Under the Lens — ServiceNow

Expanding your organization’s security playbook can appear daunting at times. With so many tools, platforms, and integration options available it’s not always clear where the most immediate benefits lie.

In this month’s edition, we’re taking a closer and more curated look at the ServiceNow suite of security products.

Let's begin with the basics. ServiceNow provides an integrated security and operations platform across key areas:

• Security Operations:

  1. ServiceNow SecOps delivers security incident response, vulnerability management, and threat intelligence in a single platform, connecting security and IT teams for faster resolutions.

  2. ServiceNow Vulnerability Management specifically handles the complete vulnerability lifecycle, from identification to remediation, with risk-based prioritization and automated workflows. ServiceNow NVD integration assists with managing such vulnerabilities.

  3. Security Incident Response (SIR) orchestrates the entire incident response lifecycle, from detection and analysis to containment, eradication, and recovery. SIR automates workflows, facilitates collaboration, and provides a centralized platform for managing security incidents, minimizing their impact, and ensuring timely resolution.
     

• IT Service Management & Infrastructure:

  1. ServiceNow ITSM forms the backbone of IT service delivery, incident management, and change management processes.

  2. Incident Management streamlines the process of recording, classifying, investigating, and resolving incidents, minimizing downtime and service disruptions.

  3. Service Operations Workspace provides a unified, modern interface for IT teams to manage incidents, problems, changes, and other service-related tasks efficiently. It offers real-time dashboards and contextual information for improved productivity.

  4. Asset Management tracks and manages IT assets throughout their lifecycle, from procurement to disposal, ensuring accurate inventory and enabling better decision-making.

  5. At its core, the ServiceNow CMDB (Configuration Management Database) maintains a single system of record for all IT assets and their relationships.

  6. Service Graph Connectors extend this capability by automatically populating and maintaining CMDB data from various sources, ensuring accurate infrastructure visibility.
     

• IT Operations:

  1. ServiceNow ITOM (IT Operations Management) enables service mapping, event management, and operational intelligence, with Discovery and Service Mapping providing comprehensive visibility into IT infrastructure.

  2. ServiceNow integrates with firewall management tools to automate audit processes, generate reports on firewall rule compliance, identify potential security gaps, and ensure adherence to security policies.

     
     

• Platform Security:

  1. ServiceNow Platform Security includes role-based access control, encryption, and audit logging, while Now Platform serves as the foundation for secure application development and workflow automation.

Optimizing ServiceNow Platform Usage:

• Utilize Flow Designer: Easily build automated workflows without coding using Flow Designer's drag-and-drop interface. Create reusable workflows and set up automated processes that start based on specific triggers, performing pre-defined actions. Connect your different business applications using pre-built connectors from Integration Hub.
  

• Data normalization and cleansing: Ensure data quality by implementing data normalization and cleansing processes. The data can be sent to import sets and further transformed via Transform Map for data mapping and normalization. This is crucial for accurate reporting, analytics, and automation.
  
  

• Use REST APIs: Leverage ServiceNow's REST APIs to integrate with other systems and applications.  REST API allows us to insert data into ServiceNow. We can make use of their various built-in endpoints. Rather than using the API for outbound purposes, these APIs are used to send data to ServiceNow. These APIs also allow easy ingestion of webhook/stream data into ServiceNow.
  

• Make use of Service Graph Connectors by fetching information on all assets in your organization. The data is then pushed into ServiceNow CMDB. The data can be leveraged in Security Incident Response and Vulnerability Response and if devices or assets are affected, necessary actions can be taken once the data is added to CMDB.  For Vulnerability Management, in case of vulnerability detection, the Service Graph Connector allows us to find which device(s) is affected.

ServiceNow Integration Best Practices:

• Authentication & Authorization

  • Implement OAuth 2.0 or mTLS instead of basic auth

  • Define granular OAuth roles with specific scopes

  • Maintain regular rotation of API credentials

• Data Management

  • Standardize data models between ServiceNow CMDB and security tools

  • Use Service Graph Connectors for accurate CMDB mapping

  • Implement robust CI identification rules to prevent duplicates

• Event Processing

  • Configure webhooks for significant security events only

  • Implement deduplication for incident creation

  • Set up appropriate rate limiting on both sides

• API Optimization

  • Use pagination for large datasets (e.g., 1000 records per request)

  • Implement bulk synchronization instead of individual calls

  • Monitor and respect API rate limit

  • Outbound API calls should be asynchronous to prevent the ServiceNow Server from waiting for a response.

• Infrastructure

  • Deploy dedicated MID Servers for security integrations

  • Position MID Servers in the respective network zones

  • Enable proper logging and monitoring

  • Implement high availability with redundant endpoints

• Automation

  • Utilize Flow Designer and IntegrationHub for workflows

  • Configure bi-directional updates between systems

  • Implement automated incident triage with decision trees

Security Application and Version Updates

• Splunk Platform's OpenSSL 3 Migration is planned for later in 2025 for both Splunk Cloud and Enterprise, bringing several important changes:

  • Apps will need explicit opt-in for compatibility with the new version through Splunkbase's app release page.

