Zurich Security Management

  • Security Operations
  • Exploring Security Operations
  • Now Assist for Security Incident Response
  • Explore
  • Supporting information
  • Configure
  • Configure a skill
  • Configure the Security incident quality assessment skill
  • Configure the Security incident resolution plan skill
  • Customize a skill
  • Inputs and triggers
  • Use generative AI skills
  • Summarize a security incident
  • Generate closure notes
  • Generate recommended actions
  • Generate a post-incident analysis
  • Explore correlation insights
  • Generate correlation insights from the Security Incident Response Workspace with Now Assist for Security Incident Response
  • Generate correlation insights in the Now Assist panel with Now Assist for Security Incident Response
  • Explore Security incident quality assessment
  • Generate a quality assessment report
  • Request generative AI skills
  • Use agentic workflows
  • Close security incidents
  • Close a security incident
  • Resolve security incidents
  • Resolve a security incident
  • Analyze security operations metrics
  • Analyze security operations metrics agentic workflow
  • Generate SIR Shift Handover Report
  • Add security incident to shift handover report
  • Now Assist for Vulnerability Response
  • Explore AI skills and agentic workflows
  • Supporting information
  • LLM-powered SIR integration builder
  • Explore
  • Install
  • Use SIR Integration Builder
  • Add an integration
  • Add application details
  • Add connection details
  • Add capability details
  • Add APIs
  • Review integration
  • Verify capabilities in ServiceNow Studio
  • Use capabilities in SIR Workspace
  • Edit an integration
  • SIR Integration Builder reference
  • Prompt Data table
  • Unified Security Exposure Management
  • Explore
  • Security Exposure Management Workspace
  • Administration view
  • Visualization library
  • AI Exposures
  • Cloud Exposure view
  • Approvals view
  • Finding view
  • Remediation view
  • List view
  • Watch topics
  • Health Dashboard
  • Now Assist in Unified Security Exposure Management
  • Generative AI skills
  • Agentic workflows
  • Security Exposure Management workflow
  • Automating prioritization and triaging
  • Associating finding with a configuration item using lookup rules
  • Managing unmatched configuration items (CIs)
  • Managing unclassed hardware
  • Steps to help prevent duplicate or orphaned records after running lookup rules
  • Categorizing findings and discovered items using classification rules
  • Prioritizing vulnerabilities and other findings using roll-up calculators
  • Vulnerability Response Rollup Calculators
  • Assigning findings to remediation teams using assignment rules
  • Removing assignments from findings and remediation tasks
  • Defining your own service level agreements (SLAs) using remediation target rules
  • Deferring findings automatically without manual intervention using exception rules
  • Grouping multiple findings as remediation tasks for easy processing using remediation task rules
  • Closing stale detections and findings automatically using auto-close rules
  • Deleting stale findings automatically using auto-delete rules
  • Controlling the ingestion volume with automatic exclusion
  • Severity mapping for Unified Security Exposure Management
  • Creating CIs using the Identification and Reconciliation engine
  • Updating CI class for unmatched cloud assets
  • Implement
  • Installing Security Exposure Management Workspace applications
  • Migration upgrade prerequisites
  • Install Unified Security Exposure Management
  • Download and activate applications
  • Security Exposure Management Workspace Roles
  • Access control lists (ACLs) for administration rules
  • Security Exposure Management Workspace personas and granular roles
  • Assign the Vulnerability Response persona roles using Setup Assistant
  • Manage persona and granular roles for Vulnerability Response
  • Configure rules to manage findings
  • Configuring lookup rules
  • Configuring classification rules
  • Configuring roll-up calculator rules
  • Configuring assignment rules
  • Configuring remediation target rules
  • Configuring an exception rule
  • Create an exception rule
  • Approve an exception rule request
  • Activating an exception rule
  • Reopen an exception rule
  • Update an approved exception rule
  • Delete an exception rule
  • Define fields and weights for the risk rule for Unified Security Exposure Management risk calculators
  • Configuring remediation task rules
  • Configuring auto-close rules
  • Configuring auto-delete rules
  • Configuring exclusion rules
  • Create or edit exclusion rules
  • Approve or reject an unassign request
  • Approval workflow configurations for unassign request
  • Configure AI skills and agentic workflows
  • Configure a skill
  • Configure an agentic workflow
  • Configure AI Security Exposure Management
  • Configure Exception Management for Security Exposure Management
  • Request an exception using GRC: Policy and Compliance Management
  • Specify the duration of an exception requested for a remediation task
  • Configure email notifications in Unified Security Exposure Management
  • Configure email templates in Unified Security Exposure Management
  • Configure a severity map in the Security Exposure Management Workspace
  • Configure Visualization library
  • Create a custom widget
  • Update a widget
  • Localize widget titles
  • Configure users and groups in Security Exposure Management Workspace
  • Add groups to a role
  • Add users to a role
  • Set up security tag groups and tags
  • Create security tag rules
  • Import security tag rules
  • Integrations
  • Review Unified Security Exposure Management integrations
  • Use
  • Create a dashboard in the Findings view page
  • Evaluate vulnerability exposure data with Security Exposure 360
  • AI Security Exposure Management
  • Using the AI guardrails helper skill and agentic workflow
  • Use the AI guardrails helper agentic workflow
  • Use the AI guardrails helper skill
  • Generate vulnerability insights with generative AI
  • Retrieve Vulnerability and exposure data with generative AI
  • Assess vulnerability exposure with generative AI
  • Identify duplicate vulnerable items with generative AI
  • Approval recommendations using generative AI
  • Generate approval recommendations with generative AI
  • Suggest vulnerability solutions with generative AI
  • Analyze remediation status with generative AI
  • Creating an API connector with a generative AI skill
  • Create an API connector with a generative AI skill
  • Reclassify unclassed hardware
  • Bulk edit in the Security Exposure Management Workspace
  • Using bulk edit in the Security Exposure Management Workspace
  • Update the state of records in bulk in the Security Exposure Management Workspace
  • Bulk edit host vulnerable items with patches and solutions
  • Assign records to an assignment group in bulk
  • Remove assignments for host vulnerable items in bulk
  • Request bulk exception in the Security Exposure Management Workspace
  • Bulk edit risk reduction
  • Bulk edit risk reduction restrictions
  • Request risk reduction for findings
  • Bulk edit for false positive in the Security Exposure Management Workspace
  • Close records in bulk in the Security Exposure Management Workspace
  • Use the List view in the Security Exposure Management Workspace
  • Create a customized list of records
  • Create a remediation task manually in the Security Exposure Management Workspace
  • Enable or disable the import of test results for a Qualys test group
  • Modify the severity for a CVE or TPE
  • Use Remediation Effort records
  • Create a remediation effort in the Security Exposure Management Workspace
  • Create a remediation task on-demand from Remediation Effort in the Vulnerability Manager Workspace
  • Create a recurring remediation effort in the Security Exposure Management Workspace
  • Transfer records to remediation efforts in the Security Exposure Management Workspace
  • Approve or reject requests in the Security Exposure Management Workspace
  • Add a compensating control to the library
  • Associate compensating controls with CVEs or TPEs for risk reduction requests
  • Disable or enable risk reduction for a CVE or TPE
  • Examples for remediation task creation in the Security Exposure Management Workspace
  • Exception Management Overview
  • Approver roles required for Security Exposure Management Workspace
  • Questionnaire support in Exception Management via Smart Assessment
  • Questionnaire Configuration form fields
  • Configure an assessment template
  • Use case for False positive or Request Exception Questionnaire
  • Defer a Remediation task
  • Request an extension for a deferred remediation task
  • Request a false positive for a vulnerable item or remediate task
  • Unified Approvals View
  • Add an approver
  • Configure Approval List and Form View
  • Reviewing an Approval Request
  • Review questionnaire to approve or reject requests
  • Employee service center for Vulnerability Response
  • Managing Approvals via the Employee Service Center
  • Unified Approval Rules Overview
  • Create or edit approval rules
  • Create or edit approval levels
  • Create a change request in the Remediation view
  • Reference
  • Security Exposure Management Workspace Components
  • Security Exposure Management Workspace Roles
  • Security Exposure Management Workspace Tables
  • Security Exposure Management Workspace Scheduled Jobs
  • References for generative AI
  • Prompts for the Retrieve Vulnerability Response data agentic workflow
  • Assess vulnerability agentic workflow AI agent collection
  • Remediation workflow AI agent collection
  • Security Exposure Management Knowledge Base articles
  • Security Exposure Management Workspace remediation task rule examples
  • Migration upgrade reference information
  • Security Exposure Management Workspace Roles
  • Visualization widget fields
  • Re-evaluating the exceptions for selected records in the Security Exposure Management Workspace
  • Vulnerability Response
  • Explore
  • Migrating to USEM
  • USEM migration planning
  • Installation of Vulnerability Response and supported applications
  • Vulnerability Response personas and granular roles
  • Vulnerability Response assignment rules overview
  • Vulnerability Response remediation tasks and remediation task rules overview
  • Vulnerability Response remediation target rules
  • Vulnerability classification groups and rules
  • Machine Learning solutions for Vulnerability Response
  • CI lookup rules for identifying configuration items from Vulnerability Response third-party vulnerability integrations
  • Unclassed hardware
  • Unmatched CIs
  • Creating CIs for Vulnerability Response using the Identification and Reconciliation engine
  • Updating CI class for unmatched cloud assets
  • Discovered Items
  • CI changes for discovered items
  • Re-evaluating discovered items
  • Vulnerability Response remediation task and vulnerable item states
  • Vulnerable item age calculation and display
  • Removing assignments from vulnerable items and remediation tasks
  • Vulnerability Response calculators and vulnerability calculator rules
  • Vulnerability Response vulnerable item detections from third-party integrations
  • Vulnerability Solution Management
  • Microsoft Security Response Center Solution Integration
  • Red Hat Solution Integration
  • Rapid7 solution management
  • Generic framework to ingest data from any solution vendor
  • Patch orchestration with Vulnerability Response
