Security Operations common functionality

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security Operations Common Functionality

    The Security Operations common functionality is activated alongside plugins for Security Incident Response, Vulnerability Response, Threat Intelligence, and Configuration Compliance. The Security Support Common plugin enables shared modules across these applications, accessible to users with the [sn_sec_cmn.admin] role. This role is granted when a user is assigned an administrative role in any Security Operations application.


    Key Features

    • Integration Support: Includes instructions for activating plugins and configuring both ServiceNow and third-party integrations, as well as guidelines for developing custom integrations.
    • Email Processing: Allows integration with external detection systems, manages unmatched emails, and prevents record duplication.
    • Filter Groups: Enables the creation and use of filter groups for locating records based on specific criteria.
    • Escalation Paths: Facilitates the creation of escalation paths for security incidents requiring additional attention.
    • Workflows: Provides visibility into security workflows and allows creation from templates using the Workflow Editor.
    • Field Mapping and Value Transforms: Supports the transformation and mapping of data between Security Operations tables and other tables, ensuring standardized data formats.
    • On-Demand Orchestration: Allows execution of tasks driven by security incident workflows.
    • Domain Separation: Enables customization of application functions across different domains through property overrides.
    • Security Tags: Allows the assignment of tags to manage access to security records and organize security groups.
    • Search Functionality: Utilizes the Zing search engine for quick information retrieval across Security Operations applications.

    Key Outcomes

    Utilizing the features of the Security Operations common functionality empowers organizations to efficiently manage security incidents, streamline workflows, and enhance integration capabilities with external systems. This results in improved incident response times, better data management, and a more organized approach to security operations management.

    Whenever any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated. This plugin loads various modules that provide functionality that is common across all Security Operations applications.

    Note:
    Only users with the [sn_sec_cmn.admin] role can view and use the Security Operations module. This role is inherited when you are assigned an administrative role in any of the Security Operations applications.

    Security Operations Modules

    Feature Description
    Security Operations Integration Reference, Threat Intelligence integrations, Vulnerability Response integrations

    Several integrations are included with the Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response). This section provides instructions for activating the plugins and configuring both ServiceNow and third-party integrations. Also included are some basic guidelines for developing your own integrations, as well as details on specific integrations included in the base system.

    Security Operations email processing

    You can set up the integration of information from external detection systems, provide granularity in processing security operations records, handle unmatched emails, and prevent duplication of records using Email Processing.

    Groups
    • Filter Groups

      Create and use filter groups to locate records from any table on your instance. For example, you can create a group of all computers by the same manufacturer. You can also filter configuration items (CIs) that have similar vulnerabilities or that fall within a particular subnet IP address range.

    • Escalations

      You can create an escalation path for security incidents for issues requiring more attention or expertise. Once an escalation group exists, a button appears on any security incident in that group.

    Security Tags

    Tags: Security tag rules provide filtering for security tag access.

    Workflows
    • View Security Workflows

      You can view the many workflows included with the Security Operations applications. You can create workflows from templates and in the Workflow Editor.

    • Workflow Triggers

      Security Operations workflow triggers contain a condition on a table. All workflows attached to the workflow trigger record run when the condition is met.

    Utilities
    • Enrichment Data Mapping

      Enrichment Data Mapping transforms data from XML, JSON, or Properties files to ServiceNow records. Security Operations workflows use enrichment data maps and provide output data to security incidents.

    • Field Value Transforms

      Field Value Transforms convert unique customer field values into field values recognized by Security Operations email parsing, data enrichment, or tables that use field maps. They support choice fields and references, and align external data with the standard terminology and format for your new record.

    • Field Mapping

      Security Operations tables can be mapped to and from other tables, linking a security incident to a customer service case or a problem to other parts of the Security Operations system. For example, you can integrate a plugin to a Security Incident Response task.

    • On-Demand Orchestration

      During Security Incident Response analysis, a security analyst may want to perform a task that is driven by a security incident workflow, for example, running a process dump on a particular CI. This can be accomplished with on-demand orchestration.

    • Operating Systems Groups

      NA.

    • SecOps Application Registry

      NA.

    CMDB

    CI Identifier Rules: CI identifiers are rules used to look up a configuration item (CI) in the CMDB that contains matching information from a third-party integration. These rules define the fields that contain matching data and the order of precedence by which they are evaluated. The lowest Order value is evaluated first.
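
    The order-of-precedence lookup described above, modeled in plain JavaScript as an added example. It is not ServiceNow code or a ServiceNow API: the rule objects, the `lookupCi` function, the sample CMDB rows, and the handling of blank and ambiguous matches are assumptions made for illustration.

```javascript
// Constructed model of ordered CI identifier rules; not ServiceNow code.
// Each rule maps a field in the integration payload to a CMDB field.
const rules = [
  { order: 300, sourceField: 'ip', cmdbField: 'ip_address' },
  { order: 100, sourceField: 'serial', cmdbField: 'serial_number' },
  { order: 200, sourceField: 'fqdn', cmdbField: 'fqdn' },
];

// Constructed CMDB rows. Two rows share an IP address to show ambiguity.
const cmdb = [
  { sys_id: 'ci-001', serial_number: 'SN-1001', fqdn: 'web01.example.test', ip_address: '10.0.0.5' },
  { sys_id: 'ci-002', serial_number: 'SN-2002', fqdn: 'db01.example.test', ip_address: '10.0.0.9' },
  { sys_id: 'ci-003', serial_number: '', fqdn: '', ip_address: '10.0.0.9' },
];

// Normalize so that case and stray whitespace do not cause a missed match.
const norm = (v) => (v == null ? '' : String(v).trim().toLowerCase());

// Evaluate rules from the lowest Order value upward; the first rule that
// identifies exactly one CI wins. Blank payload values are skipped so they
// can never match blank CMDB fields. Assumption of this sketch: a rule that
// matches several CIs is recorded as ambiguous and the next rule is tried.
function lookupCi(payload, ruleSet, table) {
  const trace = [];
  const ordered = [...ruleSet].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    const wanted = norm(payload[rule.sourceField]);
    if (!wanted) {
      trace.push(`${rule.order}:skipped`);
      continue;
    }
    const hits = table.filter((ci) => norm(ci[rule.cmdbField]) === wanted);
    if (hits.length === 1) {
      trace.push(`${rule.order}:matched`);
      return { ci: hits[0].sys_id, matchedBy: rule.cmdbField, trace };
    }
    trace.push(`${rule.order}:${hits.length === 0 ? 'no-match' : 'ambiguous'}`);
  }
  // No rule produced a single CI: leave the record unmatched for review
  // rather than attaching a finding to the wrong asset.
  return { ci: null, matchedBy: null, trace };
}
```

    The trace makes precedence visible: a payload carrying serial SN-2002 and IP 10.0.0.5 resolves to ci-002, because the serial rule (Order 100) is evaluated before the IP rule (Order 300) that would have pointed at ci-001.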