The Google Threat Intel & SIR Integration for ServiceNow brings alert ingestion, security incident automation, and observable enrichment into a single, unified workflow. It enables security teams to ingest high-fidelity DTM (Detection & Threat Management) and ASM (Attack Surface Management) alerts from Google Threat Intelligence (GTI)—which blends Mandiant's frontline insights, VirusTotal's vast malware data, and broader Google visibility—and automatically create Security Incidents in ServiceNow for streamlined triage.
The integration also supports scheduled fetching of Indicators of Compromise (IoCs) from GTI, which are created as observables within ServiceNow. Analysts can enrich these observables with unparalleled context, perform threat lookups, and submit files for sandbox analysis without switching platforms. Additionally, security incident state updates in ServiceNow automatically sync back to the GTI platform for full lifecycle management.
This app reduces manual investigation, provides unparalleled visibility across threat data, and enables faster detection-to-resolution workflows—ideal for SOC teams, threat intel analysts, and incident responders seeking an actionable, intelligence-led defense.
- Ingest filtered DTM and ASM alerts from GTI into ServiceNow
- Create custom table records for each DTM/ASM alert
- Automatically generate Security Incidents and link them to the respective custom DTM/ASM records
- Scheduled fetching of IoC streams and automatic creation of observables
- Run threat lookups, enrichment, and sandbox submissions directly in ServiceNow
- Sync incident state changes back to GTI for lifecycle alignment
Brand-new integration that ingests filtered DTM and ASM alerts from Google Threat Intelligence into ServiceNow by creating records in a custom table and attaching them to ServiceNow Security Incidents. IoCs are fetched on a schedule and created as observables in ServiceNow, enabling enrichment, threat lookups, and sandbox submission. Security Incident status updates are synced back to GTI for complete incident lifecycle tracking.
All the dependency plugins should be installed.