  • Exception Management overview
  • Exception rules overview
  • Exclusion rules overview
  • False Positive overview
  • Questionnaire support in Exception Management via Smart Assessment
  • Configure Assessment template
  • Smart Assessment workflow
  • Questionnaire for False positive or Request Exception
  • Watchdog for Vulnerability Response
  • Change management for Vulnerability Response
  • Software exposure assessment using Software Asset Management (SAM Foundation)
  • Vulnerability Crisis Management
  • Domain separation and Vulnerability Response
  • Service Mapping in Vulnerability Response
  • Vulnerability Response implementation
  • Migrate to USEM
  • Install Vulnerability Response
  • Components installed with Vulnerability Response
  • Configuring Vulnerability Response using the Setup Assistant
  • Assign the Vulnerability Response persona roles using Setup Assistant
  • Manage persona and granular roles for Vulnerability Response
  • Install Vulnerability Response third-party applications using Setup Assistant
  • Importing data with the NVD and CWE integrations and managing third-party libraries
  • Install the Solution Management for Vulnerability Response application
  • Install Performance Analytics for Vulnerability Response
  • Vulnerability Response applications and CSDM tables
  • Create or edit Vulnerability Response assignment rules
  • Create a Vulnerability Response assignment rule using ML
  • Create a Vulnerability Response assignment rule for service support
  • Create or edit Vulnerability Response remediation task rules
  • Define fields and weights for the risk rule for Vulnerability Response Risk Calculators
  • Vulnerability Response Rollup Calculators
  • Create or edit a Vulnerability Response remediation target rule
  • Recalculate RT date
  • Examples
  • Configure installed third-party integrations using the Setup Assistant
  • Configure installed solution integrations for Vulnerability Solution Management using Setup Assistant
  • Configure the MS TVM Vulnerability Integration using Setup Assistant
  • Configure the Qualys Vulnerability Integration using Setup Assistant
  • Configure the Tenable Vulnerability Integration using Setup Assistant
  • Setting up vulnerability solution providers
  • Prepare solution integration checklist
  • Preparing the Common Vulnerability Reporting Framework (CVRF) solution integration
  • Preparing the Common Security Advisory Framework (CSAF) solution integration
  • Configure vulnerability solution providers
  • Common Vulnerability Reporting Framework (CVRF)
  • Import Common Vulnerability Reporting Framework data through file import
  • Configure Connection and Credential aliases
  • Configure a Common Vulnerability Reporting Framework vendor other than Cisco
  • Import Common Vulnerability Reporting Framework data from advisories
  • Import Common Vulnerability Reporting Framework (CVRF) data through CVRF URL
  • Troubleshooting Common Vulnerability Reporting Framework data import
  • Common Security Advisory Framework (CSAF)
  • Import Common Security Advisory Framework data through file import
  • Configure Connection and Credential aliases for the Common Security Advisory Framework (CSAF)
  • Configure a Common Security Advisory Framework vendor other than Red Hat
  • Import Common Security Advisory Framework data from advisories
  • Import Common Security Advisory Framework (CSAF) data through CSAF URL
  • Troubleshooting Common Security Advisory Framework data import
  • Additional Vulnerability Response setup and configuration tasks
  • Quick start tests for Vulnerability Response
  • Run the Automated Test Framework (ATF) test suite for Vulnerability Response
  • Install Vulnerability Assignment Recommendations for Vulnerability Response
  • Configure Vulnerability Assignment Recommendations for Vulnerability Response
  • Create and train a solution definition for Vulnerability Response
  • Create a Vulnerability Response calculator
  • Disable the default vulnerability calculator if not used
  • Create, enable, or modify Vulnerability Response auto delete rules
  • Add vulnerability significance charts to the Vulnerability Response homepage
  • Define Vulnerability Response email notifications
  • Define Vulnerability Response email templates
  • Create or edit remediation target notifications
  • Configure the Vulnerability Exposure Assessment
  • Configure Exception Management for Vulnerability Response
  • Add an exception approver
  • Configure approval rules for Exception Management
  • Create configurations for an approval rule
  • Create approval levels for Exception Management
  • Exception management workflow versus flow designer
  • Add a false positive approver
  • Configure questionnaire for risk reduction
  • View Vulnerability Response SLAs for remediation tasks
  • Configure watchdog
  • Configure maximum rows in related list
  • Advanced Vulnerability Response configuration tasks
  • Create domain-separated imports for an integration
  • Create and support multiple domains in the background jobs framework
  • Create a Vulnerability Response CI lookup rule
  • Ignore CI classes
  • Filter decommissioned CIs
  • Auto-promote CIs
  • Detection key configurations for Vulnerability Response
  • Run detection key configuration
  • Configure the vulnerable item key
  • Adding proof to Rapid7 vulnerable item keys
  • Delete all your vulnerable item records and related data in Vulnerability Response
  • Filtering within Vulnerability Response
  • Severity mapping for Vulnerability Response
  • Create a Vulnerability Response severity map
  • Define service classifications for Vulnerability Response reporting and related lists
  • Audit selected fields in the vulnerable items table
  • Vulnerability Response background job framework configuration
  • Define background job configurations in Vulnerability Response
  • Advanced parallel processing for background jobs in Vulnerability Response
  • Integrate
  • AWS Integration for Security Exposure Management
  • Integrations
  • Set up requirements in AWS
  • Install
  • Configure the integrations
  • AWS Inspector data filters
  • AWS Security Hub data filters
  • Reference
  • AWS Inspector data mapping
  • AWS Security Hub data mapping
  • NVD integrations
  • Prepare
  • Run the CWE scheduled job
  • Install the NIST Integration
  • Use
  • Import NVD data manually
  • View NVD import status
  • Add CVEs to third-party entries
  • View libraries
  • Central Vulnerability Database
  • Integrations for Central Vulnerability Database
  • Central Vulnerability Database: versions and dependencies
  • Activate the ENISA EUVD integration
  • Activate the Japanese Vulnerability Notes Integration
  • View the Integrations for Central Vulnerability Database Import Run Status
  • View Central Vulnerability Database vulnerability data
  • Roles and permissions for Integrations for Central Vulnerability Database
  • CISA Known Exploit Vulnerability (KEV) Integration
  • Prepare
  • Install
  • Exploit Prediction Scoring System integration
  • Configure and use
  • Add EPSS Score condition in Risk calculator Business Rule
  • Microsoft Defender Integration for Security Exposure Management
  • Microsoft Threat and Vulnerability Management
  • Preparing for the Microsoft Threat and Vulnerability Management Vulnerability Integration
  • Set up Microsoft Azure for the MS TVM integration
  • Install and configure the Vulnerability Response Integration with the MS TVM application using Setup Assistant
  • Data retrieval settings for the Microsoft Threat and Vulnerability Management Integration
  • REST messages for the Microsoft Threat and Vulnerability Management Vulnerability Integration
  • Data transformation for the Microsoft Threat and Vulnerability Management Vulnerability Integration
  • Integration run status chart for the Microsoft Threat and Vulnerability Management Vulnerability Integration
  • Verify the Microsoft Threat and Vulnerability Management integration import run status
  • Split Microsoft TVM detections based on the vulnerability instance to split vulnerable items
  • Microsoft Defender
  • Migrate from Microsoft Defender for Cloud Integration
  • Install and configure
  • Integration imports
  • HCL BigFix Integration
  • Integrations and dependencies
  • Prepare
  • Install
  • Configure
  • Use to view patch data
  • Schedule patches
  • REST messages
  • Data transformation
  • Example workflow
  • Microsoft SCCM Patch Orchestration Integration
  • Integrations and dependencies
  • Prepare
  • Install
  • Configure the Vulnerability Response Patch Orchestration with Microsoft SCCM integration
  • Use to view patch data
  • Schedule patches
  • REST messages
  • Data transformation
  • Example workflow
  • Qualys Vulnerability Integration
  • Prepare
  • Install
  • Activate the Qualys scanners
  • Use
  • Update configuration items
  • Optional Qualys modifications
  • Advanced Qualys configurations and modifications
  • Vulnerability metadata
  • Import additional metadata
  • Qualys metadata values for vulnerabilities
  • Set additional import filters
  • Resolving integration issues
  • Reporting
  • Integration run status chart
  • Data transformation
  • Dynamic Search List Import
  • Static Search List Import
  • Asset Group Import
  • Appliance Import
  • REST messages
  • Split Qualys detections based on vulnerability instance
  • Installed components
  • Rapid7 Vulnerability Integration
  • Prepare
  • Set up for the data warehouse Integration
  • Set up for the InsightVM Integration
  • Install
  • Configure
  • Filtering by Rapid7 sites
  • Prepend SITE to your Rapid7 InsightVM site tags
  • Use
  • Viewing the run status chart
  • View the dashboard
  • Deduplicate vulnerable items
  • Initiate rescans
  • Set additional filters
  • Shodan Exploit Vulnerability Integration
  • Prepare
  • Install
  • Configure
  • Use
  • View import run status
  • Tenable Vulnerability Integration
  • Tenable.io integrations with the Vulnerability Response and Configuration Compliance applications
  • Tenable.sc integrations with the Vulnerability Response application
  • Tenable.cs
  • Prepare
  • Install
  • Use
  • Data retrieval settings
  • REST messages
  • Data transformation
  • Set import filters
  • Reporting
  • Integration run status
  • Initiate Rescan – Tenable.sc
  • Initiate Rescan – Tenable.io
  • Network partition update
  • Modify import settings
  • Split Tenable detections
  • Configure Test Result Granularity
  • Compliance test uniqueness key
  • Configure compliance test uniqueness key
  • Atlassian Jira Integration
  • Prepare
  • Install
  • Configure
  • Create agile issue manually using list action
  • Create agile issue manually using form action
  • Use
  • Synchronize status of the Jira issue
  • Configure scheduler to create issues automatically
  • Configure scheduler to update issues automatically
  • Configure scheduler to synchronize the Jira status to ServiceNow automatically
  • Palo Alto Prisma Cloud Compute Integration
  • Prepare
  • Install
  • Configure
  • Reference
  • Wiz Vulnerability Response Integration
  • Install
  • Configure
  • Activate the Wiz Asset Integration and identify resource types for import
  • Filter host vulnerabilities
  • Filter container vulnerabilities
  • Configure container vulnerable item keys
  • Filter test results
  • Filter issues
  • Filter host test results
  • Configure the Application List, SCA and Secret integrations
  • Backfill integrations
  • Use
  • Field mapping
  • Manually create a vulnerability integration
  • Define a new vulnerability integration
  • Vulnerability integration script
