ReversingLabs integration with ServiceNow Security Incident Response streamlines and accelerates threat investigation workflows. Through this integration, ReversingLabs performs automatic enrichment of observables — file hashes, URLs, domains, and IP addresses. Each enriched observable is tagged with critical context such as the ReversingLabs verdict (malicious, suspicious, known, or unknown) and the associated threat name, enabling analysts to quickly prioritize and triage incidents without pivoting to external tools. Analysis results are also added as a note to each observable. Additionally, the integration supports automated analysis of suspicious files uploaded through ServiceNow's Upload Secure File Attachments feature, allowing files attached to security incidents to be submitted to ReversingLabs for deep inspection. This combination of real-time enrichment and file analysis ensures that security teams have high-fidelity, actionable intelligence embedded directly in their incident response workflow.
Bring ReversingLabs Threat Intelligence Into Your SOC Workflow
Security analysts working security incidents in ServiceNow SIR often encounter observables — file hashes, domains, IP addresses, URLs — with no context. Manually querying external threat intelligence platforms is time-consuming and breaks analyst flow.
The ReversingLabs SIR Integration closes that gap. It automatically enriches observables with threat intelligence from ReversingLabs Spectra Analyze the moment they are created, giving analysts immediate context without leaving ServiceNow.
Automatic Enrichment
Observables are enriched automatically on creation via a background business rule. No analyst action is required.
5 Observable Types Supported
- File hashes (MD5, SHA-1, SHA-256)
- Domains
- IP addresses (IPv4 and IPv6)
- URLs
- Binary files (with optional upload mode)
File Upload & Deep Analysis (optional)
Enable binary file upload to submit unknown files directly to ReversingLabs Spectra Analyze for deep malware analysis. Supports files up to 100 MB with asynchronous processing and automatic status polling.
Observable Cascade
Domain enrichment automatically creates child IP and subdomain observables from DNS records, building a complete picture of an indicator’s infrastructure.
Complete Audit Trail
All enrichment activity is logged to a dedicated integration logs table, with full queue lifecycle tracking for file upload jobs.
Zero Code Configuration
All settings are configured via ServiceNow system properties. API key, URL, and feature flags are all property-driven.
About ReversingLabs
ReversingLabs provides enterprise-scale threat intelligence and file analysis. The Spectra Analyze platform delivers malware detection, software composition analysis, and threat hunting capabilities trusted by security teams worldwide.
Support Information
Support URL: https://support.reversinglabs.com
- ServiceNow Zurich or later (Orlando+ supported)
- Security Incident Response (SIR) plugin active
- ReversingLabs Spectra Analyze subscription with API access
- Outbound HTTPS access to your ReversingLabs instance
- Analysts/Users must have the sn_si.user role to access the SIR Workspace.
- Admins must have the sn_si.admin or admin role to configure the integration.
See INSTALLATION_GUIDE.docx to configure and start services after install.