ServiceNow Security Operations supports expanded use cases with Agent Client Collector (ACC) capabilities that help security analysts gather endpoint data for investigation. The solution integrates ACC's osquery and Spoke capabilities with the Security Incident Response capability framework, so that analysts can query osquery tables (running processes, services, and 270+ other tables) and run commands on the affected endpoint directly from a security incident.
The Agent Client Collector core platform automates security operations center (SOC) tasks for gathering endpoint details and enriching security incident data. Analysts use this enrichment data in their investigations, and it supports follow-up actions such as isolating a system from the network and searching all endpoints to determine the scope of impact.
The following capabilities are available for this integration:
- Run OSQuery - Analysts can run an osquery query from a Security Incident record. Osquery exposes operating-system state (processes, sockets, users, services and more) as SQL tables, so one SELECT statement returns structured results from the endpoint.
- Run Commands - Analysts can run commands on the configuration item (CI) where the Agent Client Collector is installed. Because this executes commands on the endpoint, restrict the capability to the roles that genuinely need it.
- Get Processes - Gathers process data and relates it to the security incident.
- Get Running Services - Gathers service data and relates it to the security incident.
- Get Network Statistics - Gathers network statistics for the CI associated with the security incident.
- Get System Details - Gathers system details for the CI associated with the security incident.
- Get Logged On Users - Gathers data of logged on users and relates it to the security incident.
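The queries below are an added example of what the "Run OSQuery" capability lets an analyst ask an endpoint; they are not the app's own queries. They use the column names from osquery's published table schema (processes, users, hash, process_open_sockets, listening_ports, logged_in_users, system_info, os_version, services, systemd_units) and cover the same evidence the Get Processes, Get Running Services, Get Network Statistics, Get System Details and Get Logged On Users actions collect, but with joins that an analyst doing triage usually wants: the owning account and binary hash beside each process, the process name beside each socket. The filter values (loopback addresses, status strings) are assumptions chosen for illustration.

```sql
-- Get Processes: every process with its owner, parent and the SHA-256 of the
-- on-disk binary, so a renamed or unsigned binary can be spotted immediately.
-- The hash table needs a path constraint; the join on p.path supplies it.
SELECT p.pid, p.parent, p.name, p.path, p.cmdline, u.username, h.sha256
FROM processes AS p
LEFT JOIN users AS u ON u.uid = p.uid
LEFT JOIN hash  AS h ON h.path = p.path
WHERE p.path != ''
ORDER BY p.pid;

-- Get Network Statistics (outbound): established sockets with the owning
-- process, excluding loopback so only external peers are listed.
-- protocol is numeric in osquery: 6 = TCP, 17 = UDP.
SELECT p.pid, p.name, s.protocol, s.local_address, s.local_port,
       s.remote_address, s.remote_port, s.state
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
WHERE s.remote_port != 0
  AND s.remote_address NOT IN ('127.0.0.1', '::1')  -- assumed loopback filter
ORDER BY s.remote_address;

-- Get Network Statistics (inbound): listening ports with the process and binary
-- behind each one, which is where unexpected backdoors or shells show up.
SELECT lp.port, lp.protocol, lp.address, p.pid, p.name, p.path
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port != 0
ORDER BY lp.port;

-- Get Logged On Users: interactive and remote sessions with a readable
-- logon time (time is a unix epoch; datetime() is built into SQLite).
SELECT user, type, tty, host, datetime(time, 'unixepoch') AS logon_time, pid
FROM logged_in_users
ORDER BY time DESC;

-- Get System Details: hardware identity and OS version in one row, which is
-- what an analyst needs to confirm the CI matches the CMDB record.
SELECT si.hostname, si.computer_name, si.hardware_vendor, si.hardware_model,
       si.hardware_serial, si.cpu_brand, si.physical_memory,
       os.name AS os_name, os.version AS os_version, os.arch
FROM system_info AS si, os_version AS os;

-- Get Running Services on Windows: the services table lists each service
-- with its binary path and the account it runs as.
SELECT name, display_name, status, start_type, pid, path, user_account
FROM services
WHERE status = 'RUNNING'   -- assumed status string for a running service
ORDER BY name;

-- Get Running Services on a systemd Linux host: the equivalent data lives in
-- systemd_units rather than services.
SELECT id, description, active_state, sub_state, fragment_path
FROM systemd_units
WHERE active_state = 'active' AND sub_state = 'running'
ORDER BY id;
```

Run each statement separately; the Windows and Linux service queries are alternatives, not a pair, because osquery only exposes the table that exists on the target platform. The hash join makes the process query slower on hosts with many processes, since osquery hashes every distinct binary path it returns, so scope it with an extra WHERE clause (for example on p.name or u.username) when querying a busy server.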
- Fixed:
- Bug fixes
Required plugins, products, store apps
- sn_agent (scoped app)
- com.snc.discovery (Visibility/Discovery license)
- sn_acc_spoke (Agent Client Collector Spoke)
- com.snc.si_dep (The Security Incident Response Dependency plugin)
- com.snc.security_support.core (Security Support Core)
- sn_si:12.5.1 (Security Incident Response)
- sn_sec_cmn:12.5.1 (Security Support Common)
- sn_sec_cmn_orch:11.5.0 (Security Support Orchestration)
- sn_sec_int:12.2.1 (Security Integration Framework)
- sn_ti:12.0.7 (Threat Intelligence Support Common)