  • Single call integrations
  • Multiple call integrations
  • Attachments as retrieveData() return values
  • Report processor strategies
  • Use the data source attachment report processor strategy
  • About custom report processor scripts
  • Integration factory script fields
  • Manually run a vulnerability integration
  • Manual ingestion of vulnerabilities
  • Ingest vulnerabilities manually
  • Verify manual integration run
  • Configure auto-close manual detections
  • Verify upload status
  • Template for manual ingestion of vulnerabilities
  • Remediate
  • Verify successful completion of Vulnerability Response integration imports
  • View Vulnerability Response vulnerable item detection data
  • Verify Vulnerability Response vulnerable item detection data on integration run (VINTRUN) records
  • Viewing patch data and scheduling patches in Vulnerability Response
  • Patch data and state rollup for patch orchestration in Vulnerability Response
  • View patches without solutions in Vulnerability Response
  • Viewing patch orchestration data on the Vulnerability Response dashboards
  • View a solution
  • Create a vulnerability solution
  • Manually exclude solutions from third-party records or vice versa
  • Triage vulnerabilities automatically
  • Edit vulnerable items in bulk in Vulnerability Response
  • Ungrouped Vulnerability Response vulnerable items
  • View ungrouped Vulnerability Response vulnerable items
  • Manually add a vulnerable item to a remediation task
  • Remove assignments from vulnerable items and remediation tasks
  • Approve or reject an unassign request in Vulnerability Response
  • Automatic closing of vulnerable items and detections
  • Working with retired configuration items
  • Automatically close vulnerable items related to retired CIs
  • Closing stale detections in Vulnerability Response
  • Automatically close stale detections in Vulnerability Response
  • Create auto-close rules
  • Reclassify unclassed hardware
  • Manually create a remediation task in Vulnerability Response
  • Add users to the Vulnerability Response group
  • Manage individual vulnerable items manually
  • Create Vulnerability Response vulnerable items
  • Defer a vulnerable item
  • Request an extension for a deferred vulnerable item
  • Refresh Vulnerability Response vulnerable items
  • Identify and escalate security issues in third-party software
  • Identify and escalate security issues using NVD
  • Identify and escalate security issues using CWE
  • View the remediation target status of a Vulnerability Response vulnerable item
  • Working with unmatched CIs
  • View and reclassify unmatched configuration items
  • Reconcile unmatched discovered items
  • Reapply CI lookup rules on selected discovered items
  • Reapply CI Lookup Rules Enhancements
  • Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules
  • De-duplicating existing configuration items
  • Resolve remediation tasks
  • Defer a Remediation task
  • Request an extension for a deferred remediation task
  • Close a remediation task
  • Identifying duplicate vulnerable items from multiple scanners
  • Automatically resolve duplicate vulnerabilities
  • Create and edit a classification group
  • Create and edit a classification rule
  • Apply a rule to an existing vulnerability
  • Deactivate or delete a classification rule
  • Create an exclusion rule
  • Change Management tasks for Vulnerability Response
  • Create a change request from a remediation task
  • Associate a remediation task to an existing change request
  • Split a remediation task
  • State synchronization between change requests and remediation tasks
  • Assess your exposure to vulnerable software
  • Viewing assignment recommendations
  • Request assignment group recommendations for a vulnerable item
  • Request assignment group recommendations for multiple vulnerable items
  • Request assignment group recommendations for a remediation task
  • Requesting and approving an exception
  • Request an exception for a vulnerable item
  • Request an exception for a remediation task
  • Request a bulk exception
  • Request an exception using GRC: Policy and Compliance Management
  • Request a bulk exception using GRC: Policy and Compliance Management
  • Approve or reject an exception request in Vulnerability Response
  • Working with an exception rule
  • Create an exception rule
  • Approve an exception rule request
  • Activating an exception rule
  • Request an extension for an exception rule
  • Reopen an exception rule
  • Update an approved exception rule
  • Delete an exception rule
  • Marking and approving a false positive
  • Mark as a false positive
  • Bulk edit for false positive
  • Approve or reject a false positive
  • Analytics and reporting
  • Using the default Vulnerability Response dashboards
  • Platform Analytics Solutions for Vulnerability Management
  • Vulnerability Management CISO dashboard
  • Configure the Scan Coverage reports
  • Configure the PA indicators for the CISO Dashboard
  • SecOps Vulnerability Response Health dashboard
  • Modifying the threshold values
  • Vulnerability Management (PA) dashboard
  • View Performance Analytics for Vulnerability Response [PA] reports in real-time
  • View the Performance Analytics indicators for Vulnerability Response [PA]
  • Aggregated reports framework
  • Configure an aggregation for source data
  • Run multiple aggregations simultaneously
  • Configure the number of aggregations that can run simultaneously
  • Create a report using an aggregation
  • Reference
  • Implementation checklist for the Vulnerability Response application
  • Vulnerability Response remediation task states
  • Detections, remediation tasks, and vulnerable item states
  • Remediation tasks and vulnerable item states
  • State roll-up and roll-down scenarios
  • Remediation task state for Vulnerable Items (VITs) in multiple groups
  • Additional settings for domain separation
  • Discovered Items form fields
  • Vulnerability Response vulnerability form fields
  • Remediation target rule fields
  • Remediation task form fields
  • Questionnaire Configuration form fields
  • Vulnerability Response vulnerable item form fields
  • Solution form fields
  • Approval workflow configurations for unassign request
  • Vulnerability Response remediation task rule examples
  • Risk score calculation example for Vulnerability Response
  • Error handling for detections
  • Mobile experience
  • Set up checklist for the Vulnerability Response Mobile app
  • Log in to the Vulnerability Response Mobile app
  • View, assign, and edit remediation tasks with the Vulnerability Response Mobile app
  • View, reassign, and edit remediation tasks assigned to you with the Vulnerability Response Mobile app
  • Search for remediation tasks with the Vulnerability Response Mobile app
  • Filter records with the Vulnerability Response Mobile app
  • Vulnerability Response Orchestration
  • Scan vulnerability workflow
  • Scan vulnerability item workflow
  • Variables for Create Scan Record for Vulnerabilities activity
  • Application Vulnerability Response
  • Explore
  • Configure
  • Configure Application Vulnerability Response
  • Verify that the scheduled job for updating CWE records is running
  • Verify that the scheduled job for updating NVD records is running
  • Install
  • Define Application Vulnerability Response email notifications
  • Create or edit remediation target notifications in Application Vulnerability Response
  • Exception Management in Application Vulnerability Response
  • Configure Exception Management for Application Vulnerability Response
  • Configure approval rules for Exception Management
  • Deferring remediation in Application Vulnerability Response
  • Add an exception approver for Application Vulnerability Response
  • Requesting and approving an exception in Application Vulnerability Response
  • Request an exception for an application vulnerable item
  • Request an exception for application vulnerabilities using GRC: Policy and Compliance Management
  • Request an exception for an application remediation task
  • Approve exception rules and exception rule extension requests in Application Vulnerability Response
  • Define policy reason mapping
  • Request an extension for an exception rule in Application Vulnerability Response
  • Request an extension for a deferred remediation task in Application Vulnerability Response
  • Request an extension for a deferred application vulnerable item in Application Vulnerability Response
  • Create, delete, and cancel an exception rule for Application Vulnerability Response
  • Application Vulnerability Response remediation tasks and task rules overview
  • Create, edit, and delete Application Vulnerability Response remediation task rules
  • Create an application remediation task manually in Application Vulnerability Response
  • Create auto-close rules
  • Configure penetration testing
  • Configure sprints for penetration testing
  • Configure assessment types for penetration testing
  • Integrate
  • Vulnerability Response Integration with Black Duck
  • Prepare pre-integration tasks for Vulnerability Response Integration with Black Duck
  • Install the ServiceNow Vulnerability Response Integration with Black Duck
  • Configure the Vulnerability Response Integration with Black Duck
  • View the Vulnerability Response Integration with Black Duck import run status
  • Data transformation for the Vulnerability Response Integration with Black Duck
  • Import the project information from the Black Duck integration instance
  • Import Vulnerability Response Integration with Black Duck project versions to the Discovered Applications table
  • Import the application vulnerable items from the Vulnerability Response Integration with Black Duck
  • Set the import times for the Vulnerability Response Integration with Black Duck
  • Include Closed Black Duck application vulnerable items
  • Fortify Vulnerability Integration
  • Preparing for the Fortify Vulnerability Integration
  • Install the ServiceNow Vulnerability Response Integration with Fortify
  • Configure the Fortify Vulnerability Integration
  • View the Fortify Vulnerability Integration import run status
  • Fortify Vulnerability Integration modification and activities
  • Perform a manual Fortify application vulnerability import
  • Import data using the Fortify Vulnerability Integration
  • Include Closed Fortify on Demand application vulnerable items
  • GitHub Application Vulnerability Integration
  • Setup tasks
  • Creating OAuth 2.0 credentials for GitHub Apps - JWT for the GitHub Application Vulnerability Integration
  • Install
  • Configure
  • View import run status
  • View import sets
  • Field mapping
  • Invicti Vulnerability Integration
  • Prepare for the Invicti Vulnerability Integration
  • Install the ServiceNow Vulnerability Response Integration with Invicti
  • Configure the Invicti Vulnerability Integration
  • Viewing the Invicti Vulnerability Integration import run status and records
  • Invicti Vulnerability Integration state mapping
  • Tenable Web Application Scanning Vulnerability Response Integration
  • Configure Tenable Web Application Scanning Vulnerability Response Integration using Setup Assistant
  • Import Applications Data from Tenable Web Application Scanning Vulnerability Response Integration
  • Import Vulnerabilities Data from Tenable Web Application Scanning Vulnerability Response Integration
  • Veracode Vulnerability Integration
  • Preparing for the Veracode Vulnerability Integration
  • Install the ServiceNow Vulnerability Response Integration with Veracode
