Security Operations

According to the Identity Theft Resource Center, in 2016 (Oct 27, 2016) there were at least 809 major data breaches in the United States, resulting in over 29 million records exposed.

Data security is critical for any company with valuable information to protect, which means most companies today. Companies want to continue to innovate with software, but that software data absolutely need to be protected to be successful. A data breach mean negative consumer perception of the company and possible legal consequences as well.


This is not an easy task as these hacker adversaries are very sophisticated.  Some have tremendous funding (state-funded), and many are determined, relentless attackers.

You need software to organize your effort to counter-threat these intruders.  ServiceNow Security Operations connects the workflow and systems management capabilities of the ServiceNow platform with security data from leading vendors.  It gives your security team a single‑response platform for complete visibility, allowing them to respond to incidents and vulnerabilities more efficiently.

Here are some of the current offerings in the ServiceNow Security Operations suite:

Security Incident Response

Security Incident Response tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post incident review, knowledge base article creation, and closure.


There are four related plugins for Security Incident response:

  • Security Incident Response - This the main application.  Please note that activation on production may require a separate license.
  • Security Incident Analytics - This plugs into Performance Analytics to provide a executive view to Security Incident activity.  Requires Performance Analytics.
  • Security Incident Response Event Management support - This allows ServiceNow to automatically create Security Alerts and Security Incidents from ServiceNow Event Management. Require Event Management and event management licenses.
  • Security Incident Response GRC support.  Hooks up to GRC to create Security Incidents. Requires GRC Licenses.
  • ServiceNow Security Operations add-on for Splunk. When Splunk is integrated with the ServiceNow Security Operations applications, you can seamlessly create security incidents or events from Splunk events, alerts, and logs. After you have downloaded the ServiceNow Security Operations add-on for Splunk from Splunkbase, you are ready to use the integration to create the desired security records. Please note that activation on production may require a separate license.

How it works

1. Dashboards

You can monitor the security incidents on your system using security dashboards that display gauges and reports for incident handling. 

CISO Reporting Dashboard

Security Analyst Dashboard

The dashboards show the impacts of security incidents with treemaps and other types of charts that automatically update in real-time, based on incident categories such as counts, severities, and priorities. You can view operational trends, incident analytics, incidents that affect your business services, and P1 and P2 incidents logged within the previous 24 hours. Data in the charts is driven by ServiceNow Performance Analytics.

 You can also monitor affected CIs by viewing the BSM map.

Security Incident - BSM Map

2. Security

Only user with appropriate access can access the Security Incident Response app.  Even non-security administrators can be restricted from access, unless you expressly allow them entry.

3. Security Incident Creation

Security incidents can be created in the following ways.

  • Security Application. New Security Incident Response (SIR) records can be created using the Create New module on the navigation bar.
  • Event Management or Integrations. From events spawned internally or from external monitoring or vulnerability tracking systems
  • Event Management. Manually from alerts or automatically via alert rules
  • Incident Management. On the Incident form, click Create Security Incident to create a new security incident.
  • Service Catalog. Creation of SIRs by selecting from categories of security threats defined in the security incident catalog.

Security Incident Catalog

Security Incident Catalog Item

4. Security Request Creation

You can use the Requests module to create requests for low impact security demands, such as changing a password or requesting a new badge. However, you can open a security incident when a breach occurs.

If you must escalate the request to a security incident, click Convert to Security Incident when in the Request

Security Request - Convert to Security Incident

5. Analysis

On the Security Incident form, view incidents, changes, problems, and tasks on the affected CI. The system can identify malware, viruses, and other areas of vulnerability by cross-referencing the National Institute of Standards and Technology (NIST) database, or other third-party detection software. As security incidents are resolved, any incident can be used to create a security knowledge base article for future reference.

6. Containment, Eradication, and Recovery

While monitoring and analyzing vulnerabilities, you can create and assign tasks to other departments. Use the BSM map to create tasks, problems, or changes for all affected systems, documents, activities, SMS messages, bridge calls, and so forth.

Like other ServiceNow Service Management applications, it can use a state-based and task-driven workflow to take a Security incident from Draft to Closed.  Like a lot of the Service Management applications, it uses a Configuration Page with sliders to adjust a lot of settings in the app.

Security Incident Form

Security Incident - Configuration

7. Post Incident Review

Significant incidents may need an incident resolution review, also called a post-incident review. This can take on several forms. For example, the incident manager can:

  • Conduct a meeting to discuss the incident and gather responses.
  • Write and distribute questions designed for each incident category or priority to those who worked on the incident, to review incident resolution.
  • Write the report and gather information on their own.

An automated survey system for reviewing security incident resolution is available. It gathers the names of all users assigned to the security incident, and sends a survey to gather data about the handling of this incident. This data can then be made available in a generated security incident review report, which can be edited into a final draft.

Security Incident - Post Incident Review Screen 1

Security Incident - Post Incident Review Screen 2

Vulnerability Response

The National Vulnerability Database (NVD) and many other sources collect information about known vulnerabilities, such as weaknesses in software, operating systems that can be exploited by malware, and other attacks.

The ServiceNow Vulnerability Response application helps you in tracking, prioritizing, and resolving these vulnerabilities. This works by comparing known vulnerabilities against your own Configuration Items (CIs) with software (as identified in the Asset Management module).


