Security Operations common functionality

  • Release version: Zurich
  • Updated July 31, 2025
    Summary of Security Operations common functionality

    The Security Support Common plugin activates automatically when any Security Operations application plugin (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) is enabled. This plugin provides shared modules and functionality used across all Security Operations applications, enhancing integration, data processing, workflows, and orchestration capabilities within ServiceNow Security Operations.

    Access to the Security Operations module requires the sn_sec_cmn.admin role, which is inherited from administrative roles in any Security Operations application.

    Key Features

    • Integrations: Supports integration with external detection systems and third-party tools across Security Incident Response, Threat Intelligence, and Vulnerability Response. Includes guidelines for activating plugins and configuring integrations.
    • Email Processing: Enables ingesting and processing external security data via email, including handling unmatched emails and preventing duplicate records.
    • Filter Groups: Allows creation of filter groups to locate and manage records from any instance table, such as grouping computers by manufacturer or filtering configuration items by vulnerability or subnet.
    • Escalations: Facilitates creation of escalation paths for security incidents that require higher attention or expertise, with escalation buttons appearing on relevant incidents.
    • Security Tags: Enables tagging of incidents, response tasks, vulnerabilities, observables, IoCs, and cases to manage metadata and access control based on tag groups.
    • Workflows and Workflow Triggers: Provides numerous pre-built workflows for Security Operations, supports creation of new workflows, and triggers workflows based on table conditions to automate security processes.
    • Data Transformation Utilities:
      • Enrichment Data Mapping: Transforms XML, JSON, or Properties file data into ServiceNow records used in workflows and incident enrichment.
      • Field Value Transforms: Converts unique customer field values into standardized Security Operations values to align external data with ServiceNow formats.
      • Field Mapping: Maps Security Operations tables to other ServiceNow tables, enabling integration between security incidents and service cases or problems.
    • On-Demand Orchestration: Allows security analysts to execute specific tasks (e.g., process dumps) on configuration items as part of incident workflows.
    • CMDB CI Identifier Rules: Defines rules to identify configuration items in the CMDB using matching information from third-party integrations, ordered by precedence.
    • Domain Separation Overrides: Supports customization of Security Operations properties per domain in domain-separated environments.
    • Operating System Groups: Enables mapping of operating systems to process types and scripts in incident response workflows, with the ability to add new OS groups as needed.
    • Security Annotations: Allows adding explanatory notes or comments to configuration items, observables, or incidents for enhanced context.
    • Search: Provides fast, full-text search across Security Operations applications using the Zing indexing engine.
    • Security Operations Orchestration: Supports interaction with Windows and UNIX environments through activity packs and workflows for automation within Security Operations.

    Practical Benefits for ServiceNow Customers

    • Enables seamless integration of multiple Security Operations applications with shared core functionality.
    • Improves data consistency and enrichment through standardized field and data mapping.
    • Facilitates efficient incident management with escalation paths, tagging, and annotations to prioritize and control access.
    • Supports automation and orchestration to streamline security incident response and investigative tasks.
    • Provides flexible filtering and search capabilities to quickly locate relevant security data and assets.
    • Allows customization per domain and easy addition of new operating systems or integrations to adapt to organizational needs.

    Whenever any of the plugins for the main Security Operations applications (Security Incident Response, Vulnerability Response, Threat Intelligence, or Configuration Compliance) are activated, the Security Support Common plugin is activated. This plugin loads various modules that provide functionality that is common across all Security Operations applications.

    Note:
    Only users with the sn_sec_cmn.admin role can view and use the Security Operations module. This role is inherited when you are assigned an administrative role in any of the Security Operations applications.

    Security Operations Modules

    Integrations
    • Security Operations Integration Reference, Threat Intelligence integrations, Vulnerability Response integrations

      Several integrations are included with the Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response). This section provides instructions for activating the plugins and configuring both ServiceNow and third-party integrations. Also included are some basic guidelines for developing your own integrations, as well as details on specific integrations included in the base system.

    Email Processing
    • Security Operations email processing

      You can set up the integration of information from external detection systems, provide granularity in processing security operations records, handle unmatched emails, and prevent duplication of records using Email Processing.
    Groups
    • Filter Groups

      Create and use filter groups to locate records from any table on your instance. For example, you can create a group of all computers by the same manufacturer. You can also filter configuration items (CIs) that have similar vulnerabilities or that fall within a particular subnet IP address range.

    • Escalations

      You can create an escalation path for security incidents for issues requiring more attention or expertise. Once an escalation group exists, a button appears on any security incident in that group.

    Security Tags
    • Tags

      Security tag rules provide filtering for security tag access.

    Workflows
    • View Security Workflows

      You can view the many workflows included with the Security Operations applications. You can create workflows from templates and in the Workflow Editor.

    • Workflow Triggers

      Security Operations workflow triggers contain a condition on a table. All workflows attached to the workflow trigger record run when the condition is met.

    Utilities
    • Enrichment Data Mapping

      Enrichment Data Mapping transforms data from XML, JSON, or Properties files to ServiceNow records. Security Operations workflows use enrichment data maps and provide output data to security incidents.

    • Field Value Transforms

      Field value transforms convert unique customer field values into the field values recognized by Security Operations email parsing, data enrichment, or tables that use field maps. They support choice fields and references, and align external data with the standard terminology and format of the new record.

    • Field Mapping

      Security Operations tables can be mapped to and from other tables, for example to link a security incident to a customer service case or a problem, or to connect other parts of the Security Operations system. For example, you can integrate a plugin with a Security Incident Response task.

    • On-Demand Orchestration

      During Security Incident Response analysis, a security analyst may want to perform a task that is driven by a security incident workflow. For example, run a process dump on a particular CI. This can be accomplished with on-demand orchestration.

    • Operating Systems Groups

      NA.

    • SecOps Application Registry

      NA.

    CMDB
    • CI Identifier Rules

      CI identifiers are rules used to look up a configuration item (CI) in the CMDB that contains matching information from a third-party integration. These rules define the fields that contain matching data and the order of precedence by which they are evaluated. The lowest Order value is evaluated first.
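    The precedence logic described above, as an added illustration that is not ServiceNow's own code: a constructed set of identifier rules is evaluated in ascending Order against a third-party event, and the first rule that resolves to exactly one CI wins. Field names, the rule layout, and the sample CMDB records are all assumptions for the example.

```python
# Illustration of CI identifier rule precedence. Constructed data and
# assumed field names; this is not the ServiceNow implementation.
from typing import Optional

# Constructed CMDB sample records (the CI table the rules search).
CMDB_CIS = [
    {"sys_id": "ci-001", "name": "web01", "ip_address": "10.0.0.5", "mac_address": "00:11:22:33:44:55"},
    {"sys_id": "ci-002", "name": "web02", "ip_address": "10.0.0.6", "mac_address": "00:11:22:33:44:66"},
    {"sys_id": "ci-003", "name": "web01", "ip_address": "10.0.1.5", "mac_address": "00:11:22:33:44:77"},
]

# Constructed identifier rules: each maps a third-party field to a CMDB field.
# The list is deliberately unsorted; the lowest Order value is evaluated first.
CI_IDENTIFIER_RULES = [
    {"order": 300, "source_field": "hostname", "ci_field": "name"},
    {"order": 100, "source_field": "mac", "ci_field": "mac_address"},
    {"order": 200, "source_field": "ip", "ci_field": "ip_address"},
]


def _norm(value) -> str:
    # Assumed normalisation so that MAC/hostname case and stray whitespace
    # from an external tool do not defeat the match.
    return str(value).strip().lower()


def lookup_ci(event: dict, rules=CI_IDENTIFIER_RULES, cis=CMDB_CIS) -> Optional[str]:
    """Return the sys_id of the CI matched by the first rule (ascending Order)
    that yields exactly one match. Rules whose source field is absent or empty
    in the event are skipped, and an ambiguous rule (more than one CI) falls
    through to the next rule rather than guessing. None means no unique match."""
    for rule in sorted(rules, key=lambda r: r["order"]):
        value = event.get(rule["source_field"])
        if not value:
            continue
        matches = [ci for ci in cis if _norm(ci.get(rule["ci_field"], "")) == _norm(value)]
        if len(matches) == 1:
            return matches[0]["sys_id"]
    return None
```

Note that an event carrying only a hostname shared by two CIs resolves to None rather than to either CI, which is the behaviour a defender wants before enrichment or orchestration acts on the record.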