In order to enable stronger security processes without completely reconfiguring their IT infrastructure, ServiceNow users can escalate tickets to create incidents in D3 when the ticket requires investigation by the SOC team. D3 can ingest ticket information including the assignee, description, priority, and comments, which might include threat intelligence that was added in ServiceNow. ServiceNow has its own script-running platforms, which allow it to trigger actions via D3’s RESTful API.

In organizations where the IT team uses ServiceNow and the SOC team uses D3, D3 can send tickets to ServiceNow to assign IT-related security tasks. These might include blocking an IP, quarantining an endpoint, scheduling a patch, or scheduling a vulnerability scan. The D3 user can set the fields they wish to populate in the ServiceNow ticket, such as the ticket number, priority, IP address, endpoint info, and the assigned user or team. The integration is bidirectional, allowing ServiceNow users to update the incident in D3, such as resolving the incident when the ticket is closed.