ServiceNow is a platform that provides workflow automation for a variety of operational and management use cases primarily targeting IT and security teams.

Integrating telemetry and response actions from the Carbon Black Cloud into ServiceNow streamlines security processes by providing built-in endpoint context and response actions in a single pane of glass. With full incident management capabilities and long term record keeping, security teams leveraging the Carbon Black Cloud Apps for ServiceNow can streamline coordination within the SOC during incidents and reduce friction in their team.

Carbon Black Cloud alerts in ServiceNOW


  • Automated Ticket Creation and Lifecycle Management.
  • Ingest and manage Carbon Black Cloud alerts in ServiceNow.
  • Automatically ingest Carbon Black Cloud alerts and other inputs into ServiceNow.
  • Populate ServiceNow tickets with data from Carbon Black Cloud.
  • Sync updates across both consoles when tasks are changed or completed.

Automate incident response actions in ServiceNow

  • Leverage built-in response actions to orchestrate endpoint remediation from within ServiceNow.
  • Perform core response actions, including quarantine endpoint, ban hash, get processes and kill process, from within ServiceNow.
  • Pivot directly into the Carbon Black Cloud console for deeper investigations.

Integration Apps

Depending on what features you have with ServiceNow, Carbon Black offers three main integration apps.

  • ITSM App: When an alert occurs in Carbon Black Cloud, create a ticket in ServiceNow. The Carbon Black Cloud integration with the ServiceNow IT service management (ITSM) module provides endpoint device context and metadata within tickets to streamline IT workflows and reduce manual data collection.
  • SecOps App: When an alert occurs in Carbon Black Cloud, create an incident in ServiceNow. The Carbon Black Cloud integration with the ServiceNow SecOps module provides access to additional endpoint response actions, threat intelligence and metadata to contextualize and accelerate security investigations.
  • Vulnerability Response (VR) App: Periodically ingest Vulnerability information identified by Carbon Black Cloud, and the related Device metadata from Carbon Black Cloud into Service Now. The VR App can be used in addition to the SecOps or ITSM app, or stand-alone.
  • All apps have a reliance on the Base App, which is used to integrate Carbon Black Cloud with ServiceNow and integrate relevant endpoint alerts and context directly into ServiceNow ticketing and incident workflows. The Base app is automatically installed when installing the ITSM app, SecOps app, or Vulnerability Response App.


  • Access to Carbon Black Cloud
  • ServiceNow
    • Utah, Vancouver, and Washington DC are the supported versions.
    • ServiceNow ITSM or ServiceNow SecOps to run the ITSM or SecOps apps
  • ServiceNow Plugins
    • Domain Support - Domain Extensions Installer
    • Vulnerability Response
Note: This app has not been reviewed for FedRAMP Compliance for use in the AWS GovCloud (US) environment.

ServiceNow App Downloads

Download from the ServiceNow App Store.

Support and Resources

  • Report bugs and change requests to Broadcom Carbon Black Support.
  • View all API and integration offerings on the Developer Network together with reference documentation, video tutorials, and how-to guides.
  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.