Access to the Security Operations module requires the snseccmn.admin role, which is inherited from administrative roles in any Security Operations application.

Key Features

• Integrations: Supports integration with external detection systems and third-party tools across Security Incident Response, Threat Intelligence, and Vulnerability Response. Includes guidelines for activating plugins and configuring integrations.
• Email Processing: Enables ingesting and processing external security data via email, including handling unmatched emails and preventing duplicate records.
• Filter Groups: Allows creation of filter groups to locate and manage records from any instance table, such as grouping computers by manufacturer or filtering configuration items by vulnerability or subnet.
• Escalations: Facilitates creation of escalation paths for security incidents that require higher attention or expertise, with escalation buttons appearing on relevant incidents.
• Security Tags: Enables tagging of incidents, response tasks, vulnerabilities, observables, IoCs, and cases to manage metadata and access control based on tag groups.
• Workflows and Workflow Triggers: Provides numerous pre-built workflows for Security Operations, supports creation of new workflows, and triggers workflows based on table conditions to automate security processes.
• Data Transformation Utilities:
  • Enrichment Data Mapping: Transforms XML, JSON, or Properties file data into ServiceNow records used in workflows and incident enrichment.
  • Field Value Transforms: Converts unique customer field values into standardized Security Operations values to align external data with ServiceNow formats.
  • Field Mapping: Maps Security Operations tables to other ServiceNow tables, enabling integration between security incidents and service cases or problems.
• On-Demand Orchestration: Allows security analysts to execute specific tasks (e.g., process dumps) on configuration items as part of incident workflows.
• CMDB CI Identifier Rules: Defines rules to identify configuration items in the CMDB using matching information from third-party integrations, ordered by precedence.
• Domain Separation Overrides: Supports customization of Security Operations properties per domain in domain-separated environments.
• Operating System Groups: Enables mapping of operating systems to process types and scripts in incident response workflows, with the ability to add new OS groups as needed.
• Security Annotations: Allows adding explanatory notes or comments to configuration items, observables, or incidents for enhanced context.
• Search: Provides fast, full-text search across Security Operations applications using the Zing indexing engine.
• Security Operations Orchestration: Supports interaction with Windows and UNIX environments through activity packs and workflows for automation within Security Operations.

Practical Benefits for ServiceNow Customers

• Enables seamless integration of multiple Security Operations applications with shared core functionality.
• Improves data consistency and enrichment through standardized field and data mapping.
• Facilitates efficient incident management with escalation paths, tagging, and annotations to prioritize and control access.
• Supports automation and orchestration to streamline security incident response and investigative tasks.
• Provides flexible filtering and search capabilities to quickly locate relevant security data and assets.
• Allows customization per domain and easy addition of new operating systems or integrations to adapt to organizational needs.