The ServiceNow Action Bundle for ThreatQuotient enables a user to create and sync tickets and observables in ServiceNow.  For each indicator, an observable will be created in ServiceNow that will be linked to the newly created ticket.   ThreatQ objects that are not mapped as indicators will be created in ServiceNow and associated attributes mapped to items in ServiceNow.

The integration provides the following action:

• ServiceNow - Create Ticket - creates tickets and observables in ServiceNow based on ThreatQ indicators and objects.
• ServiceNow - Sync Ticket - receives a collection of ThreatQ Incidents or Events to either sync or create tickets in ServiceNow. 
• ServiceNow - Sync Observables - receives a collection of ThreatQ Indicators and creates ServiceNow observables or updates existing ones.

The action is compatible with the following system object types:

• Adversaries
• Assets
• Attack Patterns
• Campaigns
• Course of Actions
• Exploits
• Targets
• Identities
• Indicators
• Intrusion Sets
• Malware
• Reports
• Tools
• TTPs
• Vulnerabilities

The action returns the following enriched object types:

• Adversaries
  • Adversary Attributes
• Assets
  • Asset Attributes
• Attack Patterns
  • Attack Pattern Attributes
• Campaigns
  • Campaign Attributes
• Course of Actions
  • Course of Action Attributes
• Exploit Targets
  • Exploit Target Attributes
• Events
  • Event Attributes
• Identities
  • Identity Attributes
• Incidents
  • Incident Attributes
• Indicators
  • Indicator Attributes
• Intrusion Sets
  • Intrusion Set Attributes
• Malware
  • Malware Attributes
• Reports
  • Report Attributes
• Tools
  • Tool Attributes
• TTPs
  • TTP Attributes
• Vulnerabilities
  • Vulnerability Attributes

Note:  The actions in this bundle are intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.