Documentation Center
AlienVault® USM Anywhere™

Managing Your ServiceNow Incidents

  Role Availability   Read-Only   Analyst   Manager

After the AlienApp for ServiceNow is configured and users execute the supported actionsIn USM Anywhere you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp. directly or through an orchestration rule, you can easily view a list of the ServiceNow incidents created by USM Anywhere and look at the events, alarms, and vulnerabilities related to the executed actions.

Viewing ServiceNow Incidents Created by USM Anywhere

In USM Anywhere, you can view a list of incidents created by an action applied directly to an alarmAlarms provide notification of an event or sequence of events that require attention or investigation., eventAny traffic or data exchange detected by AlienVault products through a Sensor, or through external devices such as a firewall., or vulnerabilityA known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security., as well as any from actions that were triggered by an orchestration rule. From the list, you can open the incident in your ServiceNow account to view additional information about the incident or make updates to the incident, such as assigning the item to a team member or changing the priority.

To access the ServiceNow incidents

  1. In USM Anywhere, go to DATA SOURCES > INTEGRATIONS.
  2. Click the AlienApps tab.

    Access the AlienApps page

  3. In the AlienApps page, click the ServiceNow tile.

    Click the ServiceNow tile

  4. Select the tab for the incidents type that you want to display.

    The available incident types depend on the ServiceNow products that are active for the ServiceNow user account configured for the AlienApp.

    Select Service Desk Incidents to view incidents created in the IT Service Management product.

    If your account has the Security Incident Response product enabled, select the Security Incidents tab to view the security incidents created in that product.

    View the ServiceNow incidents associated with USM Anywhere

    The displayed list includes all ServiceNow incidents generated by USM Anywhere, with the most recently opened items at the top. Here you can view the current status and assignment for the incident as reported by your ServiceNow instance.

  5. Click the View link to open the incident in the ServiceNow UI.

    In ServiceNow, you can assign the issue, change its status, or perform any of the functions supported for your account.

    Click View to launch the ServiceNow UI and open the incident

Filtering the Labeled Alarms and Vulnerabilities

USM Anywhere uses labels as a mechanism to classify alarms and vulnerabilities. These labels make it easy to filter items by label so that you can locate them easily and track their status. When the AlienApp for ServiceNow executes a response action for an alarm or vulnerability, it automatically applies the ServiceNow label to it. You can use this label as a filter so that a page displays data for only those items related to an AlienApp for ServiceNow response action.

To view ServiceNow action alarms or vulnerabilities

  1. Open the Alarms page or Vulnerabilities page.
  2. If the Search & Filters panel is not displayed, click the Filter icon () to expand it.

    USM Anywhere includes several filters displayed by default.

  3. Locate the Labels filter and select the ServiceNow label.

    Use the Labels filter to view items with the ServiceNow label

    If the Labels filter is not displayed, click the Configure Filters link at the bottom of the Search & Filters panel to configure filters for the page. (For more information about configuring filters for the page display, see Managing Filters.)

    In the displayed list, you can scroll the list to the right and view the LABELS column.

    Scroll the list to the right to view the Labels column