There are three related plugins for Vulnerability Response response:

  • Vulnerability Response - This the main application.  Please note that activation on production may require a separate license.
  • Vulnerability Analytics - This plugs into Performance Analytics to provide a executive view to Vulnerability activity.  Requires Performance Analytics.
  • Qualys Vulnerability Integration - allows vulnerability data, detected by the third-party Qualys scanner, to be downloaded to the Vulnerability Response application for tracking, prioritization, and resolution. Please note that activation on production may require a separate license.


1. Dashboards

You can monitor the vulnerabilities captured in ServiceNow using security that display gauges and reports for ticket handling.  This dashboard contains 14 reports in the base offering.

 Vulnerability Response Overview

Vulnerability Response Overview

2. Data Import

With Vulnerability Response, you can compare vulnerability data to CIs and software identified in the Asset Management module. The vulnerability data can be imported from internal and external sources, such as the National Vulnerability Database. You can also use Common Weakness Enumeration (CWE) records downloaded from the CWE database for reference when deciding whether to escalate a vulnerability.

This reminds me of the ServiceNow GRC application, where it pulls Authority documents from the UCF database.  I think is a good concept, and liked how that worked in the GRC application previously.

You can update your system from the vulnerability databases on demand or by running user-configured scheduled jobs.

More information: NVD and CWE updates

Vulnerability Response - NVD Data Feeds

Vulnerability Response - NVD On Demand

Vulnerability Response NVD Entry Form

3. Identify vulnerable items

  1. After data is downloaded from NIST NVD, they are compared against the software in your company's network as identified by the Software Asset discovery model.
  2. When it matches vulnerable software or CIs in your network, a vulnerable item is created.
  3. You use the information in the record to decide whether to escalate the vulnerable item for remediation.

Vulnerability Response NVD

Vulnerable Software Highlighted

4. Remediate vulnerabilities

This is abridged version of this process.  For full documentation read this.

  1. Left Navigator Bar > Vulnerability > Vulnerabilities > All Vulnerabilities.
  2. Click a vulnerability record (VUL) that is in the New state. 
  3. Flip the State field to Analysis
  4. Perform whatever tests or analysis you want on the vulnerabilities.
  5. To escalate, Click the Create Change, Create Problem, or Create Security Incident button (if installed)
  6. Close if not important for now
  7. Repeat

Vulnerability Response Form

Vulnerable Item - Note all the buttons!

5. Scan for more Vulnerabilities 

You can also scan more more!  Please note that the vulnerable item that you want to scan must contain an affected CI or IP address.

  1. Go to the Left Nav Bar > Vulnerability > Vulnerabilites > All Vulnerable Items.
  2. Open vulnerable item
  3. Click the Scan for Vulnerabilities related link.
  4. A message appears with a link to the scan and the work notes are updated.

More Information

This application is very powerful and I just glanced over some of the features.  

For the full documentation check out the wiki:

Threat Intelligence

Find indicators of compromise and hunt low‑lying attacks and threats using ServiceNow. 

Example Structured Threat Information Expression Process (STIX)

Threat Intelligence is used to access and provide a point of reference for your company's Structured Threat Information Expression (STIX) data. STIX is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner.

Using STIX data and Trusted Automated Exchange of Indicator Information (TAXII) profiles, threat professionals can use shared cyber threat information to isolate threats that have been previously identified by your company and from other sources. TAXII makes widespread automated exchange of cyber threat information possible.


There are one plugin for Threat Intelligence:

  • Threat Intelligence - This the main application.  Please note that activation on production may require a separate license.

There are API Keys and Properties to set initially as well.  Read about that here.


1. Dashboards

The Threat Intelligence overview provides a number of useful reports, as well as Really Simple Syndication (RSS) and Atom format feeds of security-related news.

Threat Overview

2. Setup Threat Feeds

Threat Feed (with ServiceNow Elite Articles!)

The threat feeds feature allows you to define any RSS news feed or bulletins to be displayed in a scrolling feed. The format is configurable and you can specify the number of days before articles are removed.

This is a cool feature!  I am going to blog about this separately.  Stay tuned.

3. Threat Sources

You can maintain a list of Threat Intelligence threat sources. Each source includes the abilty to define how often a source is queried. You can also execute a threat source on demand to import the needed Structured Threat Information eXpression (STIX) data.

Threat Intelligence employs two technologies for importing threat-related information: STIX and Trusted Automated Exchange of Indicator Information (TAXII).

STIX Source

TAXII Profile

4. Attack Modes and Methods

Attack modes and methods, sometimes referred to as Tactics, Techniques, and Procedures (TTPs), are representations of how cyber adversaries behave. They characterize what these adversaries do and how they do it, in increasing levels of detail.

Attack modes and methods are imported with STIX data, but you can add more attack modes/methods as needed.

5. Threat Scanning

One of most interesting things of the Security Operations app is the threat scan functionality.

If you suspect that websites, files, or links to IP addresses you have received might contain malware or other threats, you can create a request to scan them. 

It starts with a connection to the Virus Total API.  All you need to do is get an API key from VirusTotal to try it out.

Scanning safe sites is boring.  So I googled "malicious websites".  Check those results!  Like a bad night on the town! 

Threat Scanning - Bad Site

Virus Total - Bad Site

You can also submit scans via other methods as well:

I thought this feature of ServiceNow was pretty cool.  Did enjoy the process of scanning and how it worked.


The Security Operations applications provided by ServiceNow are very exciting.  The NVD data import and scanning functionality was surprising to me, I didn't expect that.  I'll keep you posted as new tricks are found as well.

I've been using ServiceNow pre-Aspen, and I love seeing the progress over the years!  Breaking new ground with ServiceNow once again!