That is what we have discovered a couple of weeks into the live implementation at the retail-based customer I wrote about last week. Linking EM and SecOps makes it possible to roll up multiple Events and Alerts into a single Security Incident, and that saves precious threat responder time.
In our initial design, we were not convinced that it was best to connect Event Management and Security Operations. As we progressed, it became clear that our customer’s process flow fit very well with how the combined functionality works. In this case Events create Alerts, and those Alerts are then rolled up into Security Incidents. There are some limitations on which SecOps integrations can write to the Event or Alert tables, and so many customers have not taken advantage of the feature. I believe this may be the first customer using this specific SIEM integration to create Alerts rather than Security Incidents.
The SIEM integration is working well for both the Event and Security Incident tables. What’s more, writing an Event, not a Security Incident, from a SIEM seems like a better process now that we’re seeing data flow live. Here’s an example. In the first full go-live week we experienced a storm of events all targeted at the same IP with the same attack type. This generated dozens of Events. ServiceNow’s grouping logic recognized those as related and created only a single Alert. From there the customer was able to create just a single Security Incident to assign, work and resolve. Had they not been able to take advantage of the integrated EM functionality, they would have ended up with dozens of Security Incidents.
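As an added illustration (not ServiceNow’s own grouping logic, which is configured per instance), here is a Python sketch of the roll-up described above: raw SIEM events that share a target IP and attack type within a time window collapse into one Alert, and each Alert becomes one Security Incident for a responder to work. The event fields, the one-hour window and the sample events are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

@dataclass
class Alert:
    target_ip: str
    attack_type: str
    first_seen: datetime
    last_seen: datetime
    event_ids: List[str] = field(default_factory=list)

def group_events(events: List[dict], window: timedelta = timedelta(hours=1)) -> List[Alert]:
    """Fold raw SIEM events into Alerts keyed on (target_ip, attack_type).
    An event joins the open alert for its key if it arrives within `window`
    of that alert's last event; otherwise a new alert is opened."""
    alerts: List[Alert] = []
    open_alerts: Dict[Tuple[str, str], Alert] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["target_ip"], ev["attack_type"])
        alert = open_alerts.get(key)
        if alert is None or ev["time"] - alert.last_seen > window:
            alert = Alert(ev["target_ip"], ev["attack_type"], ev["time"], ev["time"])
            alerts.append(alert)
            open_alerts[key] = alert
        alert.last_seen = ev["time"]
        alert.event_ids.append(ev["id"])
    return alerts

def incidents_from_alerts(alerts: List[Alert]) -> List[dict]:
    """One Security Incident per Alert, carrying the evidence count for the responder."""
    return [{"title": f"{a.attack_type} against {a.target_ip}", "event_count": len(a.event_ids),
             "first_seen": a.first_seen, "last_seen": a.last_seen} for a in alerts]

# Constructed sample (assumed data): a burst of 30 look-alike events against one host,
# two events of another type against a second host, and one late straggler 3 hours on.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = (
    [{"id": f"E{i}", "time": T0 + timedelta(seconds=20 * i),
      "target_ip": "10.0.0.25", "attack_type": "SQL injection"} for i in range(30)]
    + [{"id": "E30", "time": T0 + timedelta(minutes=5), "target_ip": "10.0.0.40", "attack_type": "Brute force"},
       {"id": "E31", "time": T0 + timedelta(minutes=6), "target_ip": "10.0.0.40", "attack_type": "Brute force"},
       {"id": "E32", "time": T0 + timedelta(hours=3), "target_ip": "10.0.0.25", "attack_type": "SQL injection"}]
)

if __name__ == "__main__":
    alerts = group_events(SAMPLE_EVENTS)
    incidents = incidents_from_alerts(alerts)
    print(f"{len(SAMPLE_EVENTS)} events -> {len(alerts)} alerts -> {len(incidents)} incidents")
```

Without the roll-up the same burst would have produced one ticket per event; with it the responder works three incidents, the first of which already carries all 30 related events as evidence.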