ServiceNow Security Operations Integration: Maximizing Automation for Incident Detection and Remediation

Automation is becoming more and more prevalent and sought after by Security Operations Centers (SOC).  This is driven by the increasing cybersecurity skills gap, intensified by the volume of security data and alerts that require analysis.  To address this, SOC teams are looking at tools such as Security Orchestration Automation and Remediation (SOAR).

However, in our interactions with customers, we are finding a great deal of frustration among organizations that have rolled out SOARs.  Much of this frustration comes from the inability of the SOAR to digest the volume of data and alerts that are generated from various sensors in the environment, not to mention the correlation and decision-making that needs to happen to find malicious behavior.  When this occurs, organizations miss out on the automation benefits, particularly for incident remediation, that SOAR was meant to address in the first place.


Exacerbating this frustration is the sheer amount of time, effort and cost it takes to write playbooks for automated incident remediation.  Additionally, playbooks must be maintained over time to keep up with the latest Tactics, Techniques and Procedures (TTP) that are constantly changing.  However, if the SOAR isn’t finding the incidents or cannot monitor the data at scale (as is necessary), those playbooks that automate remediation are of little value.

As we announced last fall, the Respond Analyst integrates with ServiceNow Security Operations.  This integration allows Respond to take the heavy lifting of front-end alert monitoring, triage and scoping off of ServiceNow.  Once incidents are identified and false positives are discarded, the Respond Analyst forwards only the malicious incidents that require remediation.  From there, ServiceNow Security Operations will automate remediation actions to close the incident.  

Unlocking SOAR with eXtended Detection and Response (XDR)

The Respond Analyst, an XDR Engine from Respond Software, enables organizations to unlock the true automation capabilities of their SOAR deployments by managing the up-front analysis and triage of events before they are passed to the SOAR system. The Respond Analyst is scalable to handle millions of events, escalating actionable and malicious incidents into SOAR for remediation and filtering out false positives. However, unlike SOAR, the Respond Analyst does not require coding, customization or maintenance over time, so time to value can be recognized in hours. Leveraging the Respond Analyst with SOAR reduces attack dwell time, remediates security issues faster through additional automation, and elevates analyst collaboration.

The Respond Analyst and ServiceNow Integration
As new incidents are created in the Respond Analyst, it will make API calls to ServiceNow using the Account specified in the integration’s configuration settings, pushing all the fields mapped in the ‘Import Set Web Service.’ The security analyst does not need to manually open a case in ServiceNow and populate it with relevant information; that process is automated. The Respond Analyst executes this process when an incident is detected and continues to update the case in ServiceNow if and when new events are scoped into that incident.

When a Respond Incident is updated with new information, the Respond Analyst will update the incident in ServiceNow.


The Respond Analyst includes the ServiceNow case number and links back to the incident in the ServiceNow Security Operations console.

Links back to the Respond Analyst incident are included in the data pushed to ServiceNow. These can be used to access incident details and close the incident proactively in the Respond Analyst if desired.

On an ongoing basis, the Respond Analyst will request the status of incidents in ServiceNow, and if an incident in ServiceNow is closed, the Respond Analyst will close the corresponding incident. If the user has defined the optional settings to return the *FEEDBACK* values, those will be used to close the incident. If those are not set, the incident will be closed with a resolution of “Inconclusive” in the Respond Analyst.

If a user closes an incident in the Respond Analyst UI, Respond will not close the incident in ServiceNow and will stop requesting the status of that incident in ServiceNow.
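The closure rules described above are asymmetric, which matters when auditing which system holds the authoritative incident state. The following Python model is an added example, not Respond Software or ServiceNow code; the record layout, the `state` value `closed`, the `feedback` field name and the case numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_RESOLUTION = "Inconclusive"  # used when no feedback value is returned

@dataclass
class RespondIncident:
    incident_id: str
    snow_case: str                    # ServiceNow case number linked to it
    is_open: bool = True
    resolution: Optional[str] = None
    polling: bool = True              # still requesting status from ServiceNow

def close_in_respond(inc, resolution):
    """Analyst closes in the Respond UI: no write to ServiceNow, polling stops."""
    inc.is_open, inc.resolution, inc.polling = False, resolution, False

def poll_once(incidents, snow_cases, feedback_field=None):
    """One status pass; returns the ids closed because ServiceNow closed them."""
    closed = []
    for inc in incidents:
        if not inc.polling or not inc.is_open:
            continue                           # nothing left to reconcile
        case = snow_cases.get(inc.snow_case, {})
        if case.get("state") != "closed":      # hypothetical state value
            continue
        feedback = case.get(feedback_field) if feedback_field else None
        inc.is_open, inc.polling = False, False
        inc.resolution = feedback or DEFAULT_RESOLUTION
        closed.append(inc.incident_id)
    return closed

def demo():
    # Constructed sample data: three incidents and their ServiceNow cases.
    incs = [RespondIncident("R-1", "SIR001"), RespondIncident("R-2", "SIR002"),
            RespondIncident("R-3", "SIR003")]
    snow = {"SIR001": {"state": "closed", "feedback": "Malicious"},
            "SIR002": {"state": "closed"},
            "SIR003": {"state": "open"}}
    close_in_respond(incs[2], "Closed by analyst")
    first = poll_once(incs, snow, feedback_field="feedback")
    snow["SIR003"]["state"] = "closed"         # closed later in ServiceNow
    second = poll_once(incs, snow, feedback_field="feedback")
    return incs, snow, first, second

if __name__ == "__main__":
    for inc in demo()[0]:
        print(inc)
```

In this model an incident closed in the Respond UI keeps its own resolution even when the ServiceNow case is closed later, and the ServiceNow case stays open until someone closes it there.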


The Respond Analyst investigates, scopes, triages and correlates events, increasing the incident remediation capabilities of ServiceNow Security Operations. The Respond Analyst enables security analysts to stop looking at consoles all day and start investigating incidents, an improved use of their time. The combination of the Respond Analyst and ServiceNow Security Operations will result in reduced attack dwell time for customers that have or are considering the usage of both solutions.

For more information on the Respond Analyst and SOAR:

Is the Respond Analyst a SOAR Tool?

Putting the Automation into SOAR


*** This is a Security Bloggers Network syndicated blog from Blog – Respond Software authored by Mike Reynolds. Read the original post at: