View ServiceNow Security App Incidents and Correlating IOCs

The Security Incident Response window lists all the security incidents that ServiceNow has created for your Threat Command alerts. From this list, the user can take the required action on each security incident ticket. Whenever the scheduled job runs, it imports the available alerts from Threat Command into the Rapid7 Threat Command for Security Incident Response and Threat Intelligence App (ServiceNow Security App) as security incidents. The default status of these imported security incidents is Draft.

Prerequisites:

To view security incidents:

  1. Log in to ServiceNow.
  2. From the left navigation pane, choose Rapid7 ServiceNow Security App > Security Incident Response.

The list of incidents available to the user is displayed.

  3. Click the incident number to view the details.

The following fields are imported from the Threat Command alert:

  • Alert ID
  • Alert header
  • Tags
  • Source type
  • Source URL
  • Source date
  • Severity
  • Related IOCs
  • Report date
  • Takedown status
  • Rapid7 Alert: Click this URL to see the alert in the Threat Command Alerts page.

The Threat Command alert screenshot is included as an attachment to the incident.

Note: Only the ServiceNow system administrator can update the security incidents' Out-Of-Box (OOB) fields from the list view.

All the members of the Rapid7 Assignment Group will receive an email whenever a security incident is created.

As the user works on a security incident, its status must be updated accordingly. The available statuses for security incidents are:

  • Draft: The default status of security incidents created in ServiceNow.
  • Analysis: The security incident is assigned to the Rapid7 group and user.
  • Contain: The assigned user has started analyzing the security incident.
  • Eradicate: The assigned user is working on the security incident to resolve the issue.
  • Recover: The assigned user has resolved the issue and is verifying the operational readiness of the affected system.
  • Review: The security incident has been completed but a post-incident review is required. See Post Incident Reviews.
  • Closed: The security incident is completed. The user is required to fill in the security incident survey in the Closure Information tab. Once the security incident is completed, an incident review report is generated in PDF format.

View correlating IOCs

IOCs that are related to Rapid7 alerts are saved as ServiceNow observables. When these observables are active in the ServiceNow environment, you can view the correlation between the IOCs that were sent with the alert and all the ServiceNow tickets that contain those same IOCs.