON format:
      { "fieldName" : "fieldValue", "fieldName" : "fieldValue" }
    Note:
    For each field and value pair, if the field in the security incident where the column name matches the fieldName is empty, it is set to the fieldValue. If the field in the security incident is not empty, it is not changed. In either case, the event and all the fields and values encoded in the additional information are recorded in a work notes entry describing the event. If nothing changes in the security incident, a work note entry is not created. Any fields in a security incident, including custom fields you add to the table, can be set.
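The following JavaScript is an added example, not ServiceNow's own code: it models the merge rule described in the note above using plain objects in place of GlideRecord. The incident field names and the event values in the sample are constructed assumptions.

```javascript
// Added example, not ServiceNow's code: models how an event's additional
// information JSON is merged into a security incident (plain objects, not GlideRecord).

function isEmpty(value) {
  return value === undefined || value === null || value === "";
}

// Each fieldName/fieldValue pair fills the matching incident field only when that
// field is empty; non-empty fields are left as they are. Returns the updated copy,
// the fields that were set, and the work note text (null when nothing changed).
function applyEventToIncident(incident, event) {
  if (event.classification !== "Security") {
    throw new Error("event classification must be Security for a security incident");
  }
  let extra = {};
  if (!isEmpty(event.additional_info)) {
    extra = JSON.parse(event.additional_info); // throws on malformed input
    if (extra === null || typeof extra !== "object" || Array.isArray(extra)) {
      throw new Error("additional_info must be a JSON object of field/value pairs");
    }
  }
  const updated = Object.assign({}, incident);
  const changed = [];
  for (const [name, value] of Object.entries(extra)) {
    if (isEmpty(updated[name]) && !isEmpty(value)) {
      updated[name] = value;
      changed.push(name);
    }
  }
  if (changed.length === 0) {
    return { incident: updated, changed, workNote: null };
  }
  // The work note records the event and every pair from additional_info, set or not.
  const lines = ["Event from node " + event.node + ": " + event.description];
  for (const [name, value] of Object.entries(extra)) {
    lines.push("  " + name + " = " + value + (changed.includes(name) ? " (set)" : " (unchanged)"));
  }
  return { incident: updated, changed, workNote: lines.join("\n") };
}

// Constructed sample: the incident already has a category, so the event's
// category is not applied; correlation_id and attack_vector are empty and get set.
const sampleIncident = { description: "Suspicious outbound traffic", category: "Malware", correlation_id: "" };
const sampleEvent = {
  node: "web-01",
  classification: "Security",
  description: "Outbound connection to a blocklisted domain",
  additional_info: '{ "category" : "Phishing", "correlation_id" : "evt-12345", "attack_vector" : "email" }'
};
```

Because any column, including custom ones, can be set this way, the values come from the monitoring tool unchanged; the empty-field guard is what keeps analyst-entered values from being overwritten by later events.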