ServiceNow is software for the SOC to manage incident workflow. While investigating incidents, analysts collaborate with each other using ServiceNow and capture results, actors and evidence, status, and progress information in the tool. Since it holds the organization’s incident history, ServiceNow also becomes a key data source that analysts need visibility into when they start a new investigation.
Query makes it possible to search ServiceNow’s incident data in place without needing to duplicate that data into SIEM or another security data lake. Query integrates with ServiceNow using their public REST APIs that enable querying table data. (See our integration documentation here, and ServiceNow’s API docs here.) To add the integration, provide your ServiceNow instance’s URL, OAuth2 client_id and client_secret, your incident table name, and relevant field mappings for your environment.
Query will provide visibility to relevant incident data from your ServiceNow tenant. Query will normalize data pulled from ServiceNow into Query’s OCSF based QDM (Query Data Model).
With the ServiceNow integration added to Query’s federated search, Query will show you:
- Relevant incidents from ServiceNow mapped to Security Findings in QDM
- Incident summary information representing incident name, status, assigned to, severity, target device/user, attacker IP
- Drill-down to show the full incident description with additional fields
- Based upon additional integrations in your environment — for example, Threat Intelligence sources integrated with Query — Query can show you relevant follow up searches to get threat intelligence information associated with related actors, files, and IPs
An example of how the Query and ServiceNow integration drives value: when the analyst investigates an incident, they need to know whether the associated corporate user has had other cyber security events associated with them that could be a leading indicator of other attacks. This should give the picture of what was investigated, by which analyst, what TTPs were observed, what was the outcome, etc. This data is valuable to investigations and audits but either may not be present in the SIEM, or if it is, it drives ingestion expenses while also causing data duplication.
In summary, the benefits of ServiceNow integration are:
- Improved investigation workflow with visibility of required context from ServiceNow
- Eliminate need to duplicate data in SIEM or security data lake
- Normalize ServiceNow data and integrate it with any other data sources you might have added in your Query instance to get to more effective investigation outcomes