  • Configure the Veracode Vulnerability Integration
  • View the Veracode Application Vulnerability Integration import run status
  • View Veracode scan summaries
  • Data transformation for the Veracode Vulnerability Integration
  • Veracode Vulnerability Integration modifications and activities
  • Wiz Application Vulnerability Response Integration
  • Manual ingestion of vulnerabilities for Application Vulnerability Response
  • Upload application vulnerabilities using a template file
  • Verify integration run
  • Verify upload status
  • Remediate
  • View vulnerability libraries
  • Application Vulnerability fields
  • Identify applications in Application Vulnerability Response automatically
  • Create a CI lookup rule
  • Reapplying CI Lookup rules in Application Vulnerability Response
  • Prevent duplicate or orphaned records after running Application Vulnerability Response CI lookup rules
  • Assign application vulnerable items in Application Vulnerability Response automatically
  • Create or edit Application Vulnerability Response assignment rules
  • Removing assignments from Application Vulnerability Response vulnerable items and remediation tasks
  • Calculate risk in Application Vulnerability Response automatically
  • Define fields and weights for the risk rule
  • Create an application vulnerability calculator
  • Map the severity of an application vulnerable item automatically
  • Filtering within Application Vulnerability Management
  • Automate remediation target tracking in Application Vulnerability Response
  • Create or edit application remediation target rules
  • View the remediation target status of an application vulnerable item
  • Close a remediation task
  • Change Management for Application Vulnerability Response
  • Create a change request for Application Remediation task
  • Associate a remediation task to an existing change request
  • Penetration testing
  • Create a penetration test assessment request from existing requests (v19.0)
  • Create a penetration test assessment request (prior to v19.0)
  • Replicate a penetration test request in closed state
  • Create penetration test findings based on assessment requests (prior to v19.0)
  • Create an application vulnerability entry
  • Penetration testing workspace
  • Create a new penetration testing assessment request
  • Create penetration test findings based on an assessment questionnaire
  • Publish the assessment questionnaire
  • Use an assessment questionnaire
  • Penetration Testing Dashboard
  • Penetration Dashboard components
  • Analytics and reporting
  • Application Vulnerability Management (PA) dashboard
  • My Application Vulnerabilities dashboard
  • Aggregated reports framework for Application Vulnerability Response
  • Reference
  • Application Vulnerability Response user groups and roles
  • Components installed with Application Vulnerability Response
  • Application Vulnerable Item (AVI) states
  • Application Vulnerability Response remediation task rule examples
  • Scanned application fields
  • Application Vulnerable Item fields
  • Penetration testing states
  • Managing state mapping for deferrals and false positives in Application Vulnerability Response
  • Application Vulnerability Response references
  • Exception rule example for Application Vulnerability Response
  • Application Vulnerability Response product view
  • Container Vulnerability Response
  • Explore
  • Container Vulnerability Response remediation task and container vulnerable item states
  • Configure
  • Install
  • Configuring granularity keys
  • Configure granularity keys
  • Define Container Vulnerability Response email notifications
  • Create or edit remediation target notifications
  • Configure Exception Management for Container Vulnerability Response
  • Configure approval rules for Exception Management
  • Quick start tests for Container Vulnerability Response
  • Run the Automated Test Framework (ATF) test suite for Container Vulnerability Response
  • Integrate
  • AWS Security Exposure Management Container Vulnerability Integrations
  • Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute integration
  • Preparing for the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute
  • Install the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute
  • Configure the Vulnerability Response Integration with Palo Alto Networks Prisma Cloud Compute application
  • Wiz Container Vulnerability Integration
  • Remediate
  • Container Vulnerability Response calculator rules
  • Container Vulnerability Response assignment rules
  • Container Vulnerability Response remediation target rules
  • Exception management in Container Vulnerability Response
  • Requesting and approving an exception in Container Vulnerability Response
  • Request an exception for a container vulnerable item
  • Request an exception for a container remediation task
  • Request an exception for container vulnerabilities using GRC: Policy and Compliance Management
  • Define a policy reason mapping
  • Approve an exception request in Container Vulnerability Response
  • Defer a container vulnerable item in Container Vulnerability Response
  • Request an extension for a deferred container vulnerable item
  • Working with an exception rule in Container Vulnerability Response
  • Create an exception rule in Container Vulnerability Response
  • Approve an exception rule request in Container Vulnerability Response
  • Activating an exception rule in Container Vulnerability Response
  • Reopen an exception rule in Container Vulnerability Response
  • Update an approved exception rule in Container Vulnerability Response
  • Delete an exception rule in Container Vulnerability Response
  • Request an extension for a deferred remediation task in Container Vulnerability Response
  • Request an extension for an exception rule in Container Vulnerability Response
  • Marking and approving a false positive container vulnerability item
  • Mark as a false positive in Container Vulnerability Response
  • Approve a false positive
  • Container Vulnerability Response remediation tasks and task rules overview
  • Create, edit, and delete Container Vulnerability Response remediation task rules
  • Create auto-close rules for Container Vulnerability Response
  • Removing assignments from container vulnerable items and remediation tasks
  • Close a remediation task
  • IT Operations Management and pattern discovery
  • Analytics and reporting
  • Container Vulnerability Response dashboard
  • Aggregated reports framework for Container Vulnerability Response
  • Reference
  • Components installed with Container Vulnerability Response
  • Container Vulnerability Response glossary
  • Container Vulnerable Item form fields
  • Prisma Cloud Compute Configuration form
  • Request Exception form
  • Exception Rule form
  • Domain separation and Container Vulnerability Response
  • Configuration Compliance
  • Explore
  • Data Import
  • Discovery
  • Correlation
  • Discovery Items
  • Managing CI
  • Reconciling unmatched items
  • Reapply CI lookup rules
  • Tenable Vulnerability Integration
  • CI lookup rules
  • Deduplicating CIs
  • Creating CIs using IRE
  • Assignment rules
  • Removing assignments
  • Remediation task and rules
  • Calculator groups and calculators
  • Exception management
  • Change management
  • Configure
  • Install
  • Assignment rules
  • Remediation target rules
  • Calculator groups
  • Creating Calculator group
  • Calculator rules
  • Defining field and weight
  • Editing risk rollup calculator
  • Manage risk calculators
  • Risk score calculation examples
  • Creating remediation task rules
  • Set duration for remediation task exceptions
  • Configure exception management
  • Adding exception approver
  • Creating criticality map
  • Creating email notification
  • Configure exception approvals
  • Configure approval rule
  • Configure approval levels
  • Workflow Vs Flow designer
  • Integrate
  • AWS Security Exposure Management Test results integration
  • Palo Alto Prisma Cloud
  • Pre-Installation checklist
  • Install
  • Configure
  • Verify import run status
  • Data mapping
  • REST messages
  • Qualys
  • Configure PCRS
  • Components installed with the Qualys Integration for Security Operations
  • Update CIs with network partition
  • Set Import Filters
  • Configure Test Result Granularity
  • Resolve integration issues
  • Fix Missing Attachments
  • Modify transform maps
  • Check XML attachment size
  • Data retrieval limitations
  • Fix KB integration
  • Integration run status chart
  • REST messages
  • Qualys API field mappings
  • Tenable Vulnerability Integration
  • Tenable.io integrations with the Vulnerability Response and Configuration Compliance applications
  • Tenable.sc integrations with the Vulnerability Response application
  • Tenable.cs
  • Prepare
  • Install
  • Use
  • Data retrieval settings
  • REST messages
  • Data transformation
  • Set import filters
  • Reporting
  • Integration run status
  • Initiate Rescan – Tenable.sc
  • Initiate Rescan – Tenable.io
  • Network partition update
  • Modify import settings
  • Split Tenable detections
  • Configure Test Result Granularity
  • Compliance test uniqueness key
  • Configure compliance test uniqueness key
  • Explore Wiz Test Results and Issues
  • Remediation
  • Manually create a Configuration Compliance remediation task
  • Manually create a Configuration Compliance remediation task from the Test Results list
  • Create a change request in Configuration Compliance
  • Associate a remediation task to an existing change request
  • Split a remediation task
  • Remove assignments from remediation tasks for you or your groups
  • Approve an unassign request in Configuration Compliance
  • Automatic closing of test results
  • Working with retired configuration items in Configuration Compliance
  • Automatically close test results related to retired CIs
  • Automatically closing stale test results in Configuration Compliance
  • Use Auto-Close Stale Test Results in Configuration Compliance
  • Close a remediation task
  • Requesting and approving an exception for a remediation task
  • Request an exception for a remediation task in Configuration Compliance
  • Request an extension for an exception rule in Configuration Compliance
  • Request an exception for remediation tasks using GRC: Policy and Compliance Management
  • Approve an exception request in Configuration Compliance
  • Define policy reason mappings
  • Analytics and reporting
  • Reporting overview
  • Dashboard
  • Activate performance analytics
  • View dashboard
  • Aggregated reports framework
  • Reference
  • Components installed
  • Test groups
  • Authoritative Sources
  • View technologies
  • View tests
  • View test results
  • View remediation task
  • State transition
  • State synchronization
  • Domain separation
  • Criticality maps
  • States, precedence, examples
  • Resolve import issues
  • Modify PC results start date
  • CI lookup rules
  • Vulnerability Response Workspaces
  • Vulnerability Response workspaces overview
  • Patch orchestration with the Vulnerability Response Workspaces
  • Vulnerability Response Workspaces and updates to remediation tasks and remediation task rules
  • Configure
  • Vulnerability Manager Workspace
  • Explore
  • Home page in the Vulnerability Manager Workspace
  • Watch Topics page in the Vulnerability Manager Workspace
  • Related items list and visualizations in a watch topic
  • Remediation efforts in the Vulnerability Manager Workspace
  • Life cycles of remediation efforts, remediation tasks, and records in the Vulnerability Response Workspaces
