AlienApp for ServiceNow Actions

As USM Anywhere surfaces events, alarms, and vulnerabilities, your team determines which items require the opening of a new ServiceNow incident. Rather than manually opening each incident ticket in the ServiceNow user interface (UI), you can use the AlienApp for ServiceNow response actions to automatically create a ServiceNow ticket with the Short description and Description fields pre-populated with content from your USM Anywhere environment. The following table lists the available actions from the AlienApp.

Actions for AlienApp for ServiceNow
Action Function

Create a new incident from an alarm Alarms provide notification of an event or sequence of events that require attention or investigation.

Run this action to generate a new ServiceNow incident for an alarm.

This action is available when you launch a response action directly for an existing alarm.

Create a new incident from a vulnerability A known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security.

Run this action to generate a new ServiceNow incident for a vulnerability.

This action is available only when you launch a response action directly for an existing vulnerability.

Create a new incident from an event Any traffic or data exchange detected by AT&T Cybersecurity products through a sensor or external devices such as a firewall.

Run this action to generate a new ServiceNow incident for an event.

This action is available only when you launch a response action directly for an existing event.

Create a new incident from event based orchestration rule

Run this action to generate a new ServiceNow incident for future events that match your criteria.

This action is available only when you launch a response action in an orchestration rule.

Create a change request Run this action from an alarm or investigation to generate a change request in ServiceNow.

Upon execution of a response action, USM Anywhere generates the ServiceNow incident and passes the associated information to that new incident ticket.

Note: Before launching a ServiceNow response action or creating a ServiceNow response action rule, the AlienApp for ServiceNow must be enabled and connected to your ServiceNow instance. See Configuring the AlienApp for ServiceNow for more information.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

You can launch an action directly from alarms, events, or vulnerabilities. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an alarm, event, or vulnerability.

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.

  3. Click Select Action.

    Click Select Action in the vulnerability details

  4. In the Select Action dialog box, select the ServiceNow tile.

    Select the ServiceNow response action

    This displays the options for the selected response app. The App Action is set automatically according to the item type.

  5. (Optional.) If you have more than one USM Anywhere Sensor configured for the AlienApp for ServiceNow, use the Select Sensor option to set the sensor that you want to use for the action.

  6. Set Service Desk as the Incident Type.

    Set options to create a new ServiceNow incident

  7. (Optional.) Modify the description information for the new incident.

    The AlienApp populates these fields automatically from information in the alarm, event, or vulnerability; however, you can add your own static text in these fields if needed:

    • Short Description: This field contains the subject for the new incident. By default, the AlienApp populates the name of the alarm, event, or vulnerability.

    • Description: This field contains information used to respond to the incident. By default, the AlienApp populates the information according to the item type and provides the source and destination. You might choose to include additional comments here, such as suggestions for the incident response handling.

    Additionally, you can further define the ServiceNow incident parameters that are populated using the Urgency, Impact, and Category drop-down fields. You can use the Assign To field to automatically assign all resulting incidents to a specific user.

    Set the description options for the new ServiceNow incident

  8. Click Run.