CrowdStrike Falcon® Offers Plug-and-Play Integration with ServiceNow

February 14, 2018

| Evan Burns | Endpoint Security & XDR

Since the inception of the CrowdStrike Falcon® platform, an API-first approach has always been a key strategy for providing customers with a robust solution that can easily integrate into any existing technology ecosystem. In addition to leveraging APIs directly, a number of native integrations have been made available to joint customers. These plug-and-play integrations allow for immediate value, without the investment of time and resources for development and maintenance. Today, CrowdStrike® is pleased to announce the release of two new integration apps available on the ServiceNow store. ServiceNow is a leading provider of IT Service Management solutions and offers a wide variety of products that many CrowdStrike Falcon® customers use. The two integrations allow for consumption of security alerts from the CrowdStrike Falcon® platform into ServiceNow. Customers only using the ServiceNow ITSM Incident Management module, will simply need to install the “CrowdStrike Falcon® Endpoint” app available on the ServiceNow store site. For customers that are leveraging the added functionality of ServiceNow’s Security Operations module, installing the extension app “CrowdStrike Falcon® Endpoint For Security Operations” in addition to the base app, will allow for the

creation of ServiceNow security incidents as well. If you’re a user of the Security Operations module, there are also two additional plugins made available directly within ServiceNow that provide valuable integration with CrowdStrike.

CrowdStrike Falcon® Intelligence integration — This plugin provides enrichment data for security incidents and associated observables and also allows for intelligence lookup workflows.
CrowdStrike Falcon® Host Integration — This plugin allows you to add observables from a security incident into a watchlist. It uploads the IOCs in question to the Falcon platform for ongoing monitoring and if any activity is identified related to these indicators, a new alert is triggered.

The ServiceNow platform provides a myriad of functionality that supports incident management best practices. By integrating Falcon security alerts into this workflow, customers can benefit from these tools to improve their overall response process.

Today’s security teams frequently need more context in order to perform an accurate risk assessment and understand the business impact of a cyberattack. There is a confluence of factors involved, however, and a critical step in the process is identifying the relevance of the impacted asset. What business services and applications are impacted? What environment does the server operate in? Does it host any sensitive data? The answers to these types of questions are most commonly found in configuration management databases (CMDB), with ServiceNow being the leader in this space. Joint customers can now consume Falcon alerts into the ServiceNow platform and immediately gain this crucial context, allowing for a timely and holistic assessment of any endpoint security threat. This integration provides CrowdStrike customers with the following benefits:

Centralized workflow and tracking of security incidents
Increased context provided by correlation with attributes from CMDB and other open incident records
Improved capabilities for incident prioritization and notification.

To get started, head over to the ServiceNow Store. After installing these applications, you can enter your API credentials to start consuming data from the Falcon platform immediately.

For additional details on using these integrations, check out the demo video on the CrowdStrike YouTube channel. Learn more about the CrowdStrike Falcon® next-gen endpoint protection platform.