ServiceNow
TL;DR ServiceNow:
To integrate ServiceNow and perform searches with Query:
- Generate OAuth2 Client ID and Client Secret from your ServiceNow tenant
- Get the incident table name
- Using above values, configure connection to ServiceNow from your Go Query interface
- Perform searches using the new connection
Overview
ServiceNow is a common choice for SOCs to manage incident workflow. While investigating incidents, analysts collaborate with each other in ServiceNow and capture results, evidence, status, and progress information in the tool. Because it holds the organization's incident history, ServiceNow also becomes a key data source that analysts want to search when they start a new investigation. If you are using ServiceNow, you can now query incident data from your tenant.
Prerequisites
- Obtain Client ID
- Obtain Client Secret
- Obtain Incident Table Schema
Adding connection in Query
From the Connections page in Query, add a new connection to ServiceNow, providing your tenant's URL along with the information obtained above.
Querying from ServiceNow
You can search for incidents in ServiceNow.
Search results will contain:
- relevant incidents from ServiceNow mapped to Security Findings in QDM.
- incident summary information: incident name, status, assignee, severity, target device/user, and attacker IP.
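The exchange the connector performs against the tenant and the flattening of an incident row into the summary fields listed above, as an added Python example (not Query's or ServiceNow's own code). It assumes the standard ServiceNow OAuth endpoint `/oauth_token.do`, the Table API at `/api/now/table/<table>`, the default incident state and severity codes, a client-credentials grant (which your instance version must support), and a hypothetical custom column `u_attacker_ip`.

```python
from urllib.parse import urlencode
# Default incident choice codes (assumed standard; verify on your instance).
STATE = {"1": "New", "2": "In Progress", "3": "On Hold",
         "6": "Resolved", "7": "Closed", "8": "Canceled"}
SEVERITY = {"1": "High", "2": "Medium", "3": "Low"}
# u_attacker_ip is a hypothetical custom column; the others are standard incident fields.
SUMMARY_FIELDS = ["number", "short_description", "state", "assigned_to",
                  "severity", "cmdb_ci", "caller_id", "u_attacker_ip"]

def token_request(tenant, client_id, client_secret):
    """OAuth2 client-credentials exchange; the secret travels in the POST body, never the URL."""
    return (f"https://{tenant}.service-now.com/oauth_token.do",
            {"grant_type": "client_credentials",
             "client_id": client_id, "client_secret": client_secret})

def incident_query(tenant, table="incident", since="2024-01-01", limit=50):
    """Table API GET limited to the columns we map and a bounded row count."""
    params = {"sysparm_query": f"opened_at>={since}^ORDERBYDESCopened_at",
              "sysparm_fields": ",".join(SUMMARY_FIELDS),
              "sysparm_display_value": "all", "sysparm_limit": limit}
    return f"https://{tenant}.service-now.com/api/now/table/{table}?{urlencode(params)}"

def _display(v):
    # With sysparm_display_value=all, fields arrive as {"display_value": ..., "value": ...}.
    return v.get("display_value", v.get("value", "")) if isinstance(v, dict) else (v or "")

def _code(row, key):
    # Raw stored value (choice code or reference sys_id), whatever the response shape.
    v = row.get(key, "")
    return v["value"] if isinstance(v, dict) else v

def normalize(row):
    """Flatten one incident row into the summary fields the connector exposes."""
    return {"name": f"{_display(row.get('number'))}: {_display(row.get('short_description'))}",
            "status": STATE.get(_code(row, "state"), _display(row.get("state"))),
            "assigned_to": _display(row.get("assigned_to")),
            "severity": SEVERITY.get(_code(row, "severity"), _display(row.get("severity"))),
            "target": _display(row.get("cmdb_ci")) or _display(row.get("caller_id")),
            "attacker_ip": _display(row.get("u_attacker_ip"))}

# Constructed sample of a Table API response body (not from a real tenant).
SAMPLE = {"result": [{
    "number": {"display_value": "INC0010042", "value": "INC0010042"},
    "short_description": {"display_value": "Suspicious login", "value": "Suspicious login"},
    "state": {"display_value": "In Progress", "value": "2"},
    "assigned_to": {"display_value": "Jane Analyst", "value": "00000000000000000000000000000001"},
    "severity": {"display_value": "1 - High", "value": "1"},
    "cmdb_ci": {"display_value": "WKSTN-042", "value": "00000000000000000000000000000002"},
    "caller_id": {"display_value": "J. Doe", "value": "00000000000000000000000000000003"},
    "u_attacker_ip": {"display_value": "203.0.113.7", "value": "203.0.113.7"}}]}
findings = [normalize(r) for r in SAMPLE["result"]]
```

Restricting `sysparm_fields` and `sysparm_limit` keeps the integration account from pulling whole incident records it does not need, and the normalizer tolerates both the bare-string and `display_value` response shapes.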