Set up IoT Security and XSOAR for ServiceNow Integration
Set up IoT Security and Cortex XSOAR to integrate with ServiceNow.

To set up IoT Security to integrate with ServiceNow, you need the URL of your ServiceNow instance and the username and password of a ServiceNow user account that allows XSOAR to add device attributes, security alerts, and device vulnerabilities to the device and incident tables you created in ServiceNow.

- Log in to the IoT Security portal and then access ServiceNow settings in Cortex XSOAR.
  - Log in to IoT Security and then click Integrations.
  - IoT Security uses Cortex XSOAR to integrate with ServiceNow, and the settings you must configure to integrate with it are in the XSOAR interface. To access these settings, click Launch Cortex XSOAR. The Cortex XSOAR interface opens in a new browser window.
  - Click Settings in the left navigation menu and search for servicenow to locate it among other instances.
- Configure the ServiceNow integration instance.
  - Click the integration instance settings icon for PANW IoT 3rd Party ServiceNow Integration Instance to open the settings panel.
  - Enter the following and leave the other settings at their default values:
    - Name: Use the default name for the integration instance (PANW IoT 3rd Party ServiceNow Integration Instance) or, if you use the mapping method based on ServiceNow classes, you can use the default name or enter a new one.
      When the ServiceNow Category Mapping Method is Use ServiceNow IoT Device Table, XSOAR jobs for ServiceNow use playbooks that refer to the default integration instance name specifically, so it cannot be changed. When the mapping method is Use ServiceNow Classes, you can use the default name or a new name, but then you must enter it in the Integration Instance Name field in the jobs that Cortex XSOAR will run using this instance.
    - ServiceNow URL: Enter the URL of your ServiceNow account, including https://.
    - Username/Client ID: Enter the name of the user account you previously configured in ServiceNow.
    - Password: Enter the password associated with the user account.
    - Use OAuth Login: Select if you want XSOAR to use OAuth to log in and refer to the help in the right column on the page. Clear for XSOAR to use basic authentication with a username and password. Leave the other settings at their default values.
    - ServiceNow Category Mapping Method: Choose the method you want to use to map devices and device attributes from IoT Security to ServiceNow.
      - Use ServiceNow Classes (default method) maps IoT Security device types, categories, and profiles to ServiceNow classes.
      - Use ServiceNow IoT Device Table maps the labels for various device attributes in IoT Security to their counterparts in a custom table in ServiceNow.
  - When finished, click Test. If the test is successful, a Success message appears. If not, check that the settings were entered correctly and then test the configuration again.
  - After the test succeeds, click Save & exit to save your changes and close the settings panel.
- To integrate with other ServiceNow accounts, repeat the previous steps to add more integration instances.
  You might need more ServiceNow integration instances if, for example, you have one ServiceNow account for your production network and another for staging and testing.
  When IoT Security integrates with ServiceNow and you use the predefined integration instance with its default name (PANW IoT 3rd Party ServiceNow Integration Instance), you don't have to configure any jobs. The predefined jobs (PANW IoT ServiceNow Integration and PANW IoT Bulk Export to ServiceNow) reference the default name of the predefined integration instance and simply work when you enable or run them.
  If you create additional integration instances and jobs, you must make sure that each job references a specific instance; otherwise, if a job doesn't specifically reference the name of an integration instance, it will use the default instance.
- Edit ServiceNow jobs to add the integration instance name and, optionally, to change the poll interval for incremental updates.
  Cortex XSOAR has two predefined jobs that export device attributes, alerts, and vulnerabilities to ServiceNow:
    - PANW IoT ServiceNow Integration: This sends incremental updates to ServiceNow every 15 minutes by default.
    - PANW IoT Bulk Export To Servicenow: This sends all device records and security incidents (security alerts and vulnerabilities) to ServiceNow in one update.
  - Select Jobs, search for servicenow, select PANW IoT ServiceNow Integration, and then click Edit.
  - In Integration Instance Name, enter the name of the ServiceNow integration instance for which you want to run this job. To know if entering the integration instance name is required, consider these three situations:
    - If you added a new ServiceNow integration instance, entering its name here is required.
    - If you use the default ServiceNow integration instance with the default name and the mapping method is Use ServiceNow Classes, entering its name here is also required.
    - If you use the default ServiceNow integration instance with the default name and the mapping method is Use ServiceNow IoT Device Table, then this field is optional.
  - By default, the PANW IoT ServiceNow Integration job applies a 15-minute playbook poll interval. This interval is the period of time for which Cortex XSOAR polls IoT Security for new or modified device records and security incidents to include in its incremental updates. If you want to continue using the 15-minute poll interval, either leave the Playbook Poll Interval field empty or enter 15. (Although not stated, "minutes" is the unit of time that XSOAR uses.) To change the interval to something else, enter a different number.
  - When done, click Update Job.
- (Mapping method: Use ServiceNow Classes) Edit ServiceNow jobs to map additional IoT Security types, categories, and profiles to ServiceNow classes.
  If you want to send device records for anything other than OT devices, add their types, categories, or profiles to the Cortex XSOAR jobs.
  If you don't want IoT Security to send ServiceNow device records for any other device type, category, or profile, skip this step.
  When IoT Security integrates with ServiceNow and you use the predefined integration instance with its default name (PANW IoT 3rd Party ServiceNow Integration Instance), you don't have to modify the two predefined jobs. By default, they reference the default name of the predefined integration instance.
  - Select PANW IoT ServiceNow Integration, and then click Edit.
  - Scroll down to the Custom Fields section and find the PANW-ServiceNow-Category-Map table.
  - Click + Add row and enter the name of a device type, category, or profile in IoT Security and the class you want to map it to in ServiceNow Class.
    To find the exact text strings to enter for IoT Security device types, categories, and profiles, refer to their use in the IoT Security portal. In particular, the query tool at the top of the portal contains text strings for all the device types, categories, and profiles in your tenant.
    For a list of ServiceNow class table names, refer to the list in CMDB table descriptions.
    For example, you can use this setting to map medical imaging devices in the DICOM-Imager, MRI Machine, and X-Ray Machine categories in IoT Security to the cmdb_ci_imaging_hardware class in ServiceNow.
  - Continue adding rows and entries in the two columns to map more IoT Security device categories to ServiceNow categories.
  - When done, click Update Job.
  - Repeat these steps for the PANW IoT Bulk Export to ServiceNow job.
- (Mapping method: Use ServiceNow IoT Device Table) If you want to convert the device category names that IoT Security sends to ServiceNow to match those that ServiceNow uses, create category name mappings.
  In XSOAR, map the names for IoT Security device categories to those in ServiceNow. You must define these mappings in the two jobs that XSOAR uses to send device attributes to ServiceNow.
  If you don't want IoT Security to convert its device category names to those that ServiceNow uses, skip this step.
  - Select PANW IoT ServiceNow Integration, and then click Edit.
  - Scroll down to the Custom Fields section and find the PANW-ServiceNow-Category-Map table.
  - Click + Add row and enter a name in the PANW IoT Category column and its corresponding name in the ServiceNow Category column.
  - Continue adding rows and entries in the two columns to map more IoT Security device categories to ServiceNow categories.
  - When done, click Update Job.
  - Add the same entries to the PANW-ServiceNow-Category-Map table in the PANW IoT Bulk Export To Servicenow job.
- (Mapping method: Use ServiceNow IoT Device Table) If you use an existing device cmdb table with a different table label or different column labels, set the corresponding table and column names in Cortex XSOAR jobs that send device records to ServiceNow.
  If you are using the default table and column labels in ServiceNow, skip this step.
  - Select Jobs, search for servicenow, select PANW IoT ServiceNow Integration, and then click Edit.
  - Edit the default values to match those you used in the ServiceNow table to which XSOAR will send device records.
  - When done, click Update Job.
  - Select PANW IoT Bulk Export to ServiceNow, click Edit, make the same changes there, and then click Update Job.
- If you created more integration instances for multiple ServiceNow accounts, add more jobs as necessary.
  Each ServiceNow integration instance requires its own jobs for incremental and bulk updates, each of which must reference the instance by name. In this case, make sure the Integration Instance Name field in the jobs has the name of the correct ServiceNow instance.
  Run the job for each integration instance you create. The first time you run a job that references an integration instance, it triggers XSOAR to report the instance to IoT Security, which then displays the integration instance on the Integrations page.
- To enable the ServiceNow integration instance, click Settings and then click Enable next to the instance name.
- Return to the IoT Security portal and check the status of the ServiceNow integration.
  XSOAR automatically runs a preconfigured job for ServiceNow integration and reports the integration instance to IoT Security, which displays it on the Integrations page. The integration instance can be in one of the following four states as shown in the Status column on the Integrations page:
    - Disabled means that either the integration was configured but intentionally disabled or it was never configured and a job that references it is enabled and running.
    - Error means that the integration was configured and enabled but is not functioning properly, possibly due to a configuration error or network condition.
    - Inactive means that the integration was configured and enabled but no job has run for at least the past 60 minutes.
    - Active means that the integration was configured and enabled and is functioning properly.
  When you see that the integration instance status has changed from Disabled to Active, its setup is complete.
  XSOAR begins an automated process that sends ServiceNow incrementally updated data from IoT Security about changes to device attributes occurring within the last 15 minutes.
- Export the IoT device inventory from IoT Security to ServiceNow.
  Although regular, automated incremental updates are now in progress, ServiceNow doesn't yet have a complete device inventory from IoT Security. This requires a bulk data export from IoT Security to ServiceNow that you initiate from the XSOAR interface. The process is somewhat time consuming; for example, exporting an inventory of 30,000–40,000 IoT devices can take up to 36 hours.
  To start the bulk export of the entire device inventory, click Launch Cortex Access to return to the XSOAR interface. Click Jobs, select PANW IoT Bulk Export to ServiceNow, and then click Run now.
  During the bulk export and after the job completes, the automated incremental update will continue running every 15 minutes.
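
The instance-name rules in the steps above matter most once a second ServiceNow account exists, because a job with an empty Integration Instance Name runs against the default instance instead of the one you intended. The following Python check is an added example, not Palo Alto Networks code and not an XSOAR API; the dict layout, the staging instance and job names, and the example.invalid URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Names quoted from the page; the dict layout below is an assumption for this example.
DEFAULT_INSTANCE = "PANW IoT 3rd Party ServiceNow Integration Instance"
CLASSES = "Use ServiceNow Classes"
DEVICE_TABLE = "Use ServiceNow IoT Device Table"

def check_setup(instances, jobs):
    """Return findings for a planned set of integration instances and jobs."""
    findings = []
    by_name = {i["name"]: i for i in instances}
    covered = set()  # (instance name, job kind) pairs that some job serves
    for inst in instances:
        if urlparse(inst["url"]).scheme != "https":
            findings.append(f"{inst['name']}: ServiceNow URL must include https://")
    for job in jobs:
        ref = job["instance_name"].strip()
        target = ref or DEFAULT_INSTANCE  # a blank field falls back to the default instance
        if target not in by_name:
            findings.append(f"{job['job']}: runs against '{target}', which is not configured")
            continue
        # With the classes mapping method the name must be entered even for the default.
        if not ref and by_name[target]["mapping"] == CLASSES:
            findings.append(f"{job['job']}: Integration Instance Name is required with {CLASSES}")
        covered.add((target, job["kind"]))
    for name in by_name:
        for kind in ("incremental", "bulk"):  # each instance needs both jobs
            if (name, kind) not in covered:
                findings.append(f"{name}: no {kind} job references this instance")
    return findings

# Constructed sample: a production instance under the default name and a staging instance.
INSTANCES = [
    {"name": DEFAULT_INSTANCE, "url": "https://prod.example.invalid", "mapping": CLASSES},
    {"name": "ServiceNow Staging", "url": "staging.example.invalid", "mapping": CLASSES},
]
JOBS = [
    {"job": "PANW IoT ServiceNow Integration", "kind": "incremental", "instance_name": ""},
    {"job": "PANW IoT Bulk Export to ServiceNow", "kind": "bulk", "instance_name": DEFAULT_INSTANCE},
    {"job": "Staging incremental", "kind": "incremental", "instance_name": "ServiceNow Staging"},
    {"job": "Staging bulk", "kind": "bulk", "instance_name": ""},
]

if __name__ == "__main__":
    for finding in check_setup(INSTANCES, JOBS):
        print(finding)
```

In the sample, the "Staging bulk" job has no instance name, so the staging instance is left without a bulk export while the job itself would run against the production (default) instance.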