AlienApp for ServiceNow Actions

As USM Anywhere surfaces events, alarms, and vulnerabilities, your team determines which items require the opening of a new ServiceNow incident. Rather than manually opening each incident ticket in the ServiceNow user interface (UI), you can use the AlienApp for ServiceNow response actions to automatically create a ServiceNow ticket with the Short description and Description fields pre-populated with content from your USM Anywhere environment. The following table lists the available actions from the AlienApp.

Actions for AlienApp for ServiceNow
Action Description

Create New Incident from Alarm Alarms provide notification of an event or sequence of events that require attention or investigation.

Run this action to generate a new ServiceNow incident for an alarm

This action is available when you launch a response action directly for an existing alarm

Create New Incident from Vulnerability A known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security.

Run this action to generate a new ServiceNow incident for a vulnerability

This action is available only when you launch a response action directly for an existing vulnerability

Create New Incident from Event Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall.

Run this action to generate a new ServiceNow incident for an event

This action is available only when you launch a response action directly for an existing event

Create New Incident from Orchestration Rule

Run this action to generate a new ServiceNow incident for future events that match your criteria

This action is available only when you launch a response action in an orchestration rule

Create a change request Run this action from an alarm or investigation to generate a change request in ServiceNow
Update Alarm Status Run this action to update the status of an alarm
Pull Events Run this action to pull events from ServiceNow

Upon execution of a response action, USM Anywhere generates the ServiceNow incident and passes the associated information to that new incident ticket.

Note: Before launching a ServiceNow response action or creating a ServiceNow response action rule, the AlienApp for ServiceNow must be enabled and connected to your ServiceNow instance. See Configuring the AlienApp for ServiceNow for more information.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

You can launch an action directly from alarms, events, or vulnerabilities. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an alarm, event, or vulnerability.