The following tables describe permissions for ITSM or SecOps apps and Vulnerability Response.

ITSM or SecOps App Actions Permissions

The ITSM and SecOps Apps support the same actions.

ServiceNow Action Notation Name Permissions
Configuration Profile - Create/Update/Delete org.alerts READ
Configuration Profile - Asset Inventory Ingest device READ
Alert Filtering - Create/Update/Delete org.alerts READ
Incident Creation - Create/Update/Delete org.alerts READ
Field Mapping - Create/Update/Delete org.alerts READ
Scheduling - Create/Update/Delete org.alerts READ
Alert Ingestion - Update org.alerts READ
Bi Directional Sync org.alerts READ
Close Incident and Alert Closure org.alerts.close EXECUTE
Close Alert Manually org.alerts.close EXECUTE
Ban / Unban process hash org.reputations CREATE
Get File from Asset
  • device
  • org.liveresponse.session
  • org.liveresponse.file
  • device: READ
  • org.liveresponse.session: CREATE, READ, DELETE
  • org.liveresponse.file: READ
Put File on Asset
  • device
  • org.liveresponse.session
  • org.liveresponse.file
  • device: READ
  • org.liveresponse.session: CREATE, READ, DELETE
  • org.liveresponse.file: CREATE, READ
Delete File from Endpoint
  • org.liveresponse.session
  • org.liveresponse.file
  • org.liveresponse.session: CREATE, READ, DELETE
  • org.liveresponse.file: READ, DELETE
Close Alerts org.alerts.close EXECUTE
Get Process Metadata org.search.events CREATE, READ
Get Binary Metadata from UBS ubs.org.sha256 READ
Get Endpoint (Asset) Information device READ
Get Enriched Events org.search.events CREATE, READ
Get Running Processes
  • org.liveresponse.session
  • org.liveresponse.process
  • org.liveresponse.session: CREATE, READ, DELETE
  • org.liveresponse.process: READ
Update Endpoint (Asset) Policy device.policy UPDATE
Quarantine / Unquarantine Endpoint device.quarantine EXECUTE
Kill process on an endpoint
  • org.liveresponse.session
  • org.liveresponse.process
  • org.liveresponse.session: CREATE, READ, DELETE
  • org.liveresponse.process: READ, DELETE
Add or remove an IoC to or from a Feed org.feeds CREATE, UPDATE
Download Binary from UBS ubs.org.file READ
Enable/Disable Asset Bypass device.bypass EXECUTE
Get Process Executions by Hash org.search.events READ, CREATE
Ignore an IOC org.watchlists UPDATE
Add a note to an Alert org.alerts.notes CREATE
Get Directory Information
  • device
  • org.liveresponse.session
  • org.liveresponse.file
  • device: READ
  • org.liveresponse.session: CREATE, READ, UPDATE, DELETE
  • org.liveresponse.file: READ
Get Registry Key Information On Asset
  • device
  • org.liveresponse.session
  • org.liveresponse.registry
  • device: READ
  • org.liveresponse.session: CREATE, READ, UPDATE, DELETE
  • org.liveresponse.registry: READ
Manage Registry Key Information
  • device
  • org.liveresponse.session
  • org.liveresponse.registry
  • device: READ
  • org.liveresponse.session: CREATE, READ, UPDATE, DELETE
  • org.liveresponse.registry: CREATE, READ, UPDATE, DELETE
Get External Device Information external-device.manage READ
Close Future Alerts org.alerts.close EXECUTE
Submit Live Query Run livequery.manage CREATE, READ
Approve an external USB device external-device.manage CREATE
Get/Approve/Reject Alert Recommendation org.recommendations CREATE, READ, DELETE
Execute a Custom Script on the Endpoint
  • device
  • org.liveresponse.session
  • org.liveresponse.process
  • device: READ
  • org.liveresponse.session: CREATE, READ, UPDATE, DELETE
  • org.liveresponse.process: EXECUTE

Vulnerability Response Data Ingest Permissions

The Vulnerability Response App requires the following permissions for data ingest:

ServiceNow Action Notation Name Permissions
Configuration Profile - Create/Update/Delete vulnerabilityAssessment.data READ
Configuration Profile - Asset Inventory Ingest device READ
Ingest Vulnerability Data vulnerabilityAssessment.data READ
Ingest Device Data device READ