Playbook of the Week: ServiceNow Ticket Mirroring with Cortex XSOAR

Working across multiple platforms to handle your daily operations and services is anything but efficient. With the rise in major cybersecurity incidents, security teams need a quick and efficient incident response plan to mitigate any risks or delays. 

Incident response (IR) teams use ticketing systems as part of the communication process to create trackable reports for every incident. In a typical incident management scenario, once a case is opened, a documented response is followed, which includes instructions such as who to alert, what systems to review, what actions to take, and anything else that is a manual or automated effort. As the steps are performed, the case management system needs to be updated so that everything is tracked. 

This allows anybody who is involved in the case to know what has already occurred and what items are still outstanding. Often, as impacted assets are discovered, the IR team needs to list the details of the assets, such as the time and date the findings occurred, to help scope out the situation. Then, as new people are added to the ticketing process, they need to be updated and briefed on all the details of the case.

With Cortex XSOAR, managing your ticketing processes and IT operations is now easier than ever with our integration with ServiceNow. The ServiceNow IT Service Management (ITSM) content pack modernizes the way you manage and deliver services to your users. Cortex XSOAR interfaces with ServiceNow to help teams streamline security-related service management and IT operations. The data in ServiceNow tickets can be mirrored to Cortex XSOAR so you can track the status and information in the task. You can also provide comments or attachments in XSOAR which will appear in ServiceNow.


How the Cortex XSOAR ServiceNow Content Pack Works

The Cortex XSOAR ServiceNow content pack includes various playbooks to create ServiceNow tickets, incident mirroring to mirror data, and ticket state polling to track when the ticket closes. It allows you to view, create, update, or delete a ServiceNow ticket directly from Cortex XSOAR. It also enriches tickets with data and manages Security Incident Response (SIR) tickets.

The content pack also includes two out-of-the-box layouts for a more concise visualization of the ServiceNow ticket information within Cortex XSOAR. The layout can be added as a new tab to existing layouts on your screen, reducing the need to toggle between multiple interfaces.

Figure: Phishing Use Case - ServiceNow. A new ServiceNow ticket will be ingested in Cortex XSOAR via the Mirror ServiceNow Ticket Playbook.

The primary playbook within the content pack is the Mirroring Integration playbook, which allows you to mirror incidents, create new tickets, and manage cases directly from ServiceNow. When mirroring incidents, you can make changes in ServiceNow that will be reflected in Cortex XSOAR, or vice versa, allowing you to manage ServiceNow tickets in Cortex XSOAR. The content pack enables out-of-the-box incoming and outgoing mirroring and continuously syncs data between ServiceNow and Cortex XSOAR. This includes the ServiceNow database schema from the integration, so all of the available fields, comments, work notes, files and attachments in either system become available in the other.

Ticket state polling or field polling is another optional sub-playbook within the pack that will poll for the state (indicated in the ServiceNow State field of the ticket) once the ticket has been marked as resolved or closed, as seen below.

Figure: Playbook triggered, inputs/outputs. FieldPolling Sub-playbook within the ServiceNow Mirror ServiceNow Ticket Playbook.

For more information on the ServiceNow Content Pack, refer to the developer article here and here for a deeper understanding of the Mirror ServiceNow Ticket playbook.

Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC. 
