ServiceNow Incident Onboarding | Cyware Use Cases
Orchestrate and automatically onboard ServiceNow ITSM incidents on the Cyware Fusion and Threat Response platform to eliminate errors and friction.
Category: Case/Ticket Management
Cyware Products Used:
Cyware Fusion and Threat Response (CFTR)
Orchestrate (CO)
Third-Party Integrations Used:
ServiceNow ITSM: Case management solution to document and manage incidents.
Problem Statement
Digital assets in the organization must be connected with ITSM solutions to make sure that data, processes, and tools operate together to prevent information silos in an organization. It is also important for security teams to receive ITSM incidents in a central location within CFTR to prepare and respond to high-profile security incidents such as ransomware, data breaches, targeted attacks, and any other incidents reported by an employee through the ServiceNow support desk.
Solution
The solution is to orchestrate and automatically onboard ServiceNow ITSM incidents on the Cyware Fusion and Threat Response (CFTR) platform to eliminate errors and friction natural to manual handoffs across systems and security teams. This helps security teams to expedite incident investigations, response, and remediation across IT, Security, and Risk teams to minimize incident impact, data loss, and exposure and centralize case management.
How do we solve this problem?
The solution uses the webhooks method to push incidents from the ServiceNow application. The triggered event is used to automatically trigger a playbook in Orchestrate and onboard the incident details to the CFTR application.
Configure Webhooks on ServiceNow: Generate a new Webhook credential from the Orchestrate application and copy the base URL and token of the webhook. Now go to the ServiceNow application and start by creating a Business Rule to run when there is an update on the Incident Table. Make sure to replace the <setEndpoint url> on the Advanced tab with the Orchestrate Webhook URL.
Retrieve Incidents: After the webhook is configured successfully on ServiceNow, the Orchestrate application automatically receives all the latest incidents along with their details from the ServiceNow application.
Enrichment: The webhook event is used to trigger a playbook in Orchestrate that onboards the incident to CFTR. The playbook can also be configured to enrich the indicators present in the incident.
Create Incident in CFTR: The playbook now onboards the incident details from ServiceNow to CFTR with all the details available on the incident. The playbook also enriches the indicators present in the incident and onboards the indicator details of the CFTR incident. The playbook also keeps the details of the incident in sync with the ServiceNow incident.
Update ServiceNow Incident: The playbook updates the ServiceNow incident with the CFTR Incident ticket ID to keep IT teams informed that the incident is sent to the security team for investigation.
Benefits
Quickly Investigate and Respond to Incidents
The solution eliminates the errors and friction natural to manual handoffs across systems, teams, and responsibilities and helps security teams to rapidly respond to evolving threats while optimizing and orchestrating enterprise security operations.
Orchestrate enterprise-wide incidents with ease
By automating incident onboarding, security teams can be prepared and ready to respond to big and breaking problems such as breaches, and ransomware and respond efficiently to enterprise-wide incidents.
Visibility into Threat Indicators
By automatically onboarding incidents to the CFTR application, security teams get visibility into threat indicators in the organization and continuously improve the security posture of the organization by improving response tactics.