  • Platform upgrades include Python 3.9, NodeJS 20, and exclusive TLS 1.2 support (older SSL/TLS versions deprecated).

  • Testing requirements now mandate validation against the Splunk Enterprise Beta to ensure OpenSSL 3 compatibility.

  • Developers must update incompatible apps by April 2025 to avoid any service disruption.
    
    

• Palo Alto Network’s Cortex XSOAR 8.9 was made generally available in February 2025 with a bunch of updates some of which are mentioned below:

  • Playbooks received a visual refresh and now have collapsible sections for improved navigation.

  • Development tenants now have unlimited user licenses.

  • Other enhancements include bulk actions for retaining incidents, improved War Room filtering, enhanced engine upgrades and broader platform support, better remote repository management, deeper audit logging, Syslog integration for logs and alerts, new Guard Rail alerts, and new administration APIs.

  • Release notes include more details of the update.
    

• OCSF recently released its latest version, v 1.4.0 with the following updates:

  • New Category: "Unmanned Systems" category added.

  • New Event Classes: Several new event classes were added across categories, including "OSINT Inventory Info," "Script Activity," "Drone Flights Activity," "Airborne Broadcast Activity," "Cloud Resources Inventory Info," and "Application Error."

  • New Profile: "incident" profile was added.

  • New Dictionary Attributes: Numerous new attributes were added, including has_mfa, environment_variables, related_cves, exploit_last_seen_time, and attributes to support SBOM data (sbom, author, software_component, etc). Support for unmanned systems data (altitude, speed, location) was added.
    

• Palo Alto Networks' Cortex XSIAM released version 2.5 with security operations updates. Key updates include:

  • Expanded Capabilities: Streamlined SIEM upgrades with bulk data import, enhanced investigations with MITRE ATT&CK TTPs and enriched Causality Forensics Highlights, Prisma Access Browser integration, website data in ASM, and expanded automated exposure remediation.

  • Enhanced Platform: Improved Broker VM visibility and auditing, enhanced version compatibility notifications, additional alert fields in emails, simplified self-service asset management, War Room filtering, custom alert field mapping, new rule tags, protection against malicious ASP/ASPX files, visibility of CVEs without CVSS scores, integration permissions via RBAC, new API capabilities, playbook collapsible sections and visual refresh, role-based access control for integration commands, and more.

You can find more details in their official release notes.

Insights: From Our Integration Factory

• Google SecOps + OT Security: This integration between Google SecOps and OT security solutions enhances threat detection and incident response capabilities within operational technology environments. By ingesting OT security data into Google SecOps, organizations gain a unified view of their security posture across both IT and OT domains. This allows for more comprehensive threat analysis, faster incident investigation, and improved overall security management for critical infrastructure.

  Key Data Streams:

  • Security Logs and Alerts: Captures security events and alerts generated by OT security tools, such as intrusion detection systems, firewalls, and endpoint protection platforms.

  • Asset Inventory and Configuration Data: Imports information about OT assets, including devices, controllers, and network infrastructure, along with their configurations and relationships.

  • Vulnerability and Threat Intelligence: Ingest vulnerability data specific to OT devices and systems, along with threat intelligence feeds.
    
    

• Cortex XSOAR + IoT Security: This integration allows security teams to automate incident response workflows for IoT devices. By connecting Cortex XSOAR with IoT security platforms, organizations can automatically trigger actions based on detected threats or vulnerabilities. This includes actions like isolating compromised devices, patching vulnerabilities, or notifying relevant stakeholders.

This automation accelerates response times, reduces manual effort, and improves the overall security posture of IoT environments.

• ServiceNow Vulnerability Response + OT Security: This integration extends vulnerability management capabilities to operational technology environments. By integrating ServiceNow Vulnerability Response with OT security solutions, organizations can centralize vulnerability data from both IT and OT assets. This consolidated view enables security teams to prioritize and remediate vulnerabilities across the organization, reducing the risk of cyberattacks.
  

• We released Splunk NVD-CVE-Fetcher-App version 1.0.3 in February 2025. This latest version includes an update to the Splunk_SDK to its newest version. The app requires Splunk Enterprise 9.0 or above and allows Splunk administrators to fetch vulnerabilities from the National Vulnerability Database (NVD) into Splunk. It uses a dedicated "nvd_vulnerabilities" index and can be configured with customizable polling intervals. The app supports optional API key authentication and allows users to specify how many historical days of vulnerability data they want to fetch.
  
  The previous version (1.0.2) was released in July 2024 and included updates to internal libraries and the Splunk Addon builder.

To know more about the latest update on the app, you can also check out our blog on NVD-CVE Fetcher App.