  • Dashboards page in the Vulnerability Manager Workspace
  • List page in the Vulnerability Manager Workspace
  • Bulk edit in the Vulnerability Manager Workspace
  • Understanding compensating controls for risk reduction
  • Analytics and reporting solutions for the Unified Vulnerability Response Dashboard
  • Unified Vulnerability Response Dashboard
  • Monitor and manage vulnerable items and test results
  • Open search results in Vulnerability Manager Workspace
  • Create and apply filters to the summary of active records (VITs, AVITs, CVITs and CTRs)
  • Use watch topics in the Vulnerability Manager Workspace
  • Create a watch topic in the Vulnerability Manager Workspace
  • Edit or delete a watch topic in the Vulnerability Manager Workspace
  • Deactivate or activate a watch topic
  • Use Remediation Effort records
  • Create a remediation effort in the Vulnerability Manager Workspace
  • Create a remediation task on-demand from Remediation Effort in the Vulnerability Manager Workspace
  • Create a recurring remediation effort in the Vulnerability Manager Workspace
  • Transfer records to remediation efforts in the Vulnerability Manager Workspace
  • Add a compensating control to the library
  • Associate compensating controls with CVEs or TPEs for risk reduction requests
  • Disable or enable risk reduction for a CVE or TPE
  • Rescan records and remediation tasks in the Vulnerability Manager Workspace
  • Re-evaluate the remediation properties of the records in the Vulnerability Manager Workspace
  • Direct Deferral of Vulnerable Items (VITs) by Exception Rules Without Remediation Task Creation
  • Use the List view in the Vulnerability Manager Workspace
  • Create a customized list of records
  • Create a remediation task manually in the Vulnerability Manager Workspace
  • Enable or disable the import of test results for a Qualys test group
  • Modify the severity for a CVE or TPE
  • Approve or reject requests in the Vulnerability Manager Workspace
  • Set up email notifications in the Vulnerability Response Workspaces
  • Remediate
  • Using bulk edit in the Vulnerability Manager Workspace
  • Update the state of records in bulk in the Vulnerability Manager Workspace
  • Bulk edit host vulnerable items with patches and solutions
  • Assign records to an assignment group in bulk
  • Remove assignments for host vulnerable items in bulk
  • Request bulk exception in the Vulnerability Manager Workspace
  • Bulk edit for false positive in the Vulnerability Manager Workspace
  • Close records in bulk in the Vulnerability Manager Workspace
  • Request exceptions for remediation tasks and records in the Vulnerability Manager Workspace
  • Request an extension for a deferred vulnerable item in the Vulnerability Manager workspace
  • Vulnerability Manager Workspace reference information
  • Create Watch Topic form fields
  • GRC request exception form fields
  • Generate remediation digest form fields
  • Impact of the compensating controls on risk score and expiration date
  • Examples for remediation task creation in the Vulnerability Manager Workspace and IT Remediation Workspace
  • Re-evaluating the exceptions for selected records in the Vulnerability Manager Workspace
  • IT Remediation Workspace
  • Explore
  • View a workflow example in the IT Remediation Workspace
  • Home page in the IT Remediation Workspace
  • Dashboards page in the IT Remediation Workspace
  • List page in the IT Remediation Workspace
  • Use
  • Open search results in IT Remediation Workspace
  • Use the email digest in the Vulnerability Response Workspaces
  • Create a list in the IT Remediation Workspace
  • Use records in the IT Remediation Workspace
  • Create a remediation task manually in the IT Remediation Workspace
  • Use remediation task records in the IT Remediation Workspace
  • Assign a remediation task or record to yourself in the IT Remediation Workspace
  • View configuration items with vulnerabilities in the IT Remediation Workspace
  • Create a change request in the IT Remediation Workspace
  • Split a remediation task in the IT Remediation Workspace
  • Request a false positive for a vulnerable item or remediation task
  • Request a false positive for a set of test results
  • Request an exception in the IT Remediation Workspace
  • Request an exception using GRC: Policy and Compliance Management in the IT Remediation Workspace
  • Request risk reduction for a vulnerable item or remediation task
  • Rescan vulnerable items and remediation tasks in the IT Remediation Workspace
  • Rescan Qualys vulnerable items from the Vulnerability Response workspaces
  • Rescan Rapid7 vulnerable items from the Vulnerability Response workspaces
  • Rescan Tenable.io and Tenable.sc vulnerable items from the Vulnerability Response workspaces
  • Reference
  • Create change request form fields
  • Request exception form fields for policy exceptions
  • Request exception form for risk reduction
  • Explore the Vulnerability Assessment Workspace
  • Explore
  • Exposure assessment by CVE
  • Add CVEs to assess exposure
  • Create VIs for CVEs for exposure assessment
  • Activate or deactivate CVEs for exposure assessment
  • Export impacted CIs for exposure assessment
  • Confidence score calculation example
  • View vulnerable software details
  • Confidence score reference tables for exposure assessment
  • Exposure assessment by software
  • Add software for exposure assessment
  • Create VIs for software for exposure assessment
  • Activate or deactivate software for exposure assessment
  • Export impacted CIs for software in the Vulnerability Assessment workspace
  • Exposure assessment by publisher software
  • Add software by a publisher for exposure assessment
  • Create VIs for software by a publisher for exposure assessment
  • Activate or deactivate software by a publisher for exposure assessment
  • Export impacted CIs for software by a publisher in the Vulnerability Assessment workspace
  • Explore
  • Create a vulnerability assessment record
  • Update the vulnerability assessment auto-flush record
  • Modify the vulnerability assessment record
  • Perform an assessment
  • Assessment tab
  • Overview tab
  • Assign a priority and exposure level to the vulnerability assessment record
  • Add affected CIs to the assessment record
  • Create vulnerable items for the affected CI or affected software component
  • Link the vulnerability assessment record to major security incident in Major Security Incident Management
  • Software Bill of Materials
  • Explore
  • Supported applications
  • Configure
  • Install supported applications
  • Configuring the Deps.dev, OSV.dev, and PaCE integrations
  • Use
  • Uploading files using a REST API
  • Upload files manually
  • Uploading DevOps SBOM files
  • Classifying licenses and resolving component licenses
  • Classify imported licenses
  • Resolve licenses to components
  • Reviewing reports and dashboards
  • Review the Home page in the workspace
  • Reviewing the Components module
  • Creating rules for application vulnerable items
  • View SBOM upload status
  • Checking an SBOM entity for vulnerabilities
  • Components installed with Software Bill of Materials applications
  • Create an application vulnerable item rule in the workspace
  • Enterprise security case management applications
  • Security Incident Response
  • Understanding Security Incident Response
  • Domain separation and Security Incident Response
  • Security Incident Response setup
  • Install and configure Security Incident Response
  • Download and install the Security Analyst Workspace
  • Components installed with Security Incident Response
  • Other additional Security Incident Response setup tasks
  • Setup Assistant reference
  • Configure the Security Analyst Workspace
  • Set up primary and secondary filters for Security Analyst Workspace
  • Security Analyst Workspace properties
  • Additional Security Analyst Workspace configuration
  • Landing page filter configuration
  • Enable UI Actions
  • Form UI actions
  • Related List configuration
  • Related List UI Actions
  • Form configuration system properties
  • Enable playbooks for analyst selection
  • Troubleshooting Security Incident Response
  • Security Incident Response Platform Analytics Solutions
  • CISO dashboard
  • Security Incident Management Premium dashboard
  • Security Incident Management dashboard
  • Security Incident Explorer dashboard
  • Security Operations Efficiency dashboard
  • Security Incident Response Workspace
  • Explore
  • SIR Workspace plugins
  • SIR Workspace features
  • SIR Workspace interface overview
  • Upcoming section
  • View upcoming tasks
  • Quick links section
  • Working with quick links
  • Shift Handover Records section
  • List view in SIR Workspace
  • Personalize a list
  • Apply quick filters on Security Incidents and Response Tasks lists
  • Assign Security Incidents
  • Close multiple security incidents
  • Assign Response Tasks
  • Report Phish Email
  • Working with quick filters
  • Add or modify quick filters
  • Export Security Incidents or Response Tasks
  • Manage Shift Handover records
  • Configure
  • Set up view of SIR Records
  • Configure SI design time investigation
  • Creating View for associated info tables
  • Adding an entry point list
  • Mapping View of the Associate Info to the entry point list
  • Configure each associated list
  • SIR Workspace Related Records
  • Define the new Risk Score Calculator Rules
  • Risk Score Calculator for Additional Related Tables
  • Configure Shift Handover
  • Configure Shift Handover Templates
  • Create shifts through Security Incident Response Workspace
  • Security Incident Response conference call integration
  • Manage Conference Call users and groups
  • Integrate SIR with third-party communication channels
  • Configure report templates in Security Incident Response
  • Create a Report Template in Security Incident Response
  • System properties for reports
  • Duplicate a report template in Security Incident Response
  • Edit a report template in Security Incident Response
  • On-Call scheduling in Security Incident Response
  • Category management in Security Incident Response
  • Create a security incident category
  • Create a security incident subcategory
  • View and update Security Incident Response system properties
  • Configure default landing tab for security analysts
  • Configure auto refresh interval for security incident lists
  • Configure default view for contextual menu
  • Create quick filters for Security Incidents and Response Tasks lists
  • Timeline in Security Incident Response Workspace
  • Configure timeline event configurations
  • Use
  • Working with Security Incident Records
  • Security Incident Overview section
  • Security Incident Details section
  • Security incident Details tab
  • SIR Workspace Orchestration
  • Investigation Canvas
  • Explore Investigation Canvas
  • Unified experience framework
  • Capabilities and modal screens
  • Examples
  • Example 1: Run Threat Lookup
  • Select implementations
  • Example 2: Run Sighting Search
  • Example 3: Run Additional Actions
  • Security Incident Response Tasks
  • Create a Response Task
  • Security Incident Response Other Records
  • Security Incident Response Post Incident Review
  • Update information in security incident related records
  • TISC integration within SIR Workspace
  • Send data from SIR Workspace to TISC
  • System properties to send data
  • Add security incident to TISC case
  • Add observables to TISC Case
  • Send Observables to TISC
  • Send Threat Lookup to TISC
  • Send Sighting Search to TISC
  • Send Observable Enrichment to TISC
