Summary
This chapter showed you how to create an integration with a solution – in our example, ServiceNow – to provide a single place to process security incidents, regardless of which alert source the security incident started from or who needs to work on it. There are countless ways to achieve this outcome; this chapter covered only one of the more common approaches.
Be creative, and focus on simplicity and on reducing licensing costs. For example, if Sentinel does not provide correlation for alerts coming from a particular alert source because that source already has very high fidelity, consider ingesting those alerts directly into ServiceNow and bypassing Sentinel, which saves on licensing costs and reduces complexity in your architecture.
We also only scratched the surface of what can be done with a security incident once it is automatically created in ServiceNow Security Incident Response. ServiceNow is not just a workflow and case management solution with fancy forms and dashboards...