2021-03-11 06:21 AM
Hello Team,
This enhancement request is for creating specific incidents in Service Now after integrating RSA Netwitness with the Service Now tool. Please incorporate this in the next release for ease of use.
We don’t want each and every incident to be replicated to Service Now as and when they are triggered in RSA Netwitness.
Post analysis, only an incident that the analyst finds to be a True Positive requiring remediation should be created in Service Now, simply by right-clicking on that specific incident and clicking “Create Service Now” incident.
Steps should be simple like:
1). Go to Respond --> Incidents tab
2). Choose the Incident ID which we want to send to Service Now --> Right click on the incident ID
3). Click an option, something like "Create Service Now" incident, and an automatic incident can be created in Service Now with the relevant fields populated.
Thanks and Regards
Kushagra Sharma
2021-03-21 09:01 AM
So we do this with SOAR, so assuming the API for ServiceNow works in a similar phase. RSA offers two ways to collect incidents from the API: one is date range, one is specific to the incident number. If I were building your use case, I would use the alerts feature for reporting and incident management. I would use the incidents tab for escalation management; therefore you can pull by date range via the API, and that will help avoid missing any critical escalations... We do it in a similar way with SOAR. In the SOAR you can also tag based on concentrator and then drop based on this data as well, or hide, etc. I don't use ServiceNow, but the RSA API is robust yet limited to specifics with the pulls of the incidents.