This topic describes ServiceNow use cases.

  • Automate alert triage and ticket creation
  • Ticket enrichment with endpoint device context
  • Orchestrate and standardize incident response tasks
  • CMDB enrichment with Endpoint Device Context
  • Create Vulnerability items and link them to items in the CMDB

Carbon Black Cloud Alert Ingestion

  • Control which alerts are brought into ServiceNow from Carbon Black Cloud using the Alerts v7 API.
  • Customize which alerts create incidents based on incident creation criteria and alert aggregation criteria.
  • Specify field mappings to populate ServiceNow Incidents with Carbon Black Cloud Alert metadata.
  • ServiceNow admins can control which SOAR actions are available for each user group.
  • Bi-directional syncing of alerts between systems, including notes.
  • SOAR Actions, across context, remediation, and orchestration use cases.
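Added example, not code from the Carbon Black Cloud ServiceNow app: a small model of the three ingestion controls above (an ingestion filter, incident creation plus aggregation criteria, and alert-to-incident field mappings) run over constructed alerts. The alert field names follow the Alerts v7 API shape, and the thresholds, mapping and priority scale are assumptions.

```python
# Added example, not the app's own code. Models the ingestion filter,
# incident creation/aggregation criteria and field mappings described above.
# Alert field names are assumed (Alerts v7 shape); sample data is constructed.

MIN_SEVERITY_TO_INGEST = 3        # assumed ingestion filter
INGESTED_TYPES = {"CB_ANALYTICS", "WATCHLIST"}
MIN_SEVERITY_FOR_INCIDENT = 7     # assumed incident creation criterion

FIELD_MAP = {  # ServiceNow incident field <- Carbon Black Cloud alert field (assumed)
    "short_description": "reason",
    "cmdb_ci": "device_name",
    "correlation_id": "threat_id",
}

SAMPLE_ALERTS = [  # constructed sample alerts; every value is made up
    {"id": "A1", "type": "CB_ANALYTICS", "severity": 9, "threat_id": "T1",
     "device_id": 101, "device_name": "WS-01", "reason": "Credential theft tool"},
    {"id": "A2", "type": "CB_ANALYTICS", "severity": 8, "threat_id": "T1",
     "device_id": 101, "device_name": "WS-01", "reason": "Credential theft tool"},
    {"id": "A3", "type": "WATCHLIST", "severity": 7, "threat_id": "T2",
     "device_id": 102, "device_name": "SRV-02", "reason": "Watchlist hit"},
    {"id": "A4", "type": "CB_ANALYTICS", "severity": 2, "threat_id": "T3",
     "device_id": 103, "device_name": "WS-03", "reason": "Low-severity activity"},
    {"id": "A5", "type": "DEVICE_CONTROL", "severity": 8, "threat_id": "T4",
     "device_id": 101, "device_name": "WS-01", "reason": "USB device blocked"},
]

def severity_to_priority(severity):
    """Map a 1-10 alert severity onto ServiceNow priority 1 (highest) to 4 (assumed scale)."""
    return 1 if severity >= 9 else 2 if severity >= 7 else 3 if severity >= 4 else 4

def ingest(alerts):
    """Ingestion filter: keep only the alert types and severities the SOC wants in ServiceNow."""
    return [a for a in alerts
            if a["type"] in INGESTED_TYPES and a["severity"] >= MIN_SEVERITY_TO_INGEST]

def build_incidents(alerts):
    """Apply the incident creation criterion, aggregate alerts sharing a threat and
    device into one incident, and populate its fields through FIELD_MAP."""
    incidents = {}
    for alert in ingest(alerts):
        if alert["severity"] < MIN_SEVERITY_FOR_INCIDENT:
            continue                                   # ingested, but no ticket
        key = (alert["threat_id"], alert["device_id"])  # aggregation criterion
        inc = incidents.get(key)
        if inc is None:
            inc = {sn_field: alert[cb_field] for sn_field, cb_field in FIELD_MAP.items()}
            inc.update(priority=4, alert_ids=[])
            incidents[key] = inc
        inc["alert_ids"].append(alert["id"])           # keep the link to every aggregated alert
        inc["priority"] = min(inc["priority"], severity_to_priority(alert["severity"]))
    return list(incidents.values())
```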

ServiceNow data collection screen

Multi-tenancy

Domain separation to configure ingestion and isolation of Alerts data from multiple Carbon Black Cloud organizations.

Streamlined ServiceNow ITSM Incident Creation and Lifecycle Management

  • Automated and manual ServiceNow ITSM Incident ticket creation based on Carbon Black Cloud Alerts.
  • Customizable field mappings between Carbon Black Cloud Alerts and ServiceNow ITSM Incident tickets.
  • Automated, bi-directional updates between Carbon Black Cloud and ServiceNow for alerts, updates, and closure.

Ingest Vulnerability Information

Ingest vulnerability information from Carbon Black Cloud.

SOAR Capabilities

Note: Which SOAR actions are available depends on the capabilities of the deployed sensors and on the permissions configured for the API credentials.
  • Built-in context and remediation actions for Security Orchestration, Automation, and Response (SOAR) workflows.
  • Automated logging and record keeping of incident response actions in ITSM Incident ticket work notes.
  • Control which SOAR actions are available for each user group.
  • Perform the following SOAR actions in ServiceNow:
    • Search and Context
      • From Alert:
        • Search for Process Metadata
        • Search for Enriched Events
        • Get Binary Metadata From UBS
        • Download Binary from UBS
        • Search For Process Executions by Hash
      • From Alert or Device:
        • Search for Running Processes
        • Get Endpoint Info, including OS, sensor version and state, and last check-in time
        • Get File From Endpoint
    • Remediation
      • From Alert:
        • Ban and Unban a Process Hash
        • Add an IOC to a Feed, or remove it from the Feed
        • Ignore an IOC
        • Approve or Reject Policy Recommendations
        • Approve External USB Device
      • From Alert or Device:
        • Delete File on Endpoint
        • Quarantine and Unquarantine Endpoint
        • Update Endpoint Policy
        • Kill a Process on an Endpoint
        • Enable and Disable Bypass on an Asset
        • Manage Registry Key Information
        • Get Directory Information
        • Submit Live Query Run
        • Execute a Custom Script
      • From Vulnerability:
        • Get Vulnerable Endpoints
    • Orchestration
      • From Alert:
        • Close Alerts
        • Add a Note to an Alert
        • Close all Future Alerts