Security Operations Integration Configurations

Release version: Zurich

Updated July 31, 2025

2 minutes to read

Summarize

Summarized using AI

Summary of Security Operations Integration Configurations

Security Operations in ServiceNow offers multiple integrations to enhance security incident management by connecting with various third-party security platforms. While many integrations require minimal setup, some, like the Qualys Cloud Platform, need additional configuration steps. These integrations support diverse scan types, lookup methods, and rate limits tailored to their specific functionalities.

Show full answer Show less

Key Features

Carbon Black Integration: Enables investigation and response to security incidents through API queries to endpoints.
Check Point Anti-bot - Email Parser: Consumes email notifications to automatically create security incidents.
Elasticsearch Incident Enrichment: Searches logs to enrich security incidents with relevant sighting data.
Have I Been Pwned? Integration: Quickly searches breached accounts via RESTful services.
HPE Security ArcSight ESM and Logger Integrations: Email parsers and incident enrichment by consuming notifications and logs.
IBM QRadar Incident Enrichment: Adds log-based sighting information to security incidents.
McAfee ESM Integrations: Email parser and incident enrichment for security incident creation and enrichment.
OPSWAT Metadefender Integration: Imports threat data from Metadefender scanner into Threat Intelligence for prioritization and resolution.
Palo Alto Networks Integrations:
- AutoFocus for threat intelligence session searches.
- Firewall management for threat prevention across network, cloud, and endpoints.
- WildFire for querying malware analysis jobs and retrieving results.
Qualys Vulnerability Integration: Integrated with Vulnerability Response for vulnerability management.
Splunk Incident Enrichment: Log search to enrich security incidents.
VirusTotal Integration: Lookup source in Threat Intelligence requiring activation of the related plugin.
WhoisXML API Integration: Provides structured, reliable Whois data accessible 24/7.

Practical Use and Configuration

ServiceNow customers can activate and configure these third-party integrations through a unified interface. This simplifies management and allows seamless incorporation into security workflows. Additionally, partners can create custom integrations and add them to the Security Integrations screen for enhanced extensibility.

Benefits

Automated creation and enrichment of security incidents improve response efficiency.
Access to comprehensive threat intelligence data from multiple sources.
Centralized management of integrations reduces administrative overhead.
Enhanced visibility into security postures through log and data enrichment.

Many of the integrations included in the base system require little or no setup, and operate in the same way. Certain integrations, such as the Qualys Cloud Platform, however, require separate steps for setting up the integration. Others support different sets of scan and lookup types and different rate limits.

This section describes the differences between the supported integrations and points you to more documentation, as needed.

Carbon Black integration: allows you to investigate and respond to security incidents by using the Carbon Black APIs to query and interact with endpoints associated with security incidents.
Check Point Anti-bot - Email Parser integration: uses an email parser that consumes email notifications from Check Point Anti-bot to create security incidents.
Elasticsearch Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
Have I been pwned? integration: allows the list of breached accounts (email addresses and usernames) to be quickly searched via a RESTful service.
HPE Security ArcSight ESM - Email Parser integration: uses an email parser that consumes email notifications from HPE ArcSight ESM to create security incidents.
HPE ArcSight Logger - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
IBM QRadar - Incident Enrichment Integration: searches your logs and adds relevant sighting information to your security incidents.
McAfee ESM - Email Parser integration: uses an email parser that consumes email notifications from McAfee ESM to create security incidents.
McAfee ESM - Incident Enrichment Integration: searches your logs and adds relevant sighting information to your security incidents.
OPSWAT Metadefender integration overview: allows threat data, detected by the third-party Metadefender scanner, to be downloaded to the Threat Intelligence application for tracking, prioritization, and resolution.
Palo Alto Networks - AutoFocus integration: Palo Alto Networks AutoFocus, a threat intelligence cloud service, allows you to search for session information related to security incident observables.
Palo Alto Networks - Firewall integration: Palo Alto Networks Firewall allows you to set up and maintain firewalls for preventing known and unknown threats across the network, cloud, and endpoints.
Palo Alto Networks - WildFire integration: Wildfire integration allows you to programmatically query analysis jobs on Wildfire and retrieve historical results through a simple XML API interface.
Understanding the Qualys Vulnerability Integration: Qualys Cloud Platform is used in Vulnerability Response.
Splunk - Incident Enrichment integration: searches your logs and adds relevant sighting information to your security incidents.
VirusTotal integration: used in Threat Intelligence. To use this lookup source, you must activate the VirusTotal Integration plugin.
WhoisXML API integration setup: provides consistent, well-structured data from a Whois lookup. Keeps accurate Whois data accessible 24/7.