ServiceNow - Legacy
Purpose
This document provides setup information for the ServiceNow integration.
Introduction
ServiceNow is a cloud service that can handle many different needs within a company. Some of its features are:
- Ticket system
- CMDB
- Discovery server
- Security management
When ServiceNow is enabled, it will be visible as a ticket system in Assign Task and Event Notifications. It also adds an option for importing targets from ServiceNow and activating events and tools for adding tickets. If you disable ServiceNow, the targets will no longer update or scan via ServiceNow until you enable it again.
Ticket system
A ServiceNow ticket created for a finding is added as an Incident with target and script information, and the solution to the finding is added as a Problem. Synchronization between ServiceNow and OUTSCAN/HIAB is periodic, which may cause some delay in updates. With the ticket system, we recommend using old scans to add the tickets you want to start with, and then adding the events you want for future scans.
Terminology
Outpost24 and ServiceNow describe events differently.
Outpost24 Term | ServiceNow Term | Description |
---|---|---|
Asset | - | Assets in Outpost24 are unique hosts found during the discovery stage or added automatically while creating a configuration. Assets are uniquely defined based on their IP or hostname. |
Target | Asset | Targets in Outpost24 are the assets (as in Outpost24 assets) that can be managed in the system, usually a web site, web application, server, or network device that you would like to scan for security vulnerabilities. In ServiceNow it is called Asset not to be confused with Outpost24 assets. |
Finding | Incident | Findings are the potential risks and recommended reconfiguration suggestions found during automatic and manual assessments of the target asset. Outpost24 findings are called Incident in ServiceNow. Every ServiceNow Incident is connected to a ServiceNow Problem. |
Solution and Solution Product | Problem | The ServiceNow Problem is a combination of solution and solution product in Outpost24. This is not per target. |
Set Up ServiceNow
Prerequisites
Note
The ServiceNow account used for the integration needs to have "Can create" and "Allow access to this table via web services" selected for the Incident and Problem tables in order for the integration to succeed.
OAuth
The ServiceNow service requires an external OAuth Setup to be configured.
To configure OAuth Setup:
- Log in to ServiceNow using your credentials.
- Go to System OAuth > Application Registry in the ServiceNow service.
- Click New.
- On the interceptor page, click Create an OAuth API endpoint for external clients.
- Fill in the fields.
- Click Submit.
When completed, fill in the Client ID and Client secret (if used) in the Integrations window.
- Go to Main Menu > Settings > Integrations.
- Select the ServiceNow tab.
Follow the below procedure to enable ServiceNow:
Option | Description |
---|---|
Enabled | Click on this field to enable ServiceNow. |
URI | Provide the URI of the ServiceNow server (only the https protocol is supported). URI is the hostname. |
Username | Provide the username to authenticate against the ServiceNow server. Username/Password are the credentials for the user in the ServiceNow tool. |
Password | Provide the password to authenticate against the ServiceNow server. |
Client ID (If used) | Provide your client ID, which is generated using the OAuth module. |
Client Secret (If used) | Provide your client password. |
Add finding solution as problem | Click on this field to view the finding solutions under Problems in ServiceNow. |
Certificate | Upload the SSL certificate of your ServiceNow instance. The certificate is the SSL (HTTP/HTTPS) certificate, which can be accessed from the browser. |
Certificate uploaded | Displays Yes if a certificate has been uploaded and No if there is no certificate available. |
App integration enabled (If used) | Click on this field to enable ServiceNow app integration. |
App granted IP range(s) (If used) | Add an IP range to restrict the access. |
Save | Click on this button to save your current settings. |
Creating Tickets in ServiceNow
ServiceNow tickets can be created via events or Assign Task in Reporting Tools. When a ticket is created, the combination target + script id is added as an Incident. This means that a finding in Outpost24 is an Incident in ServiceNow, but using the combination means that there will be no duplicates for ports etc. Every Incident is connected to a Problem. The Problem is a combination of solution and solution product in Outpost24 terms and is not per target.
As a result, ServiceNow will have a Problem (what needs to be solved), for example Update Windows, and Incidents (what has triggered the Problem) per target. Information about the target can be found in the Incident. If the target had a saved sysid (SN connection), the corresponding asset (what a target is called in SN) will be linked as the configuration item.
After enabling ServiceNow, use any of the following ways to create a ticket in OUTSCAN/HIAB.
Method 1
- Go to Main Menu > Netsec > Reporting Tools > Findings.
- Right click on any finding, select Assign task.
- Select ServiceNow in the ticket system drop-down menu.
- Click Save to create a ticket.
Method 2:
- Go to PCI scanning > Reports.
- Right click on a finding, select Assign task.
- Select ServiceNow in the ticket system drop-down menu.
- Click Save to create a ticket.
Method 3:
- Go to Event Notifications.
- Click +New.
- Select ServiceNow in the Action drop-down menu.
Note
This action is only available for Information, Low-Risk, Medium-Risk, and High-Risk findings.
- Click Save to create tickets whenever a report is created with findings of the type of the event.
API Calls
Outpost24 uses the REST API with credentials, which means that the user must have access to the System Web Services application menu and the REST modules.
API calls are kept to a minimum, but when creating tickets it must first be verified that the ticket does not already exist before it is created, both for Problems and Incidents. This can create a high workload when creating many tickets.
It takes an average of 3 seconds per ticket, and a big load can take hours to handle. Since this is done in a queue that activates every 10 minutes, it will take at least a couple of minutes before tickets start showing up, and in bad cases up to an hour or so on OUTSCAN, because other customers' tickets are in the same queue. It is therefore recommended to import targets all in one go, which keeps calls to a minimum.
Importing Targets from ServiceNow CMDB
If ServiceNow integration is enabled there is an option to import new targets from the ServiceNow CMDB.
- Open the Main Menu > Netsec > Manage Targets.
- Click + New to open Add New Targets.
- Click the Import From Service Now button to display the Import From Service Now form.
- Enter the name of the table in ServiceNow you wish to import from. The table field is the only one that is required.
The Tag, Asset Tag, and Query fields can be used to filter out specific targets from ServiceNow. For example, if you write "test" in the tag field, it will only import targets from ServiceNow that have the tag "test". Leaving Tag, Asset Tag, and Query blank will import all the targets in the ServiceNow table you entered.
- Click Import to receive the targets from ServiceNow. The targets will be displayed in the target list in Manage Targets.
Exporting Tickets to ServiceNow
When importing targets from ServiceNow, the sysid, which is the id the target has in ServiceNow, is saved. Later, when an Incident or Problem is created, the target sysid is used to connect to the target id in the ServiceNow CMDB to update information.
Incident
In ServiceNow a finding is called an Incident. When a scan encounters a finding, it creates a ticket that ends up in Incident > Open.
Option | Description |
---|---|
short_description | Asset Name or ip/hostname : scriptid |
Configuration Item | Asset if it was an active SN imported asset |
Impact + Urgency + Priority | Priority on finding |
Comments | Finding information |
Problem | Connected Solution |
Correlation ID | ID in our database |
Correlation Display | 'outpost24_integration', our mark |
Problem
Every Incident is connected to a Problem, which is a combination of a solution and solution product within Outpost24. As a result, there will be a Problem (what needs to be solved), for example Update Windows, and Incidents (what has triggered the Problem), for example 192.168.2.11:101010.
Option | Description |
---|---|
short_description | Solution : Solution product |
Priority | Priority on finding |
Comments | Solution information |
Correlation ID | ID in our database |
Correlation Display | 'outpost24_integration', our mark |
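The check-then-create behaviour described under API Calls, combined with the Incident and Problem field tables above, can be modelled as follows. This is an added example, not Outpost24 code: `FakeTable`, `ensure`, `export_findings`, the `|`-joined Correlation ID format and the sample findings are assumptions made for illustration, and the tables are in-memory stand-ins rather than real ServiceNow calls.

```python
# Added illustration: in-memory model of the check-then-create flow (no network).
from dataclasses import dataclass, field

MARK = "outpost24_integration"  # Correlation Display value from the field tables

@dataclass
class FakeTable:
    """Constructed stand-in for one ServiceNow table, keyed on Correlation ID."""
    rows: dict = field(default_factory=dict)
    calls: int = 0

    def find(self, correlation_id):
        self.calls += 1  # one lookup call
        return self.rows.get(correlation_id)
    def create(self, record):
        self.calls += 1  # one create call
        self.rows[record["correlation_id"]] = record
        return record

def ensure(table, record):
    """Verify that the ticket does not already exist, then create it."""
    return table.find(record["correlation_id"]) or table.create(record)

def export_findings(findings, incidents, problems):
    for f in findings:
        # Problem: solution + solution product, not per target.
        problem = ensure(problems, {
            "correlation_id": f"{f['solution']}|{f['product']}",  # assumed format
            "correlation_display": MARK,
            "short_description": f"{f['solution']} : {f['product']}",
        })
        # Incident: target + script id, so ports do not create duplicates.
        ensure(incidents, {
            "correlation_id": f"{f['target']}|{f['script_id']}",  # assumed format
            "correlation_display": MARK,
            "short_description": f"{f['target']} : {f['script_id']}",
            "problem": problem["correlation_id"],
        })
    return len(incidents.rows), len(problems.rows), incidents.calls + problems.calls

# Constructed sample findings (not real scan output).
WIN = {"script_id": 101010, "solution": "Update Windows", "product": "Windows Server"}
SAMPLE = [
    dict(WIN, target="192.168.2.11", port=445),
    dict(WIN, target="192.168.2.11", port=3389),  # same target + script, other port
    dict(WIN, target="192.168.2.12", port=445),
]

if __name__ == "__main__":
    print(export_findings(SAMPLE, FakeTable(), FakeTable()))
```

Three findings produce two Incidents and one Problem, but every finding still costs a lookup per table, which is why large exports take time.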
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.