This article describes the Intelligence Card Extension for ServiceNow.
About ServiceNow SIR/TI
Security Incident Response is part of ServiceNow Security Operations, a security
orchestration, automation, and response (SOAR) engine built on the Now Platform.
Designed to help security teams respond faster and more efficiently to incidents
and vulnerabilities, Security Operations uses intelligent workflows, automation, and
a deep connection with IT to streamline security response.
To learn more about ServiceNow Security Operations, please visit:
https://www.servicenow.com/products/security-operations.html
Note: to use this intelligence card extension, clients must also have a subscription to the ServiceNow Security Incident Response/Threat Intelligence (SIR/TI) module. In particular, this extension queries the table "sn_ti_m2m_task_observable", which is available in the SIR/TI module only.
To use this extension you need to enter:
1. a ServiceNow BaseURL (include the leading "https", e.g., "https://recordedfuturedemo.service-now.com")
2. a valid Account Name
3. a valid Password for the Account
Please also see the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension.
The extension is available on 4 intelligence cards:
- IP address
- InternetDomainName
- URL
- Hash
Extending IP Address, Domain, URL and Hash Intelligence Cards
You can search your instance of ServiceNow for a security incident that includes the specified IP Address, Domain, URL, or Hash as an observable. For each entity, the response will include:
- Incident Number
- Create Date
- Incident status
- Incident Summary
- Link to the incident in ServiceNow
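To check that the account you plan to enter can read "sn_ti_m2m_task_observable" and nothing has to be granted beyond that, the following added example (not Recorded Future's or ServiceNow's code, and not necessarily how the extension itself issues its query) builds an equivalent read-only lookup against the standard ServiceNow Table API and maps the response to the five values listed above. The column names (task, observable, value), the sn_si_incident link format, the placeholder host and the sample response are assumptions to verify on your own instance.

```python
import base64
import json
import urllib.parse
import urllib.request

TABLE = "sn_ti_m2m_task_observable"  # table named in the article
# Assumed column names, dot-walked from the m2m record; verify on your instance.
FIELDS = ["task.number", "task.sys_created_on", "task.state",
          "task.short_description", "task.sys_id"]
# Constructed sample response, not real instance data.
SAMPLE = ('{"result": [{"task.number": "SIR0000001", "task.state": "Analysis",'
          ' "task.short_description": "Constructed example", "task.sys_id": "abc123"}]}')

def build_url(base_url, observable, limit=20):
    """Build a read-only Table API query for incidents that list the observable."""
    parts = urllib.parse.urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        # Basic auth sends the password on every request, so refuse plain http.
        raise ValueError("BaseURL must start with https://")
    if "^" in observable:
        # '^' joins conditions in an encoded query; reject it rather than widen the query.
        raise ValueError("observable contains a query operator")
    query = urllib.parse.urlencode({
        "sysparm_query": "observable.value=" + observable,
        "sysparm_fields": ",".join(FIELDS),
        "sysparm_display_value": "true",
        "sysparm_limit": str(limit),
    })
    return "https://%s/api/now/table/%s?%s" % (parts.netloc, TABLE, query)

def parse_incidents(base_url, payload):
    """Map a Table API JSON response to the five values shown on the card."""
    rows = json.loads(payload).get("result", [])
    return [{
        "number": r.get("task.number", ""),
        "created": r.get("task.sys_created_on", ""),
        "status": r.get("task.state", ""),
        "summary": r.get("task.short_description", ""),
        "link": "%s/nav_to.do?uri=sn_si_incident.do?sys_id=%s"
                % (base_url.rstrip("/"), r.get("task.sys_id", "")),
    } for r in rows]

def fetch(base_url, account, password, observable):
    """Run the query with HTTP Basic auth (needs network access to the instance)."""
    req = urllib.request.Request(build_url(base_url, observable))
    token = base64.b64encode(("%s:%s" % (account, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_incidents(base_url, resp.read().decode())
```

If fetch() returns rows for an observable that is attached to a known incident, the account has the read access the extension needs; a 401 or 403 from the instance points to the credentials or the table ACL rather than to the extension.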
Example (pulled from the domain intelligence card for the IP address 104.131.41.185):