Purpose

The purpose of this document is to provide setup information for the ServiceNow integration.

Introduction

ServiceNow is a cloud service that can handle many different needs within a company. Some of its features are:

  • Ticket system
  • CMDB
  • Discovery server
  • Security management

When ServiceNow is enabled, it is visible as a ticket system in Assign Task and Event Notifications. Enabling it also adds the option of importing targets from ServiceNow and activates events and tools for adding tickets. If you disable ServiceNow, the targets will no longer update or scan via ServiceNow until you enable it again.

Ticket system

A ServiceNow ticket created for a finding is added as an Incident with target and script information, and the solution to the finding is added as a Problem. Synchronization between ServiceNow and OUTSCAN/HIAB is periodic, which may cause some delay in updates. With the ticket system, we recommend using old scans to add the tickets you want to start with, and then adding the events you want for future scans.

Terminology

Outpost24 and ServiceNow describe events differently.

| Outpost24 Term | ServiceNow Term | Description |
|---|---|---|
| Asset | - | Assets in Outpost24 are unique hosts found during the discovery stage or added automatically while creating a configuration. Assets are uniquely defined based on their IP or hostname. |
| Target | Asset | Targets in Outpost24 are the assets (as in Outpost24 assets) that can be managed in the system, usually a web site, web application, server, or network device that you would like to scan for security vulnerabilities. In ServiceNow it is called Asset not to be confused with Outpost24 assets. |
| Finding | Incident | Findings are the potential risks and recommended reconfiguration suggestions found during automatic and manual assessments of the target asset. Outpost24 findings are called Incident in ServiceNow. Every ServiceNow Incident is connected to a ServiceNow Problem. |
| Solution and Solution Product | Problem | The ServiceNow Problem is a combination of solution and solution product in Outpost24. This is not per target. |


Set Up ServiceNow

Prerequisites

Note

The ServiceNow account used for the integration must have Can create and Allow access to this table via web services selected for the Incident and Problem tables for the integration to succeed.

OAuth

The ServiceNow service requires an external OAuth Setup to be configured.

To configure OAuth Setup:

  1. Log in to ServiceNow using your credentials.
  2. Go to System OAuth > Application Registry in the ServiceNow service.
  3. Click New.
  4. On the interceptor page, click Create an OAuth API endpoint for external clients.
  5. Fill in the fields.
  6. Click Submit.


When completed, fill in the Client ID and Client secret (if used) in the Integrations window.

  1. Go to Main Menu > Settings > Integrations.
  2. Select the ServiceNow tab.

    Integrations Settings - ServiceNow

  3. Fill in the options below to enable ServiceNow:

    | Option | Description |
    |---|---|
    | Enabled | Click on this field to enable ServiceNow. |
    | URI | Provide the URI of the ServiceNow server (only the https protocol is supported). URI is the hostname. |
    | Username | Provide the username to authenticate against the ServiceNow server. Username/Password are the credentials for the user in the ServiceNow tool. |
    | Password | Provide the password to authenticate against the ServiceNow server. |
    | Client ID | (If used) Provide your client ID, which is generated using the OAuth module. |
    | Client Secret | (If used) Provide your client password. |
    | Add finding solution as problem | Click on this field to view the finding solutions under Problems in ServiceNow. |
    | Certificate | Upload the SSL certificate of your ServiceNow instance. The certificate is the SSL (HTTP/HTTPS) certificate, which can be accessed from the browser. |
    | Certificate uploaded | Displays Yes if a certificate has been uploaded and No if there is no certificate available. |
    | App integration enabled | (If used) Click on this field to enable ServiceNow app integration. |
    | App granted IP range(s) | (If used) Add an IP range to restrict the access. |
    | Save | Click on this button to save your current settings. |

Creating Tickets in ServiceNow

ServiceNow tickets can be created via events or via Assign Task in Reporting Tools. When a ticket is created, the combination of target and script ID is added as an Incident. This means that an Outpost24 finding is an Incident in ServiceNow, but because the combination is used there will be no duplicates for ports and so on. Every Incident is connected to a Problem. The Problem is a combination of solution and solution product in Outpost24 terms and is not per target.

As a result, ServiceNow will have a Problem (what needs to be solved), for example Update Windows, and Incidents (what has triggered the Problem) per target. Information about the target can be found in the Incident. If the target has a saved sysid (ServiceNow connection), the corresponding asset (what a target is called in ServiceNow) is linked as the configuration item.

After enabling ServiceNow, use any of the following ways to create a ticket in OUTSCAN/HIAB.

Method 1:

  1. Go to Main Menu > Netsec > Reporting Tools > Findings.
  2. Right click on any finding, select Assign task.

    Assign Ticket

  3. Select ServiceNow in the ticket system drop-down menu.
  4. Click Save to create a ticket.

Method 2:

  1. Go to PCI scanning > Reports.
  2. Right click on a finding, select Assign task.
  3. Select ServiceNow in the ticket system drop-down menu.
  4. Click Save to create a ticket.

Method 3:

  1. Go to Event Notifications.
  2. Click +New.
  3. Select ServiceNow in the Action drop-down menu.

    Note

    This action is only available for Information, Low-Risk, Medium-Risk, and High-Risk findings.

  4. Click Save to create tickets whenever a report is created with findings of the type of the event.

API Calls

Outpost24 uses the REST API with credentials, which means that the user must have access to the System Web Services Application menu and the REST modules.

API calls are kept to a minimum, but when creating tickets the integration must first verify that the ticket does not already exist and then create it, for both Problems and Incidents. This can create a high workload when creating many tickets.

It takes an average of 3 seconds per ticket, and a big load can take hours to handle. Since this is done in a queue that activates every 10 minutes, it will take at least a couple of minutes before tickets start showing up, and in bad cases up to an hour or so on OUTSCAN, because other customers' tickets are in the same queue. It is therefore recommended to import targets all in one go, which keeps calls to a minimum.

Importing Targets from ServiceNow CMDB

If the ServiceNow integration is enabled, there is an option to import new targets from the ServiceNow CMDB.

  1. Open the Main Menu > Netsec > Manage Targets.
  2. Click + New to open Add New Targets.


  3. Click the Import From Service Now button to display the Import From Service Now form.


  4. Enter the name of the table in ServiceNow you wish to import from. The table field is the only one that is required.
    The Tag, Asset Tag, and Query fields can be used to filter out specific targets from ServiceNow. For example, if you write "test" in the Tag field, only targets from ServiceNow that have the tag "test" are imported. Leaving Tag, Asset Tag, and Query blank imports all the targets in the ServiceNow table you entered.
  5. Click Import to receive the targets from ServiceNow. The targets will be displayed in the target list in Manage Targets.


Exporting Tickets to ServiceNow

When importing targets from ServiceNow, the sysid, which is the ID the target has in ServiceNow, is saved. Later, when an Incident or Problem is created, the target sysid is used to connect to the target ID in the ServiceNow CMDB to update information.

Incident

In ServiceNow, a finding is called an Incident. When a scan encounters a finding, it creates a ticket that ends up in Incident > Open.

| Option | Description |
|---|---|
| short_description | Asset Name or ip/hostname : scriptid |
| Configuration Item | Asset if it was an active SN imported asset |
| Impact + Urgency + Priority | Priority on finding |
| Comments | Finding information |
| Problem | Connected Solution |
| Correlation ID | ID in our database |
| Correlation Display | 'outpost24_integration', our mark |

Problem

Every Incident is connected to a Problem, which is a combination of a solution and solution product within Outpost24. As a result, there will be a Problem (what needs to be solved), for example Update Windows, and Incidents (what has triggered the Problem), for example 192.168.2.11:101010.

| Option | Description |
|---|---|
| short_description | Solution : Solution product |
| Priority | Priority on finding |
| Comments | Solution information |
| Correlation ID | ID in our database |
| Correlation Display | 'outpost24_integration', our mark |
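
The mapping described under Creating Tickets in ServiceNow and in the Incident and Problem tables above can be modelled offline to estimate how many tickets a set of findings will produce. This is an added example, not Outpost24 code; the input keys, the sample sysid values and the correlation ID formats are assumptions made for illustration.

```python
# Added illustration of the finding -> Incident/Problem mapping described above.
# Input keys, sys_id values and correlation ID formats are assumptions.
MARK = "outpost24_integration"  # "Correlation Display" value from the tables

def build_tickets(findings):
    """Return (problems, incidents) dicts, de-duplicated as the page describes."""
    problems, incidents = {}, {}
    for f in findings:
        # One Problem per solution + solution product, not per target.
        pkey = (f["solution"], f["solution_product"])
        if pkey not in problems:
            problems[pkey] = {
                "short_description": f"{pkey[0]} : {pkey[1]}",
                "priority": f["priority"],  # assumption: first finding seen wins
                "comments": f["solution_info"],
                "correlation_id": f"problem-{len(problems) + 1}",  # placeholder
                "correlation_display": MARK,
            }
        # One Incident per target + script ID; extra ports do not add tickets.
        ikey = (f["target"], f["script_id"])
        if ikey not in incidents:
            incidents[ikey] = {
                "short_description": f"{f['target']} : {f['script_id']}",
                "configuration_item": f.get("sys_id"),  # only for SN-imported targets
                "priority": f["priority"],
                "comments": f["info"],
                "problem": problems[pkey]["correlation_id"],
                "correlation_id": f"incident-{len(incidents) + 1}",  # placeholder
                "correlation_display": MARK,
                "ports": [],  # bookkeeping for this example, not a ServiceNow field
            }
        incidents[ikey]["ports"].append(f["port"])
    return problems, incidents

def finding(target, script_id, port, solution, product, sys_id=None):
    """Build one constructed sample finding."""
    return {"target": target, "script_id": script_id, "port": port,
            "solution": solution, "solution_product": product, "sys_id": sys_id,
            "priority": "High", "info": f"script {script_id} on port {port}",
            "solution_info": f"Apply: {solution}"}

# Constructed sample data: four findings, two of them on the same target + script.
SAMPLE = [
    finding("192.168.2.11", 101010, 443, "Update Windows", "Windows Server", "sysid-example-1"),
    finding("192.168.2.11", 101010, 8443, "Update Windows", "Windows Server", "sysid-example-1"),
    finding("192.168.2.12", 101010, 443, "Update Windows", "Windows Server"),
    finding("192.168.2.12", 202020, 22, "Update OpenSSH", "OpenSSH"),
]

if __name__ == "__main__":
    probs, incs = build_tickets(SAMPLE)
    print(len(SAMPLE), "findings ->", len(incs), "incidents,", len(probs), "problems")
```

Filtering ServiceNow records on the Correlation Display mark is a practical way to separate tickets raised by the integration from manually created ones when auditing.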

Reference

Integrations




Copyright

© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.