  • Working with TISC Context
  • Add observables to TISC Case
  • View related info from TISC
  • View Enrichment Results
  • Reports in Security Incident Response
  • Create a report
  • Edit a report
  • Delete a report
  • Collaborate using conference call or chat in Security Incident Response
  • Start a conference call in Security Incident Response
  • Add participants to active Conference Call
  • Start a Sidebar chat in Security Incident Response
  • Viewing incident details with a relationship graph
  • Customize a relationship graph
  • Create a relationship graph for an incident
  • MITRE attack and defend technique graph
  • View and filter the incident timeline
  • Security Incident Playbook
  • Prerequisites for the Playbooks
  • Rebuilding existing playbooks in Workflow Studio
  • Activity Definitions
  • Example Activity Definition: Send email
  • Create an Activity Action
  • Submit to CSF X Sandbox
  • Sample Playbooks for SIR Workspace
  • Working with MSI Records
  • Propose as Major Security Incident
  • Promote to Major Security Incident
  • Link to Major Security Incident
  • Working with Form UI actions
  • Security Incident Closure workflow
  • Handle security incidents using AWA
  • View SIR Workspace Dashboards
  • View Security Analyst Overview dashboard
  • View Security Incident Explorer dashboard
  • View Security Incident Management dashboard
  • View Security Operations Efficiency dashboard
  • View Security Incident Response Premium KPIs dashboard
  • View Context Sensitive Analytics - SI dashboard
  • View CISO dashboard
  • View CISO Reporting Overview dashboard
  • View Security Incident Manager Overview dashboard
  • View Security Incident Response Health dashboard
  • Security incident creation
  • Security incident manual creation
  • Create from Security Incident list
  • Create from Security Incident Catalog
  • Create from Event Management alert
  • Security incident automatic creation
  • Security incidents created from events and alerts
  • Data imported into security alerts
  • Create security incidents from User Reported Phishing emails
  • Record creation from security incidents
  • Create a change, incident, or problem
  • Create a Customer Service case
  • Add a security incident to a security case
  • Create response tasks
  • Manage Predictive Intelligence for User Reported Phishing
  • Predictive Intelligence for User Reported Phishing
  • Required components and plugins
  • Final verdict generation for User Reported Phishing
  • Troubleshooting
  • Configure Predictive Intelligence for User Reported Phishing
  • Assigning security analysts
  • Process Mining Workspace for Security Incident Response
  • Create process mining project for security incidents
  • Process Mining use cases for security incidents
  • Advanced Work Assignment for SIR
  • Configure AWA for SIR Workspace
  • Managing security incidents and inbound requests
  • Create an inbound request
  • Manage observables
  • Show IoC information for a security incident
  • Create a security incident observable
  • Manage file observables
  • Edit a security incident observable list
  • Add multiple security incident observables
  • Automatic security incident observable log data enrichment
  • Publish observables to a third-party watchlist
  • Manage lookups and scans
  • Submit an IoC Lookup request from a security incident
  • Submit an IoC Lookup request from the Security Incident Catalog
  • Submit scan request from security incident
  • Submit scan request from SIR catalog
  • Define new on-demand orchestrations
  • Register new Security Operations applications
  • Add information to a security incident
  • Add problems, changes, and incidents
  • Invoke a process dump for an enriched process in Windows
  • View information in a security incident
  • Parent and child security incident relationships
  • View affected items for a security incident
  • Add unmatched affected user for security incidents
  • View related items for a security incident
  • View enrichment data for a security incident
  • View response task information for a security incident
  • View related events and alerts in security incidents
  • View security incident to customer service case mapping
  • View a Security Incident Response runbook
  • Identify affected configuration items
  • Calculate the severity of a security incident
  • Search for and delete phishing emails
  • Create a security incident knowledge article
  • Escalate a security incident
  • Manage post incident activities
  • Assign post incident review roles
  • Post incident review report
  • Manage Post Incident Review Report
  • Configure an assessment trigger condition
  • Assessment trigger conditions examples
  • Perform a questionnaire-based post incident review
  • Create post incident review questionnaire categories
  • Compose post incident review questions
  • Create post incident review assignment rules
  • Close security incidents
  • Add closure information to a security incident
  • Restrict access to security incidents
  • Manage security threats using the Security Analyst Workspace
  • Resolve security threats with the playbook
  • Sightings searches on phishing and malware attacks
  • Playbook Resources
  • Activate a Security Incident Response flow
  • Security Incident Response playbooks
  • Process-based Playbooks
  • Playbook for Manual Phishing
  • Create playbooks for Manual Phishing in Workflow Studio
  • Add parallel activities
  • Using the Manual Phishing playbook
  • Workspace Playbook summary
  • Playbook for Automated Phishing
  • Create processes for Automated Phishing in PAD
  • Using the Automated Phishing playbook
  • Playbook for Manual Malware
  • Create processes for Manual Malware in PAD
  • Using the Manual Malware playbook
  • Playbook for Automated Malware
  • Create processes for Automated Malware in PAD
  • Using the Automated Malware playbook
  • Playbook for Failed Login Manual
  • Create processes for Failed Login Manual in PAD
  • Using the Failed Login Manual playbook
  • Flow-based Playbooks
  • Playbook for Automated Phishing
  • Run the automated phishing response playbook flow
  • View flow action designer
  • View subflow designer
  • Playbook for Automated Malware
  • Run the automated malware playbook flow
  • Playbook for Failed Login Manual
  • Playbook for Child Security Incident Automation
  • Playbook for Office 365 - Malicious File Detected
  • Set up the Office Malicious File Detected playbook
  • Use the Office 365 Malicious File Detected playbook
  • Playbook for Repeat Detection
  • Set up the Repeat Detection playbook
  • Use the Repeat Detection playbook
  • Playbook for Spoofed Emails (using the same Display name)
  • Set up the playbook
  • Use the playbook
  • Playbook for Endpoint Detection
  • Set up the Endpoint Detection playbook
  • Use the Endpoint Detection playbook
  • Playbook for Possible Password Spray
  • Set up the Possible Password Spray playbook
  • Use the Possible Password Spray playbook
  • Playbook for T1003 - Detect Credential Dumping Tools
  • Set up the T1003 - Detect Credential Dumping Tools playbook
  • Use the T1003 - Detect Credential Dumping Tools playbook
  • Playbook for Email Domain Spoofing Detection
  • Set up the Email Spoof Detection playbook
  • Use the Email Domain Spoofing Detection playbook
  • Playbook for Typo Squatted Domain
  • Set up the Typo Squatted Domain playbook
  • Use the Typo Squatted Domain playbook
  • Playbook for Credential Sniffing
  • Set up the Credential Sniffing playbook
  • Use the Credential Sniffing playbook
  • Playbook for T1070 - Windows Events Logs Cleared
  • Set up the T1070 - Windows Events Logs Cleared playbook
  • Use the T1070 - Windows Events Logs Cleared playbook
  • Playbook for OSquery of External Address in /etc/hosts file
  • Set up the playbook
  • Use the playbook
  • Playbook for User Deleting Bash History - Cloud
  • Set up the User Deleting Bash History playbook
  • Use the User Deleting Bash History playbook
  • Playbook for successful VPN attempts from service accounts
  • Set up the playbook
  • Use the playbook
  • Playbook for Attempted Access to Deactivated Accounts
  • Set up the Attempted Access Deactivated Account playbook
  • Use the Attempted Access to Deactivated Accounts playbook
  • Playbook for T1003 - Defense Evasion - Mimikatz DCShadow
  • Set up the playbook
  • Use the playbook
  • Playbook for T1003 - Credential Dumping - Mimikatz DCSync
  • Set up the playbook
  • Use the playbook
  • Playbook for Okta User Login Failures from Multiple IPs
  • Set up the playbook
  • Use the playbook
  • Playbook for ModSec Brute force by IP Burst
  • Set up the ModSec Brute force by IP Burst playbook
  • Use the ModSec Brute force by IP Burst playbook
  • Security Incident Response playbook actions
  • Visual representation of Security Incident Response reporting
  • Security Incident Response Overview dashboard
  • Access Security Incident Response Explorer
  • Security incident map
  • Add map to Security Incident Response overview
  • Modify security incident map
  • Security incident treemaps
  • Add treemaps to the Security Incident Response overview
  • Create or update a treemap category
  • Create or update a treemap indicator
  • Add vulnerability significance charts to an overview
  • Major Security Incident Management
  • Explore
  • Major Security Incident Management
  • Get started with MSIM
  • Checklist for MSIM setup
  • Major Security Incident Management roles
  • Integrate
  • Integrate Major Security Incident Management with Microsoft SharePoint
  • Register application at Azure portal
  • Use certificates for authentication
  • Configure Microsoft SharePoint with Major Security Incident Management
  • Integrate Major Security Incident Management with Microsoft Teams
  • Register a new application at Azure portal for Microsoft Teams connections
  • Configure Microsoft Teams connection with Major Security Incident Management
  • Establish MS Teams Graph connection on ServiceNow AI Platform
  • Using Certificates for authentication
  • Attach a Java Key Store certificate for MS Teams
  • Configure the JWT signing key for MS Teams
  • Configure the JWT provider for MS Teams
  • Establish a connection using certificates
  • Using Client Secret value
  • Establish a connection using client secret
  • Activate MS Teams chat connector
  • Major Security Incident Management Conference Call Integration
  • Start a conference call
  • Add participants to a conference call
  • Mute participants in a conference call
  • View conference call details
  • Integrate MSIM Conference Calls with Microsoft Teams
  • Use the MSIM Conference Call Microsoft Teams integration
  • Integrate MSIM Conference Calls with Zoom
  • Use the MSIM Conference Call Zoom integration
  • Integrate MSIM Conference Calls with Cisco Webex
  • Use the Conference Calls Cisco Webex integration
  • Configure
  • Configure File Explorer Component
  • Get Started with File Explorer
  • Configure File Explorer Repository Drive
  • Configure Folder and File Action Settings
  • Create Folder Templates
  • File Explorer Activity Stream in Workspace
  • File Explorer troubleshooting
  • Configure Microsoft Teams
  • Get started with Microsoft Teams
  • Activate MS Teams as a chat provider
  • Create a chat channel template
  • View Chat Message Activity
  • Microsoft Teams Chat Connector troubleshooting for MSIM
  • Configure Slack chat connector for major security incidents
  • Get started with Slack chat connector configuration
  • Create a chat channel template for Slack
  • Activate Slack as a channel provider
