Security Operations common functionality

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Security Operations Common Functionality

    The Security Operations Common plugin is activated when any of the main Security Operations applications, such as Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance, are enabled. This plugin facilitates common functionalities across these applications and is only accessible to users with thesnseccmn.adminrole, which is granted with administrative roles in Security Operations applications.

    Show full answer Show less

    Key Features

    • Integrations: Includes out-of-the-box integrations for Security Incident Response, Threat Intelligence, and Vulnerability Response. Provides guidance for activating plugins and configuring third-party integrations.
    • Email Processing: Facilitates the integration of information from external detection systems, ensuring precise record processing and preventing duplication.
    • Filter Groups: Enables the creation of filter groups to easily locate records by criteria, such as manufacturer or IP address range.
    • Escalations: Allows the establishment of escalation paths for security incidents requiring specialized attention.
    • Workflows: Offers various pre-built workflows and the ability to create custom workflows using templates.
    • Data Mapping and Transformation: Supports the transformation of external data into ServiceNow records and aligns field values with recognized formats for better integration and processing.
    • Domain Separation: Customizes application functionalities through domain-separated property overrides.
    • Security Tags: Assigns tags to various security records to manage access and create metadata for better organization.
    • Search Functionality: Utilizes Zing, a text indexing engine, to enable quick information retrieval across Security Operations applications.

    Key Outcomes

    By leveraging the functionalities offered by the Security Operations Common plugin, ServiceNow customers can enhance their incident response capabilities, improve data integration, and streamline security operations through customizable workflows and effective record management. These features contribute to a more efficient and responsive security posture across the organization.

    Whenever any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated. This plugin loads various modules that provide functionality that is common across all Security Operations applications.

    Note:
    Only users with the [sn_sec_cmn.admin] can view and use the Security Operations module. This role is inherited when you are assigned an administrative role in any of the Security Operations applications.

    Security Operations Modules

    Feature Description
    Security Operations Integration Reference, Threat Intelligence integrations, Vulnerability Response integrations Several integrations are included with the Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response). This section provides instructions for activating the plugins and configuring both ServiceNow and third-party integrations. Also included are some basic guidelines for developing your own integrations, as well as details on specific integrations included in the base system.
    Security Operations email processing You can set up the integration of information from external detection systems, provide granularity in processing security operations records, handle unmatched emails, and prevent duplication of records using Email Processing.
    Groups
    • Filter Groups

      Create and use filter groups to locate records from any table on your instance. For example, you can create a group of all computers by the same manufacturer. You can also filter configuration items (CIs) that have similar vulnerabilities or that fall within a particular subnet IP address range.

    • Escalations

      You can create an escalation path for security incidents for issues requiring more attention or expertise. Once an escalation group exists, a button appears on any security incident in that group.
    Security Tags

    Tags: Security tag rules provide filtering for security tag access.
    Workflows
    • View Security Workflows

      You can view the many workflows included with the Security Operations applications. You can create workflows from templates and in the Workflow Editor.

    • Workflow Triggers

      Security Operations workflow triggers contain a condition on a table. All workflows attached to the workflow trigger record run when the condition is met.
    Utilities
    • Enrichment Data Mapping

      Enrichment Data Mapping transforms data from XML, JSON, or Properties files to ServiceNow records. Security Operations workflows use enrichment data maps and provide output data to security incidents.

    • Field Value Transforms

      Transforms unique customer field values into field values recognized by Security Operations email parsing, data enrichment or tables using field maps. Supports choice fields, references, and aligns external data into the standard terminology and format for your new record.

    • Field Mapping

      Security Operations tables can be mapped to and from other tables, linking a security incident to a customer service case or a problem to other parts of the Security Operations system. For example, you can integrate a plugin to a Security Incident Response task.

    • On-Demand Orchestration

      During Security Incident Response analysis, a security analyst may want to perform a task that is driven by a security incident workflow. For example, run a process dump on a particular CI. This can be accomplished with on-demand orchestration.

    • Operating Systems Groups

      NA.

    • SecOps Application Registry

      NA.
    CMDB

    CI Identifier Rules: CI identifiers are rules used to lookup a configuration item (CI) in the CMDB that contains matching information from a third-party integration. These rules define the fields that contain matching data and the order of precedence by which they are evaluated. The lowest Order value is evaluated first.