AlienVault® USM Anywhere™

Managing Your ServiceNow Incidents

Role Availability Read-Only Analyst Manager

After the AlienApp for ServiceNow is configured and users execute the supported actions directly or through an orchestration rule, you can easily view a list of the ServiceNow incidents created by USM Anywhere and look at the events, alarms, and vulnerabilities related to the executed actions. (In USM Anywhere, you can execute an action from alarms, events, and vulnerabilities to run a scan, get forensic information, or execute a response for a configured AlienApp.)

Viewing ServiceNow Incidents Created by USM Anywhere

In USM Anywhere, you can view a list of incidents created by an action applied directly to an alarm, event, or vulnerability, as well as any from actions that were triggered by an orchestration rule. From the list, you can open the incident in your ServiceNow account to view additional information about the incident or make updates to the incident, such as assigning the item to a team member or changing the priority. Here, an alarm is a notification of an event or sequence of events that require attention or investigation; an event is any traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall; and a vulnerability is a known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security.

To access the ServiceNow incidents

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the AlienApps tab.

  3. On the AlienApps page, click the ServiceNow tile.

  4. Click the tab for the incident type that you want to display.

    The available incident types depend on the ServiceNow products that are active for the ServiceNow user account configured for the AlienApp.

    Select Service Desk Incidents to view incidents created in the IT Service Management product.

    If your account has the Security Incident Response product enabled, click the Security Incidents tab to view the security incidents created in that product.

    The displayed list includes all ServiceNow incidents generated by USM Anywhere, with the most recently opened items at the top. Here you can view the current status and assignment for the incident as reported by your ServiceNow instance.

  5. Click View to open the incident in the ServiceNow UI.

    In ServiceNow, you can assign the issue, change its status, or perform any of the functions supported for your account.

Filtering the Labeled Alarms and Vulnerabilities

USM Anywhere uses labels to classify alarms and vulnerabilities. You can filter items by label to locate them easily and track their status. When the AlienApp for ServiceNow executes a response action for an alarm or vulnerability, it automatically applies the ServiceNow label to it. You can use this label as a filter so that a page displays data for only those items related to an AlienApp for ServiceNow response action.

To view ServiceNow action alarms or vulnerabilities

  1. Open the Alarms page or Vulnerabilities page.
  2. If the Search & Filters panel is not displayed, click the icon to expand it.

    USM Anywhere includes several filters displayed by default.

  3. Locate the Labels filter and select ServiceNow.

    If the Labels filter is not displayed, click Configure Filters at the bottom of the Search & Filters panel to configure filters for the page. (See Managing Filters for more information about configuring filters for the page display.)

    In the displayed list, scroll to the right to view the Labels column.
