ServiceNow SIR/TI Extension

This article describes the Intelligence Card Extension for ServiceNow.

About ServiceNow SIR/TI

SNOW_logo_2022_09_19_trans.png

Security Incident Response is part of ServiceNow Security Operations, a security
orchestration, automation, and response (SOAR) engine built on the Now Platform.
Designed to help security teams respond faster and more efficiently to incidents
and vulnerabilities, Security Operations uses intelligent workflows, automation, and
a deep connection with IT to streamline security response.


To learn more about ServiceNow Security Operations, please visit:
https://www.servicenow.com/products/security-operations.html

 

Note: to use this intelligence card extension, clients must also have a subscription to the ServiceNow Security Incident Response/Threat Intelligence (SIR/TI) module.  In particular, this extension queries the table "sn_ti_m2m_task_observable" which is available in the SIR/TI module only.

 

To use this extension you need to enter

1. a ServiceNow BaseURL (include the leading "https", e.g., "https://recordedfuturedemo.service-now.com")

2. a valid Account Name

3. a valid Password for the Account

mceclip0.png

Please also see the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension.

 

The extension is available on 4 intelligence cards:

  • IP address
  • InternetDomainName
  • URL
  • Hash  

Extending IP Address, Domain, URL and Hash Intelligence Cards

You can search your instance of ServiceNow for a security incident that includes the specified IP Address, Domain, URL, or Hash as an observable. For each entity, the response will include:

  • Incident Number
  • Create Date
  • Incident status
  • Incident Summary 
  • Link to the incident in ServiceNow

Example (pulled from the domain intelligence card for the IP address 104.131.41.185):

mceclip1.png

 

Note:

Integrations in the other direction (i.e., Recorded Future Threat Intelligence going into ServiceNow) is available for the Security Incident Response and Threat Intelligence module, Vulnerability Response module, and the Vendor Risk Management module.  

 

 

 
This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.
Was this article helpful?
1 out of 1 found this helpful

Articles in this section

See more