About
The ServiceNow connector is used to create incidents (both automatically and manually) and extract data from the Configuration Management Database (CMDB). This guide provides a comprehensive overview of setting up and utilizing the ServiceNow connector, detailing the prerequisites, authentication methods, optional features, and API usage.
Prerequisites
Before you start, regardless of the authentication method you decide to use, make sure to have the following prerequisites met:
ServiceNow Instance Name
Obtain the name of your hosted ServiceNow instance. For instance, if your URL is https://dev123456.service-now.com/, the instance name is dev123456.
User Credentials
Go to your ServiceNow instance and navigate through the menu: User Administration > Users. Open the user record you wish to modify.
Alternatively, create a new user with the roles/permissions below.
User Roles and Permisions
Scroll down to the Roles-related list and Click on Edit to modify roles.
Assign Roles:
In the Collection list, search and select the following roles for the user:
itil: Enables the user to manage, create, and edit tickets.personalize_dictionary: Allows reading from thesys_dictionarytable, which Vulcan uses to fetch labels for fields.personalize_responses: Grants the ability to customize predefined responses for suggestion fields, such as the Additional Comments field. This ensures Vulcan syncs the options for the fields displayed on the UI.personalize_choices: Enables customization of choice lists in the system.rest_service: Essential for API Table Fetching, allowing Vulcan to interact with ServiceNow's API efficiently.
Ensure Proper Group Assignment:
Confirm that the user is part of a group with the correct permissions. This group should have the authority to create, edit, and view incidents, problems, and problem tasks.
After assigning the roles and verifying group permissions, click Save to apply the changes.
Table Access: The connector retrieves data from several ServiceNow tables. Ensure the user has access to the following tables:
For Asset Retrieval:
Tables:
cmdb_ci_computer,cmdb_ci_vm_instance,cmdb_ci_business_app
For Incident Creation:
Table:
sys_user
Additional Data:
Business units from
cmn_departmenttable
Authentication Methods
When attempting to configure the ServiceNow connector, you have the option to select one of the two available types of Authentication methods.
Basic OAuth: ServiceNow Username and Password. Credentials are used for pulling assets.
OAuth 2.0: ServiceNow Username and password + Client ID and Client Secret ID. The keys are used to communicate with the ServiceNow API.
Basic OAuth
For the Basic OAth authentication method, you need:
OAuth 2.0
For the OAuth 2.0 authentication method, you need:
Obtaining API Keys for the OAth 2.0 authentication method
To create the API Client ID and Client Secret in ServiceNow:
Access your ServiceNow instance by entering the appropriate URL in your browser and logging in with your credentials.
After logging in, navigate to the 'System OAuth' area. This can typically be found in the main menu under the 'System Security' section.
In the 'System OAuth' section, locate and click 'Application Registry'. This is where all registered applications are listed.
In the 'Application Registry' section, click 'New' to start creating a new application.
After clicking 'New', you’ll be presented with a few options. Select the 'Create an OAuth API endpoint for external clients'. This option is specifically designed for creating credentials that external clients will use to interact with your ServiceNow instance via API.
Optional Toggles
Collect Users
Pulls user and group data from ServiceNow to populate fields when opening tickets through the Vulcan platform. This allows assigning a vulnerability to a ServiceNow user entity through Vulcan.
Example:
Users are pulled from the table sys_user.
Mark Issue as Done
Enable this toggle to allow the Vulcan Platform to transition ServiceNow-generated tickets from Open to Done.
Collect Assets
Enables the collection of computer assets from ServiceNow for validation against scanner data.
Click on "Choose CMDB_CI table values" to select the assets you want to track in Vulcan from the cmdb_ci_computer and cmdb_ci_vm_instance tables. You can adjust your choices anytime. If there are certain types of assets you prefer not to see, you have the option to hide them. Initially, Vulcan shows all assets, but you can filter this to display only those relevant to your ServiceNow account.
Click on "Choose attributes" to create custom tags in Vulcan based on details from ServiceNow to help you categorize and manage your assets more effectively. These tags are fully customizable, allowing you to organize your assets in a way that suits your needs. You can modify these settings at any point to keep up with your changing requirements.
Opening a ServiceNow Incident vs. Problem Ticket
The ServiceNow integration lets you take action on vulnerabilities and open remediation tickets in ServiceNow directly through the Vulcan Platform. You can open tickets manually or create automation (Playbooks).
You can either open an Incident or a Problem ticket directly through the Vulcan Platform.
About Problem Tickets
Through Vulcan, you can also create Problem and Problem Task entities. Each Problem encapsulates details about a vulnerability, akin to an incident. For every vulnerable asset, a corresponding Problem Task is generated, labeling the asset name as a "Configuration Item." In cases where a Configuration Item is not identifiable, the asset name is placed in the 'short description' attribute instead. These Problem Tasks are directly linked to their overarching Problem, ensuring a structured and traceable relationship. Delve into further details by exploring problem life cycle management
Creating a ServiceNow Playbook (Automation)
The automation Playbooks allow you to minimize response time and reduce mundane manual labor by automating remediation tasks and ticket opening based on business and security conditions by integrating the desired report/ticketing system in your organization.
First, make sure to learn how to create and manage automation. All automations are based on the same principles but with different settings and modifications, depending on the selected Remediation Action method. See Automation Playbooks.
Getting ServiceNow Data
This is an example of a vulnerability that has a ServiceNow incident attached to it. You can see it in the right pane under: ‘Open Tickets’.
The activity log for the vulnerability will show any changes in the ticket:
To locate assets coming from ServiceNow, you can filter ‘ServiceNow’ as a source in the appropriate filter:
Ticket lifecycle management
ServiceNow ticket states can be changed by Vulcan when vulnerabilities are fixed or no longer needed. See more on this in the ServiceNow ticket lifecycle.
API in Use
Read permission
<<SERVER_URL>>/api/now/table/sys_choice
<<SERVER_URL>>/api/now/table/sys_user
<<SERVER_URL>>/api/now/table/sys_user_group
<<SERVER_URL>>/api/now/table/cmn_department
<<SERVER_URL>>/api/now/table/sys_dictionary
<<SERVER_URL>>/api/now/table/incident
<<SERVER_URL>>/api/now/table/problem
<<SERVER_URL>>/api/now/table/problem_task
<<SERVER_URL>>/api/now/table/cmdb_ci_service
<<SERVER_URL>>/api/now/table/cmn_location
<<SERVER_URL>>/api/now/table/change_request
<<SERVER_URL>>/api/now/table/sys_user_grmember
<<SERVER_URL>>/api/now/table/cmdb_key_value
<<SERVER_URL>>/api/now/table/svc_ci_assoc
<<SERVER_URL>>/api/now/table/cmdb_rel_ci
<<SERVER_URL>>/api/now/table/cmdb_ci
<<SERVER_URL>>/api/now/table/sys_journal_field
<<SERVER_URL>>/api/now/attachment/file
Read and write permission
<<SERVER_URL>>/api/now/table/incident
<<SERVER_URL>>/api/now/table/problem
<<SERVER_URL>>/api/now/table/problem_task
<<SERVER_URL>>/api/now/table/sys_journal_field
*Note- any other custom fields or tables that are selected from the ServiceNow connector configuration in Vulcan will also need to be manually added as permission to the ServiceNow user.
FAQ