Types of ServiceNow integrations provided

  • Release version: Zurich
  • Updated July 31, 2025

    The Security Operations applications (Security Incident Response, Threat Intelligence, and Vulnerability Response) can be seamlessly integrated with other ServiceNow applications to enhance their functionality.

    The following integrations are provided in the Security Operations base system.

    Security Incident Response – Event Management integration

    The capabilities of the Event Management application have been expanded to support Security Incident Response. The Security Incident Response Event Management support plugin automatically parses the contents of events in Event Management to populate fields in security incidents.

    Use case covered:

    Creation of security events in the Event Management system from Security Information and Event Management (SIEM) tools.

    Useful capabilities provided:
    • Event management functionality – event correlation, event rules, and alert rules
    • Automatic mapping of additional_information values to the resulting security incident

    Resources:

    Security Incident event management support documentation

    Event Management documentation

    Security Incident Response - Import Set API integration

    In addition to using Event Management to push security-related events, the Security Incident Response application provides an Import Set API that allows direct creation of security incidents. The REST endpoint for the Security Incident Import Set is http://localhost:8080/api/now/import/sn_si_incident_import.

    This integration technique is useful when Event Management is not installed, or when you want to create security incidents directly without going through the event > alert > Security Incident flow that Event Management requires.

    Use case covered:

    Creation of security incidents directly from SIEM tools.

    Useful capabilities provided:

    Automatic CI matching on Security Incident creation based on IP, NetBIOS, or fully qualified domain name.

    Resources:

    Platform Import Set API documentation

    Security Incident Web Service Import Set documentation
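A sketch of a SIEM-side client for this endpoint, added here as an illustration and not ServiceNow's own code: it builds the POST for one alert and checks the Import Set response for rows that did not produce a record. The instance host, the staging-table column names (`short_description`, `ip_address`, `external_id`), the alert fields, and the sample response are assumptions or constructed data; only the `/api/now/import/sn_si_incident_import` path comes from this page.

```python
import base64
import ipaddress
import json
import urllib.request
from urllib.parse import urlsplit

IMPORT_PATH = "/api/now/import/sn_si_incident_import"  # path given on this page

# Constructed sample data for illustration only.
SAMPLE_ALERT = {"id": "siem-0001", "title": "Repeated failed logins",
                "src_ip": "10.20.30.40"}
SAMPLE_RESPONSE = json.dumps({
    "import_set": "ISET0010001",
    "staging_table": "sn_si_incident_import",
    "result": [
        {"status": "inserted", "display_value": "SIR0010001"},
        {"status": "error", "error_message": "constructed failure"},
    ],
})


def build_incident_request(instance_url, user, password, alert):
    """Build (not send) the POST that stages one SIEM alert as a security incident."""
    parts = urlsplit(instance_url)
    # Basic-auth credentials must never travel over plain HTTP.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("instance URL must be https://<instance host>")
    # Validate the address that CI matching will key on; raises ValueError if bad.
    ip = str(ipaddress.ip_address(alert["src_ip"]))
    row = {  # column names are assumptions; check the staging table on your instance
        "short_description": alert["title"][:160],
        "ip_address": ip,
        "external_id": alert["id"],
    }
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{parts.netloc}{IMPORT_PATH}",
        data=json.dumps(row).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + token},
    )


def failed_rows(response_body):
    """Return result rows whose transform did not insert or update a record."""
    results = json.loads(response_body).get("result", [])
    return [r for r in results if r.get("status") not in ("inserted", "updated")]
```

Pass the returned request to `urllib.request.urlopen` to send it, and alert on any non-empty `failed_rows` result so that dropped SIEM alerts do not go unnoticed.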

    Threat Intelligence - lookup source integration

    Lookup sources provide the ability to send data to external lookup sources to determine if that data is malicious. Generally, that data is an IP address, URL, file, or file hash.

    Use case covered:

    Look up an IP address, URL, file, or hash with an external lookup service.

    Useful capabilities provided:

    • Consistent way to request lookups from catalog items and security incidents.
    • Rate limiting and throttling capabilities provided with little/no coding.
    • Automatic creation of Indicators of Compromise (IoC) observable entries for any issues found by lookup sources.

    Threat Intelligence - threat source integration

    Threat Sources provide the ability to pull in data from external threat intelligence repositories. This data is then imported into the various Indicators of Compromise tables that exist within the system. TAXII collections and simple blocklists are supported natively. Adding a new TAXII collection (or a profile based on a discovery or collection management service) is as simple as adding an entry. Similarly, adding a new simple, single-column blocklist is a matter of entering a new record and providing the URL of the blocklist. For more complicated sets of data, a custom integration can be provided to make a call to a URL and parse the response.

    Use case covered:

    Retrieve data from a threat intelligence source to load into IoC tables.

    Useful capabilities provided:

    • Support for simple blocklists and TAXII collections with no coding.
    • Simple mechanism for executing REST messages for retrieving data.
    • Decoupled data retrieval/processing for integration component reusability.
    • Native support for passing returned data to data sources (and import sets/transform maps) for processing.
    • Supports multiple data requests per integration (for paginated calls) with the ability to pass context to subsequent calls.

    Resources:

    Define a threat source
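Before registering a blocklist URL as a threat source, it is worth vetting what the feed contains, because every accepted line becomes an IoC. The following added example (not ServiceNow code) classifies the entries of a single-column blocklist and rejects lines that overlap internal address space or are not an IP, CIDR range, or domain; the `INTERNAL` ranges, the comment syntax, and the sample feed are assumptions.

```python
import ipaddress
import re

# Ranges that should never arrive as IoCs from an external feed (assumed policy).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sample feed for illustration only.
SAMPLE_FEED = """# constructed sample feed
203.0.113.7
203.0.113.7
192.168.1.0/24
malware.example   # inline comment
bad entry!
"""


def vet_blocklist(text):
    """Classify each line of a single-column blocklist; return (accepted, rejected)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip().lower()  # drop comments
        if not entry or entry in seen:                # skip blanks and duplicates
            continue
        seen.add(entry)
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None
        if net is not None:
            # overlaps() also catches overly broad ranges such as 0.0.0.0/0
            if any(net.overlaps(i) for i in INTERNAL):
                rejected.append((lineno, entry, "overlaps internal address space"))
            else:
                accepted.append((entry, "ip"))
        elif DOMAIN.match(entry):
            accepted.append((entry, "domain"))
        else:
            rejected.append((lineno, entry, "not an IP, CIDR or domain"))
    return accepted, rejected
```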

    Vulnerability Response - scanner invocation integration

    Vulnerability Scanner Invocation is a lightweight integration entry point that supports invoking vulnerability scans from the instance. A third-party vulnerability scanner is called asynchronously to schedule a scan for configuration items or IP addresses.

    Use case covered:

    Make a request to a third-party scanner to scan a CI (using host information derived from the CI) or one or more IP addresses.

    Useful capabilities provided:

    • Simple framework for defining scanner implementations.
    • Consistent way to request scans from catalog items, security incidents, and vulnerable items.
    • Automatic updating of tasks with result of scan invocation.

    Vulnerability Response - data integration

    Vulnerability data integrations are intended to retrieve vulnerability data from third-party vulnerability systems. The expected outputs from these integrations are vulnerability entries and vulnerable items. This integration allows third-party vulnerability scanners to function independently, with the expectation that vulnerabilities can be worked and tracked within the instance.

    Use cases covered:

    • Retrieve vulnerability libraries
    • Retrieve vulnerability/CI pairings
    • Synchronize CIs with vulnerability management system

    Useful capabilities provided:

    • Decoupled data retrieval/processing for integration component reusability.
    • Native support for passing returned data to data sources (and import sets/transform maps) for processing.
    • Supports multiple data requests per integration (for paginated calls) with the ability to pass context to subsequent calls.

    Resources:

    Vulnerability data integration documentation