ServiceNow Integration: Maximizing Automation for Incident Detection and Remediation

by Mike Reynolds
category Product
tags cybersecurity, Security Automation, Security Operations Center

Automation is becoming more prevalent in, and more sought after by, Security Operations Centers (SOCs). This is driven by the increasing cybersecurity skills gap, intensified by the volume of security data and events that require analysis. To address this, SOC teams are looking at how they can integrate multiple tools from different vendors to handle the large volume of events and maximize automation benefits along the way.

However, in our interactions with customers, we are finding a great deal of frustration among organizations that are trying to integrate their tools. Much of this frustration comes from the siloed nature of these tools and the inability to aggregate the volume of data and events generated by security sensors, not to mention the correlation and decision-making that needs to happen to find malicious behavior. When their tools don’t work together, organizations miss out on the automation benefits for incident remediation.

Exacerbating this frustration is the sheer amount of time, effort and cost it takes to write playbooks for some of these tools. Additionally, playbooks must be maintained over time to keep up with the latest Tactics, Techniques and Procedures (TTPs), which are constantly changing.

As we announced last fall, the Respond Analyst integrates with ServiceNow. This integration allows Respond to handle the heavy lifting of monitoring, triaging and scoping security alerts. Once incidents are identified and false positives are suppressed, the Respond Analyst forwards the malicious incidents that require remediation, and users can leverage the workflows and remediation processes they have already built out in ServiceNow.

Increasing the Value of Existing Systems through Extended Detection and Response (XDR)

The Respond Analyst, an XDR Engine from Respond Software, enables organizations to unlock the true automation capabilities of their SOAR deployments by managing the up-front analysis and triage of events before they are passed to other systems. The Respond Analyst scales to handle millions of events, escalating actionable and malicious incidents while filtering out false positives. Unlike other tools, the Respond Analyst does not require coding, customization or maintenance. Leveraging the Respond Analyst with other security systems reduces attack dwell time, remediates security issues faster and elevates analyst collaboration.

The Respond Analyst and ServiceNow Integration

As new incidents are created in the Respond Analyst, it can be configured to make API calls to any ServiceNow application using the Account specified in the integration's configuration settings, pushing all the fields mapped in the 'Import Web Service.' The security analyst does not need to manually open a case in ServiceNow and populate it with relevant information, as that process is automated. The Respond Analyst executes this process when an incident is detected and continues to update the case in ServiceNow if and when new events are scoped into that incident.

When a Respond Incident is updated with new information, the Respond Analyst will update the incident in ServiceNow.

The Respond Analyst includes the ServiceNow case number and links back to the incident in the ServiceNow console.

Links back to the Respond Analyst incident are included in the data pushed to ServiceNow. These can be used to access incident details and close the incident proactively in the Respond Analyst if desired.

On an ongoing basis, the Respond Analyst will request the status of incidents in ServiceNow, and if an incident in ServiceNow is closed, the Respond Analyst will close the corresponding incident. If the user has defined the optional settings to return the *FEEDBACK* values, those will be used to close the incident. If those are not set, the incident will be closed with a resolution of "Inconclusive" in the Respond Analyst.

If a user closes an incident in the Respond Analyst UI, Respond will not close the incident in ServiceNow and will stop requesting the status of that incident in ServiceNow.
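
The synchronization rules above can be modeled as a small state machine. The following is an added example, not code from Respond Software or ServiceNow: every class, field and ticket number in it is hypothetical, and an in-memory dictionary stands in for ServiceNow so no real API is called.

```python
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_RESOLUTION = "Inconclusive"  # used when no *FEEDBACK* value is returned

@dataclass
class Ticket:  # hypothetical stand-in for a ServiceNow record
    number: str
    state: str = "open"
    feedback: Optional[str] = None  # optional *FEEDBACK* value, if configured
    events: list = field(default_factory=list)

@dataclass
class Incident:  # hypothetical stand-in for a Respond Analyst incident
    incident_id: str
    ticket_number: Optional[str] = None
    state: str = "open"
    resolution: Optional[str] = None
    polling: bool = False

class Sync:
    def __init__(self):
        self.tickets = {}    # constructed in-memory "ServiceNow"
        self.incidents = {}

    def push(self, incident_id, events):
        """Create the ticket on detection; update it as new events are scoped in."""
        inc = self.incidents.setdefault(incident_id, Incident(incident_id))
        if inc.ticket_number is None:
            inc.ticket_number = f"TKT{len(self.tickets) + 1:04d}"  # constructed number
            self.tickets[inc.ticket_number] = Ticket(inc.ticket_number)
            inc.polling = True
        self.tickets[inc.ticket_number].events.extend(events)
        return inc.ticket_number

    def close_locally(self, incident_id, resolution):
        """Close in the Respond UI: the ticket is left open and polling stops."""
        inc = self.incidents[incident_id]
        inc.state, inc.resolution, inc.polling = "closed", resolution, False

    def poll(self):
        """Periodic status request: mirror ServiceNow closures into incidents."""
        closed = []
        for inc in self.incidents.values():
            if not inc.polling:
                continue
            ticket = self.tickets[inc.ticket_number]
            if ticket.state == "closed":
                inc.state, inc.polling = "closed", False
                inc.resolution = ticket.feedback or DEFAULT_RESOLUTION
                closed.append(inc.incident_id)
        return closed
```

Closure propagates in one direction only in this model: an incident closed through `close_locally` leaves its ticket open, so the ServiceNow side still needs its own closure step.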

The Respond Analyst investigates, scopes, triages and correlates events, and integrates with ServiceNow applications. It enables security analysts to stop looking at consoles all day and start investigating incidents, a better use of their time. The combination of the Respond Analyst and ServiceNow will result in reduced attack dwell time for customers that have or are considering using these solutions.