  • View chat message activities in Slack
  • Administer
  • MSIM workspace
  • Use
  • Propose, promote, and link incident records
  • Propose as a Major Security Incident
  • Promote to a Major Security Incident
  • Link to Major Security Incident
  • Using MSI List view in the MSIM workspace
  • View Major Security Incident impact metrics
  • View Major Security Incident trend charts
  • Update Major Security Incident details
  • Restrict access to certain major security incidents
  • Link additional records to Major Security Incident
  • Unlink records from Major Security Incident
  • Manage tasks in a Major Security Incident
  • Manage tasks using the Visual Task Board
  • Manage tasks using the List view
  • Track collaboration activity via MSIM workspace
  • Create and distribute MSIM Status Reports
  • Manage MSIM status reports
  • Configure Major Security Incident status reports
  • Create a Report Template
  • Add Branding to your Report Templates
  • Use Visualizations in Report Templates
  • Use Reports Lists in Report Templates
  • Use Template Scripts in your Report Templates
  • Preview the Report Template
  • Create a Report Section Template
  • Create a Report Subsection Template
  • Create Report Subsection Element template
  • Create a Free Form Type Element
  • Create a Visualization Type Element
  • Create a List Type Element
  • Create a Custom Type Element
  • Add system properties
  • MSIM Playbooks
  • Playbook for Legal Request
  • Create processes for Legal Request playbook
  • Using the Legal Request playbook
  • Rollup Framework for MSIM
  • Configure Linked Records in Major Security Incident Management
  • Configure Rollup Records in Major Security Incident Management
  • Configure List Layout in Major Security Incident Management
  • Rollup example use case implementation for a Security Case
  • Step 1. Create linked record configuration
  • Step 2. Create a view for modal window
  • Step 3. Create UI actions for Source Table
  • Step 4. Create view for Linked Record tab
  • Step 5. Add Access Control Lists
  • Step 6. Create business rules
  • Step 7. Create rollup record configurations
  • Perform on demand atomic rollup
  • Security Incident Response integrations
  • ArcSight ESM Event Ingestion integration
  • Set up instance
  • Set up Query Viewer
  • Configure
  • Use
  • Create a profile
  • Select correlation events
  • Map event fields
  • Create mappings for ArcSight ESM event ingestion integration
  • Preview security incident
  • Create a schedule
  • Automate event updates
  • Integration Settings
  • Troubleshoot
  • Copy profile
  • Format correlation event values
  • Subflow execution
  • Amazon Web Services (AWS) Security Hub integration
  • Explore
  • Register
  • Configure
  • Create profile
  • Map finding fields
  • Define filter and aggregation criteria
  • Schedule finding retrieval
  • Automate updates and closures
  • Preview findings
  • Carbon Black - Incident Enrichment integration
  • Configure
  • Carbon Black integration
  • Configure
  • Check Point Anti-bot - Email Parser integration
  • Configure
  • Check Point Next Generation Threat Prevention integration
  • Configure
  • Create API account
  • Set up integration
  • Activate
  • Working with block lists
  • Create block list
  • Activate block list
  • Configure block list
  • Submit entries from incident
  • Submit entries from Block List
  • Approve block list entries
  • Block list entry exceptions
  • Edit security tag name
  • Uninstall integration
  • CrowdStrike Falcon Host integration
  • Explore
  • Configure
  • CrowdStrike Falcon Insight integration
  • Explore
  • Generate client ID and secret key
  • Configure
  • Create an approval group
  • Create profile
  • Configure profile settings
  • Set trigger condition
  • Verify trigger conditions
  • Trigger profile manually
  • Create and configure a profile for the sighting search
  • Create indicators
  • Block Request Category List
  • Block List Entries
  • Allow List Entries
  • Trigger additional actions
  • Use
  • CrowdStrike Next-Gen SIEM integration
  • Explore
  • Install and configure
  • Create a detection profile
  • Set correlation rules
  • Map detection fields
  • Define filter and aggregation criteria
  • Schedule detection retrieval
  • Automate detection updates
  • CrowdStrike Falcon X Sandbox integration
  • Install and configure
  • Set up submission configurations
  • Submit observables to Sandbox
  • Automate submissions
  • Monitor submission results
  • Tag security incidents with the Sandbox submission status
  • Review global settings
  • Elasticsearch Incident Enrichment integration
  • Configure
  • FireEye Endpoint Security integration
  • Set up instance
  • Timestamp settings
  • Configure integration
  • FireEye Default Settings
  • Create a profile
  • Explore
  • Configure profile
  • Verify the Trigger Condition Filters
  • Trigger a FireEye capability profile from Related Links
  • Trigger a capability profile
  • FireEye Get File Capability
  • FireEye Additional Actions on Endpoint
  • Configure
  • Invoke Sighting Search from a Security Incident
  • Have I been pwned? integration
  • Have I been pwned? integration setup
  • Threat Lookup - Have I been pwned? flow
  • Activate
  • Update X.509 certificate
  • HPE Security ArcSight ESM - Email Parser integration
  • Configure
  • HPE ArcSight Logger - Incident Enrichment integration
  • Configure
  • Hybrid Analysis integration
  • Install and configure
  • Verify expected results
  • Attach observable
  • IBM QRadar Offense Ingestion Integration
  • Install and configure
  • Set up instance
  • Set up IBM QRadar profile
  • Create a profile
  • Select IBM QRadar rules
  • Map offense fields
  • Ingesting the sample IBM QRadar offenses
  • Map offense fields
  • Preview security incident
  • Define schedule
  • Automate offense updates
  • Configuration settings
  • Optional: Copy an IBM QRadar profile
  • Domain separation and IBM QRadar Offense Ingestion
  • Security Incident Response form after offense ingestion
  • Use
  • Troubleshoot
  • IBM QRadar - Incident Enrichment Integration
  • Configure
  • LogRhythm Overview
  • Set up REST API
  • Install and configure
  • Create an alarm profile
  • Mapping
  • Map LogRhythm alarm fields to security incident fields
  • Filter alarms for LogRhythm
  • Previewing the security incident with mapped LogRhythm alarm values
  • Schedule and retrieve LogRhythm alarms
  • Additional options for LogRhythm alarms
  • Additional configurations
  • Format field values
  • Copy alarm profile
  • Disable automated alarm
  • View drill down events
  • Troubleshoot
  • Verify connectivity
  • Script execution and system log
  • McAfee ePO integration
  • Explore
  • Checklist
  • Set up instance
  • Set up console
  • Install and configure
  • Edit security tags
  • Create an approval group
  • Capability profiles
  • Create a capability profile
  • Define triggering conditions
  • Configure settings
  • Configure the profile
  • Initiate malware scan
  • Trigger profile manually
  • Trigger additional actions
  • Use
  • Initiate malware scan
  • Test incidents and approve requests
  • Edit a tag
  • McAfee ESM - Email Parser integration
  • Configure
  • McAfee ESM - Incident Enrichment Integration
  • Configure
  • Microsoft Azure Sentinel integration
  • Explore
  • Register and configure
  • Install and configure
  • Create profile
  • Map incident fields
  • Set filter conditions
  • Schedule data retrieval
  • Automate incident updates
  • Copy profile
  • Review record
  • Review settings
  • Domain separation
  • Compare integrations
  • Microsoft Defender for Endpoint integration
  • Register and configure
  • Explore
  • Install and configure
  • Additional configuration settings
  • Map Observable type
  • Create capability profile
  • Trigger conditions
  • Configure a profile
  • Verify trigger condition filters
  • Trigger capability profile from related links
  • Trigger capability profile from configuration item related list
  • Additional Configurations
  • Configure Isolate Host capability
  • Configure Remove Host Isolation capability
  • Configure Run Antivirus Scan capability
  • Configure Restrict App Execution capability
  • Configure Remove App Restriction capability
  • Configure Get Related Machines from Defender capability
  • Configure Stop and Quarantine File capability
  • Create and configure profile
  • Perform manual sighting search
  • Perform automatic observable enrichment
  • Perform manual observable enrichment
  • Create indicators
  • Update indicators
  • Domain separation
  • Configure rate limit
  • Microsoft Defender integration for Security Operations
  • Install and Configure
  • Create an incident profile
  • Map incident fields
  • Define filter and aggregation criteria
  • Schedule incident retrieval
  • Automate incident updates and closures
  • Microsoft Exchange Online integration
  • Set up account
  • Install
  • Configure
  • Define search criteria
  • Request delete email approval
  • Approve delete email requests
  • Recover deleted emails
  • Edit security tags
  • Microsoft Exchange On-Premises integration
  • Configure
  • Email Search and Deletion flow
  • Microsoft Graph Security API alert ingestion integration
  • Set up instance
  • Configure the Microsoft Azure portal
  • Install and configure
  • Create a profile
  • Identify source for the profile
  • Map alert fields
  • Ingest sample Microsoft Graph Security API alerts
  • Mapping alerts to security incident response fields
  • Preview incident
  • Define schedule
  • Automate alert updates
  • Modify system properties
  • Worknotes
  • Copy profile
  • Domain separation
  • Troubleshoot
  • Palo Alto Networks - AutoFocus integration
  • Configure
  • Get AutoFocus Session Info Enrichment Flow
  • Palo Alto Networks - Firewall integration
  • Set up SSH credentials
  • Activate and configure
  • Palo Alto Networks Firewall Launcher Workflow
  • Get Log Data Flow
  • Palo Alto Networks - WildFire integration
  • Configure
  • Get WildFire Data Enrichment Flow
  • Palo Alto Networks Next-Generation Firewall integration
  • Create certificate profile
  • Set up and install
  • Create the API account role for Palo Alto Networks Next-Generation Firewall
  • Supported external dynamic lists
  • Create an EDL
  • Activate an EDL for Palo Alto Networks Next-Generation Firewall
  • Activate an EDL manually
  • Configure an EDL
  • Activate EDL with a change request
  • Submit EDL entries from a security incident record for Palo Alto Networks Next-Generation Firewall
  • Submit EDL entries from the blocklist for Palo Alto Networks Next-Generation Firewall
  • Approve EDL entries for Palo Alto Networks Next-Generation Firewall
  • EDL entry exceptions for Palo Alto Networks Next-Generation Firewall
  • (Optional) Edit the security tag name for Palo Alto Networks Next-Generation Firewall
  • Uninstall
  • PhishTank integration
  • Install and configure PhishTank
  • Verify expected results for PhishTank
  • (Optional) Manually attach an observable for PhishTank
  • Proofpoint Integration for Security Operations
  • Explore
  • Configure
  • Install and configure
  • Create a profile
  • Review Proofpoint integration settings
  • View the Proofpoint Analytics Dashboard
  • Reverse Whois integration
  • Install and configure Reverse Whois
  • (Optional) Install and configure Whois
  • Initiate the lookup for Reverse Whois
  • Verify expected results for Reverse Whois
  • Enrichment lookup
  • RISKIQ and WHOISIQ integration
  • Supported observables for RISKIQ and RISKIQ WHOISIQ
  • Install and configure RISKIQ and WHOISIQ
  • Verify expected results for RISKIQ SSL certificate lookups
  • SSL Certificate Lookup: Exact Match found
  • SSL Certificate Lookup: Multiple/None found
  • Verify expected results for WHOISIQ URL lookups
  • Create an observable for manual WHOISIQ lookups
  • Verify expected results for manual WHOISIQ lookups
  • Shodan integration
  • Install and configure Shodan
  • Verify expected results for Shodan
  • (Optional) Manually attach an observable for Shodan
  • Secureworks CTP Ticket Ingestion Integration
  • Set up instance
  • Install and configure
  • Create a profile
  • Identify the source of the profile
  • Mapping of ticket fields for the SecureWorks CTP integration
  • Ingesting the sample Secureworks tickets
  • Mapping
  • Preview the mapped values in the security incident
  • Define schedule for the Secureworks CTP Ticket ingestion
  • Automate ticket updates
  • Optional: Copy a Secureworks CTP profile
  • Post ingestion form updates
  • View Secureworks ticket
  • Secureworks CTP Master Ticket Closure Notice
  • Configuration settings
  • Security Incident Response Integration with Cortex XSIAM by Palo Alto Networks
  • Install and Configure
  • Create an incident profile
  • Set Alert Sources
  • Map incident fields
  • Define filter and aggregation criteria
  • Schedule incident retrieval
  • Automate incident updates and closures
  • Security Incident Response integration with Zscaler
  • Get started
  • Configure access to APIs
  • Configure integration
  • Add Zscaler Internet Access URL category lists
  • Submit observables
  • Approve observables to URL category lists
  • Submit the security incident to the Zscaler URL category list
  • Run threat lookup
  • Submit to Zscaler Sandbox analysis
  • Set up email alerts for Patient 0 events
  • ServiceNow Security Operations add-on for Splunk overview
  • Set up Splunk environment
  • Configure Application Registry
  • Using Splunk add-on
  • Manual search commands
  • Splunk event actions
  • Single-record Splunk alerts
  • Multiple-record, custom field Splunk alerts
  • Create a multi-record, custom field Splunk alert
  • Multi-record, custom field Splunk alert examples
  • Splunk error reporting
  • Splunk Enterprise Event Ingestion integration for Security Operations by ServiceNow
  • Set up
  • Configure
  • Configure settings
  • Create an event profile
  • Select scheduled alerts
  • Map event fields
  • Map alerts
  • Preview security incident
  • Schedule and retrieve alerts
  • Integration architecture and external systems connection
  • Copy Splunk profiles
  • Copy an event profile
  • Set up Splunk environment
  • Use Splunk add-on
  • Save search in console
  • Format alert values
  • Checklist
  • Splunk Enterprise Security event ingestion integration
  • Glossary
  • Set up instance
  • Install and configure
  • Security settings
  • Authentication errors
  • Create an event profile
  • Set up a profile for scheduled notable event ingestion
  • Create a profile
  • Set Correlation rules
  • Explore Mapping
  • Map notable events
  • Preview security incident
  • Schedule and retrieve notable events
  • Automate notable event updates
  • Set up a profile for manual event forwarding
  • Create a profile
  • Map notable event fields
  • Set up Splunk environment
  • Forward events on-demand
  • Copy an event profile
  • Format alert values
  • Copy a Splunk ES profile
  • Checklist
  • Splunk - Incident Enrichment integration
  • Configure
  • Mobile Experience for Security Incident Response
  • Set up checklist
  • Log in to the Security Incident Response Mobile app
  • View, edit, and assign open security incidents
  • View, edit, and reassign security incidents
  • Update and assign unassigned security incidents
  • View, edit, and assign high priority incidents
  • Update high-risk security incidents
  • Search security incidents
  • View, edit, and assign open response tasks
  • View, edit, and reassign response tasks
  • Filter records
  • Security Incident Response Orchestration
  • Set up
  • Workflows and workflow template
  • Security Incident Response Orchestration workflows and activities
  • Create Lookup Request for IoC Changes workflow
  • Create IoC Lookup Request activity
  • Get Network Statistics flow
  • Get Running Services workflow
  • Determine Shell Script by OS activity
  • Get Running Services - WMI Enrichment
  • Run procdump flow
  • Execute procdump action
  • Security Incident - Evaluate response task outcome workflow
  • Security Incident Response workflow templates
  • Security Incident Confidential Data Exposure workflow template
  • Security Incident Denial of Service workflow template
  • Security Incident Lost Equipment workflow template
  • Security Incident Malicious Software workflow template
  • Security Incident Phishing workflow template
  • Security Incident Policy Violation workflow template
  • Security Incident Reconnaissance workflow template
  • Security Incident Rogue Server or Service workflow template
  • Security Incident Spam workflow template
  • Security Incident Unauthorized Access workflow template
  • Security Incident Web/BBS Defacement workflow template
  • SIR Integration References
  • Allow and Block Request List Entries
  • CrowdStrike Block Request Category List
  • Threat Intelligence
  • Understanding Threat Intelligence
  • Domain separation and Threat Intelligence
  • Set up Threat Intelligence
  • IoC Repository
  • Attack modes and methods
  • Define an attack mode/method
  • Add an IoC to an attack mode/method
  • Add a related attack mode method
  • Add associated task to an attack mode/method
  • Indicators of compromise
  • View an IoC
  • Add a related observable to an IoC
  • Add a related attack mode/method to an IoC
  • Identify associated indicator types
  • Identify indicator sources
  • Add associated tasks to an IoC
  • Observables
  • Define an observable
  • Add a related IoC to an observable
  • Add associated tasks to an observable
  • Add a related observable
  • Load more IoC data
  • Identify observable sources
  • Perform lookups on observables
  • Perform threat enrichment on observables
  • Attack patterns
  • Define an attack pattern
  • Campaigns
  • Define a campaign
  • Courses of action
  • Define a course of action
  • Identities
  • Define identities
  • Infrastructure
  • Define infrastructure
  • Intrusion set
  • Define an intrusion set
  • Locations
  • Define Location
  • Malware
  • Define a Malware
  • Malware analysis
  • Define malware analysis
  • Observed data
  • Define observed data
  • Threat actors
  • Define threat actors
  • Threat groupings
  • Define threat groupings
  • Marking definitions
  • Define marking definitions
  • Threat notes
  • Define threat notes
  • Threat opinions
  • Define threat opinions
  • Threat reports
  • Define threat reports
  • Sightings
  • Define indicator sightings
  • Define object sightings
  • Tools
  • Define tools
  • Vulnerabilities
  • Define vulnerabilities
  • Relationships
  • Define object-object relationships
  • Define object-indicator relationships
  • Define object-observable relationships
  • STIX Visualizer
  • MITRE-ATT&CK framework overview
  • MITRE-ATT&CK administration
  • Get started with MITRE-ATT&CK framework
  • Understand the MITRE to STIX data model
  • Domain separation and MITRE-ATT&CK
  • Set up the MITRE-ATT&CK framework
  • Manage matrices
  • Manage techniques
  • Manage mitigations
  • Manage groups
  • Manage malware
  • Manage tools
  • Manage MITRE relationships
  • Manage CVE and technique mapping
  • Extend the MITRE-ATT&CK data
  • Define the data source and detection tool mapping
  • Define the data source and data component mapping
  • Define the technique detection coverage
  • MITRE-ATT&CK Scoring definition
  • Map your technique detection coverage to a technique
  • Define the mitigation coverage
  • Technique mitigation coverage definitions
  • Map your mitigation coverage to a technique
  • Overall technique mitigation coverage calculator
  • Create and map detection rules
  • Auto-extract technique rules for importing MITRE-ATT&CK information
  • Review threat group and MITRE-ATT&CK techniques mapping
  • Threat group to technique heatmap definition
  • Review the MITRE-ATT&CK system properties
  • Using MITRE-ATT&CK to detect and analyze threats
  • Associate MITRE-ATT&CK information with security incidents
  • Associate MITRE-ATT&CK information with observables
  • Associate MITRE-ATT&CK information with security case
  • Rollup MITRE-ATT&CK information using Threat Lookup results
  • Rollup MITRE-ATT&CK information from detection rules
  • Rollup MITRE-ATT&CK information from child security incidents
  • Perform link analysis and threat hunting
  • MITRE-ATT&CK heat map and navigator
  • Using the MITRE-ATT&CK dashboard
  • MITRE D3FEND framework
  • Ingest MITRE D3FEND data
  • MITRE D3FEND tables
  • Threat Intelligence administration
  • Threat Lookup Finding Calculators
  • Using Threat Lookup Finding Calculators
  • Threat Intelligence integrations
  • CrowdStrike Falcon Intelligence integration
  • CrowdStrike Falcon Intelligence integration overview
  • Have I been pwned? integration
  • Have I been pwned? integration setup
  • Threat Lookup - Have I been pwned? flow
  • Activate
  • Update X.509 certificate
  • MISP integration for Security Operations
  • MISP administration
  • Getting started with MISP integration for Security Operations
  • MISP user roles and permissions
  • Install and configure the MISP integration for Security Operations
  • Review the MISP integration settings
  • Configure MISP sighting searches
  • Configure how an automatic event is created
  • MISP event data
  • Associated MISP events
  • MISP user information
  • Domain separation and MISP
  • Troubleshooting MISP integration
  • Using MISP to investigate and analyze threats
  • Sighting searches in MISP
  • Observable enrichment in MISP
  • Managing events in MISP
  • Roll up MITRE-ATT&CK information using MISP enrichment results
  • OPSWAT Metadefender Integration
  • OPSWAT Metadefender integration overview
  • VirusTotal integration
  • VirusTotal integration setup
  • Activate and configure the VirusTotal integration
  • Threat Lookup - VirusTotal workflow
  • WhoisXML API integration
  • WhoisXML API integration setup
  • Activate and configure the Security Operations Whois integration
  • Update your X.509 certificate
  • Enrich Observable WhoIs workflow
  • Threat Intelligence Orchestration
  • Set up Threat Intelligence Orchestration
  • Threat Intelligence Orchestration workflows and activities
  • Security Case Management
  • Create cases in Security Case Management
  • Add artifacts to a case
  • Associate MITRE-ATT&CK information with security case
  • Case creation from security artifacts
  • IoCs and observables in cases
  • Create a case from IoCs or observables
  • Add IoCs and observables to an existing case
  • Create an observable from a case
  • Run a sightings search on observables in a case
  • Security incidents in cases
  • Create a case from security incidents
  • Add security incidents to an existing case
  • Configuration items in cases

Quick links section

  • Release version: Zurich
  • Updated July 31, 2025

Quick links work like bookmark links. You can add external URLs and quickly access them from within the workspace.

    • Working with quick links
      Add quick links for easy reference.
    Related concepts
    • SIR Workspace features
    • SIR Workspace interface overview
    • Upcoming section
    • Shift Handover Records section
    • List view in SIR Workspace
    Related reference
    • SIR Workspace plugins