Creating ServiceNow Response Action Rules

Role Availability: Read-Only | Investigator | Analyst | Manager

You can create orchestration rules in USM Anywhere that automatically trigger a ServiceNow response action when events, alarms, or vulnerabilities match the criteria that you specify. For example, you might create a rule where USM Anywhere automatically creates a new ServiceNow incident when malware is detected so that a member of your response team can manage and address the issue.

Note: Before creating a ServiceNow response action rule, the BlueApp for ServiceNow must be enabled and connected to your ServiceNow instance. See Configuring the BlueApp for ServiceNow for more information.

After you create a rule, new events, alarms, or vulnerabilities that match the rule conditions will trigger the ServiceNow response action to create a new incident. The rule does not trigger for existing events, alarms, or vulnerabilities.

You can create a new rule in the following way:

  • From the Rules page: The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See Orchestration Rules for more information about managing orchestration rules.

    In the left navigation menu, go to Settings > Rules > Orchestration Rules. Then click Create Orchestration Rule > Response Action Rule to define the new rule.

    Create a new response action rule

To define a new ServiceNow response based on orchestration

  1. Enter a name for the rule.

  2. Select ServiceNow for Action Type and Create a new incident for App Action.

  3. Set Service Desk as the Incident Type.

    Create a new response action rule.

    USM Anywhere uses the title of the alarm, event, or vulnerability that triggers the rule to populate the short description of the incident.

    For a description of the incident, you can decide which fields to use by selecting the checkboxes as follows:

    • Include Fields: Select the checkboxes to include any of the information fields in your incident.
    • Alarms: Select the checkboxes to include any of these fields from an Alarm in your incident.
    • Events: Select the checkboxes to include any of these fields from an Event in your incident.
    • Vulnerabilities: Select the checkboxes to include any of these fields from a Vulnerability in your incident.
    • Additional Comments: Enter any additional information that you want to include in the notes field of the ServiceNow incident.

    Note: The checkboxes are determined by those you selected on the Data Sources > Integrations > ServiceNow > Settings page when configuring the BlueApp.

    Additionally, you can further define the ServiceNow incident parameters that are populated by using the Urgency, Impact, and Category drop-down fields.

    You can use the Assign To field to automatically assign all resulting incidents to a specific user. Use the drop-down list to select the correct user.

  4. (Optional.) Set the appropriate mapping template using the Template drop-down list.

    Note: The templates available to you are determined by your app's configurations under Mapping Templates. See Configure ServiceNow Fields to Map to Equivalent USM Anywhere Fields for more information about using and configuring these templates.

  5. At the bottom of the dialog box, set the rule condition parameters to specify the criteria for a matching alarm or event to trigger the rule.

    Set the matching conditions for triggering the rule

    • This section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
    • If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
    • At the bottom of the dialog box, click More to display the optional multiple occurrence and window-length parameters.

  6. Click Save Rule.

  7. In the confirmation dialog box, click OK.
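As an added illustration (not USM Anywhere's or ServiceNow's own code), the following Python models how a saved rule behaves: the property/value conditions must all match, the item's title becomes the incident's short description, the selected fields form the description, and the multiple-occurrence and window-length parameters decide when an incident is opened. The sample alarm fields, the rule settings, and the use of the ServiceNow incident field names are assumptions.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class Rule:
    conditions: dict          # property/value pairs; all must match (one AND group)
    include_fields: tuple     # item fields copied into the incident description
    urgency: str = "3"        # ServiceNow urgency/impact: 1 = High, 2 = Medium, 3 = Low
    impact: str = "3"
    category: str = ""
    assigned_to: str = ""     # "Assign To" user
    comments: str = ""        # "Additional Comments" text
    occurrences: int = 1      # "multiple occurrence" parameter
    window_seconds: int = 0   # "window length" parameter; 0 means no window

def matches(rule, item):
    return all(item.get(prop) == value for prop, value in rule.conditions.items())

def build_incident(rule, item):
    # The item's title becomes short_description; the selected fields form description.
    description = "\n".join(f"{f}: {item.get(f, '')}" for f in rule.include_fields)
    return {"short_description": item["title"], "description": description,
            "urgency": rule.urgency, "impact": rule.impact, "category": rule.category,
            "assigned_to": rule.assigned_to, "comments": rule.comments}

def run_rule(rule, items):
    """Return the incidents the rule would open for a stream of new items."""
    hits, incidents = deque(), []
    for item in items:
        if not matches(rule, item):
            continue
        hits.append(item["timestamp"])
        # Forget earlier matches that fall outside the occurrence window.
        while rule.window_seconds and item["timestamp"] - hits[0] > rule.window_seconds:
            hits.popleft()
        if len(hits) >= rule.occurrences:
            incidents.append(build_incident(rule, item))
            hits.clear()  # start a fresh count for the next incident
    return incidents

# Constructed sample alarms; the field names are assumptions, not USM Anywhere's schema.
SAMPLE_ALARMS = [{"timestamp": 0, "title": "Malware Infection", "intent": "Exploitation & Installation", "source": "10.0.0.5"},
                 {"timestamp": 30, "title": "Port Scan", "intent": "Reconnaissance", "source": "10.0.0.9"},
                 {"timestamp": 60, "title": "Malware Infection", "intent": "Exploitation & Installation", "source": "10.0.0.5"},
                 {"timestamp": 400, "title": "Malware Infection", "intent": "Exploitation & Installation", "source": "10.0.0.7"}]

# Constructed rule: open one incident once two malware alarms arrive within two minutes.
MALWARE_RULE = Rule(conditions={"intent": "Exploitation & Installation"}, include_fields=("intent", "source"),
                    urgency="1", impact="2", assigned_to="soc.oncall",
                    comments="Opened automatically by USM Anywhere", occurrences=2, window_seconds=120)
```

Running `run_rule(MALWARE_RULE, SAMPLE_ALARMS)` yields a single incident for the two alarms at 0 s and 60 s; the alarm at 400 s starts a new count and opens nothing on its own.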