BlueApp for ServiceNow Actions

As USM Anywhere surfaces events, alarms, and vulnerabilities, your team determines which items require the opening of a new ServiceNow incident. Rather than manually opening each incident ticket in the ServiceNow user interface (UI), you can use the BlueApp for ServiceNow response actions to automatically create a ServiceNow ticket with the Short description and Description fields pre-populated with content from your USM Anywhere environment. The following table lists the available actions from the BlueApp.

Actions for BlueApp for ServiceNow
Action Description

Create New Incident from Alarm Alarms provide notification of an event or sequence of events that require attention or investigation.

Run this action to generate a new ServiceNow incident for an alarm

This action is available when you launch a response action directly for an existing alarm

Create New Incident from Vulnerability A known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security.

Run this action to generate a new ServiceNow incident for a vulnerability

This action is available only when you launch a response action directly for an existing vulnerability

Create New Incident from Event Any traffic or data exchange detected by LevelBlue products through a sensor or external devices such as a firewall.

Run this action to generate a new ServiceNow incident for an event

This action is available only when you launch a response action directly for an existing event

Create New Incident from Orchestration Rule

Run this action to generate a new ServiceNow incident for future events that match your criteria

This action is available only when you launch a response action in an orchestration rule
Create a change request Run this action from an alarm or investigation to generate a change request in ServiceNow
Update Alarm Status Run this action to update the status of an alarm
Pull Events Run this action to pull events from ServiceNow

Upon execution of a response action, USM Anywhere generates the ServiceNow incident and passes the associated information to that new incident ticket.

Note: Before launching a ServiceNow response action or creating a ServiceNow response action rule, the BlueApp for ServiceNow must be enabled and connected to your ServiceNow instance. See Configuring the BlueApp for ServiceNow for more information.

To view information about these actions in USM Anywhere

  1. In USM Anywhere, go to Data Sources > BlueApps.
  2. Click the Available Apps tab.
  3. Search for the BlueApp, and then click the tile.
  4. Click the Actions tab to display information for the supported actions.
  5. Click the History tab to display information about the executed orchestration actions.

Launch Actions from USM Anywhere

You can launch an action directly from alarms, events, or vulnerabilities. If you want to apply an action to similar events that occur in the future, you can also create orchestration rules directly from the action applied to an alarm, event, or vulnerability.

  1. Go to Activity > Alarms, Activity > Events, or Environment > Vulnerabilities.
  2. Click the alarm, event, or vulnerability to open the details.

  3. Click Select Action.

    Click Select Action in the vulnerability details

  4. In the Select Action dialog box, select the ServiceNow tile.

    Select the ServiceNow response action

    This displays the options for the selected response app. The App Action is set automatically according to the item type.

  5. (Optional.) If you have more than one USM Anywhere Sensor configured for the BlueApp for ServiceNow, use the Select Sensor option to set the sensor that you want to use for the action.

  6. Set Service Desk as the Incident Type.

    Set options to create a new ServiceNow incident

  7. (Optional.) Modify the description information for the new incident.

    The BlueApp populates these fields automatically from information in the alarm, event, or vulnerability; however, you can add your own static text in these fields if needed:

    • Short Description: This field contains the subject for the new incident. By default, the BlueApp populates the name of the alarm, event, or vulnerability.

    • Description: This field contains information used to respond to the incident. By default, the BlueApp populates the information according to the item type and provides the source and destination. You might choose to include additional comments here, such as suggestions for the incident response handling.

    Additionally, you can further define the ServiceNow incident parameters that are populated using the Urgency, Impact, and Category drop-down fields. You can use the Assign To field to automatically assign all resulting incidents to a specific user.

    Set the description options for the new ServiceNow incident

  8. Click Run.