AlienVault® USM Anywhere™

Launching a ServiceNow Response Action

Role Availability Read-Only Analyst   Manager

When you review the information in the Alarm Details, Event Details, or Vulnerability Details, you can easily launch an action to send a request to your connected ServiceNow instance to create a new incident ticket based on that item. (In USM Anywhere, you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp.) If you want to apply an action to similar events that occur in the future, you can also create an orchestration rule after you apply the action.

Note: Before launching a ServiceNow response action, the AlienApp for ServiceNow must be enabled and connected to your ServiceNow instance. For more information, see Configuring the AlienApp for ServiceNow.

To launch a ServiceNow response action for an alarm, event, or vulnerability

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.
  3. Click Select Action.

    Click Select Action in the vulnerability details

  4. In the Select Action dialog box, select the ServiceNow tile.

    Select the ServiceNow response action

    This displays the options for the selected response app. The App Action is set automatically according to the item type.

  5. (Optional.) If you have more than one USM Anywhere Sensor configured for the AlienApp for ServiceNow, use the Select Sensor option to set the sensor that you want to use for the action.
  6. Set the Incident Type for the new incident.

    The available incident types depend on the ServiceNow products that are active for the ServiceNow user account configured for the AlienApp. Use the Service Desk type to open a service desk incident in the IT Service Management product. If your account has the Security Incident Response product enabled, you can use the Security type to open a security incident.

    Set options to create a new ServiceNow incident

  7. (Optional.) Modify the description information for the new incident.

    The AlienApp populates these fields automatically from information in the alarm, event, or vulnerability. However, you can add your own static text in these fields if needed:

    • Short Description: This field contains the subject for the new incident. By default, the AlienApp populates this field with the name of the alarm, event, or vulnerability.
    • Description: This field contains information used to respond to the incident. By default, the AlienApp populates the information according to the item type. You might choose to include additional comments here, such as suggestions for the incident response handling.

    Set the description options for the new ServiceNow incident

  8. Click Run.

    After USM Anywhere initiates the action for an alarm or event, it displays a confirmation dialog box.

    You can create a rule to launch a ServiceNow response action for similar items

    If you want to create a rule to apply the action to similar items that occur in the future, click Create rule for similar alarms or Create rule for similar events and define the new rule. If not, click OK.