Today’s security climate requires modern enterprises to operate and scale up at lightspeed to respond to incidents. ServiceNow SecOps offers platform APIs, integration tools, and analytics capabilities that help organizations address security concerns faster by integrating valuable resources inside and outside the enterprise.

SecOps integration kits support broad integrations, automated workflows, orchestrated external systems, and continual security improvements. Consequently, they directly drive business results — and avoid the usual integration boundaries between people, data, systems, and processes!


Several integrations are included with the Security Operations applications, viz., Security Incident Response, Threat Intelligence, and Vulnerability Response.

Securing an organization seamlessly boils down to activating the relevant plugins and configuring the integrations. SecOps also provides guidelines for developing custom integrations! SecOps works flawlessly with third-party tools such as Qualys, Tanium, Cylance, IBM QRadar, Palo Alto Networks, Splunk, and VirusTotal, among others.

How ServiceNow SecOps Integration Works

The ServiceNow SecOps Integration Capabilities framework provides a consistent architecture to support interoperability with third-party integrations. By abstracting the interface and data model, SecOps insulates the core security applications and provides a consistent and predictable user experience.

Any security incident launches the corresponding implementation workflow, which in turn activates the relevant plugins. Workflows can be executed in parallel or sequentially, or in a completely different order if needed.

SecOps Capability Functions
Block Action  Used to contain identified threats by blocking observables associated with a security incident on a firewall, web proxy, or other control point


Email Search and Delete  Identifies the number of threat emails from an email server search with options to get further details or delete the emails


Enrich CI  Enables you to enrich data for configuration items associated with a security incident


Enrich Observable  Contains identified threats by enriching observables with additional information from a variety of sources


Get Network Statistics  Retrieves a list of active network connections from a host or endpoint


Get Running Processes  Retrieves a list of running processes on a configuration item (CI) from a host or endpoint


Isolate Host  Restricts system connections to other devices


Publish to Watchlist  Adds observables and indicators associated with a security incident to a third-party watchlist that monitors for security events and generates alerts


Sightings Search  Accepts a set of observables, finds any integrations that support a Sightings Search, then executes these searches


Threat Lookups  Performs threat intelligence lookups to determine whether one or more observables are associated with known security threats


ServiceNow SecOps Integration Capabilities framework capabilities

For instance, when a Configuration Incident (CI) is added to an open security incident in Security Incident Response in a Tanium endpoint security and systems management implementation, the Get Running Processes workflow is triggered and identifies the running processes for the affected CI.

If your organization uses the Qualys Cloud Platform integration to detect vulnerabilities, you can integrate it with Vulnerability Response. When the third-party Qualys scanner detects vulnerability data, that data is imported to Vulnerability Response for tracking, prioritization, and resolution.

ServiceNow SecOps changes the way organizations look at security by integrating diverse applications on a single platform, automating workflow, removing dependencies on email, spreadsheets and other manual processes to transform the enterprise security space.

Credits: Icons designed by Eucalyp Studio under the Creative Commons 3.0 license.