Set up ServiceNow for Integration
Set up ServiceNow for integration with IoT Security through Cortex XSOAR.
The following are prerequisites for setting up ServiceNow for integration with IoT Security:
- A configured ServiceNow instance with administrative access
- A ServiceNow user account that XSOAR will use to form a secure connection with the ServiceNow instance and send it device attributes, alerts, and vulnerabilities
- Your ServiceNow URL
When configuring the ServiceNow instance on XSOAR, you will be prompted to enter the username and password of the ServiceNow user account and the ServiceNow URL.
On your ServiceNow instance, you must set up two tables, one to receive device records and another to receive incidents from IoT Security. For ServiceNow to receive device records from XSOAR, you can either modify an existing table or create a new one. For it to receive security incidents, you must create a new table in ServiceNow.
ServiceNow configuration instructions are based on the New York build, 11-04-2020_1502.
- Create a ServiceNow table for receiving device records from IoT Security. If you are creating a new table, do step 1.1. If you are editing an existing table, go to step 1.2.
  - To create a table in ServiceNow for receiving device records from IoT Security, filter the navigation menu by entering System Definition in the Filter navigator field, click Tables > New, and then enter the following:
    - Label: Zingbox discovered devices
    - Name: The name field autofills, automatically prepending u_, converting any uppercase characters to lowercase, and converting spaces and dashes to underscores to connect words. It automatically converts Zingbox discovered devices in the Label field to u_zingbox_discovered_devices in the Name field.
      Zingbox discovered devices is the default label and u_zingbox_discovered_devices is the default name to which Cortex XSOAR sends device records. If you use another table with a different label, you must change the ServiceNow Discovered IoT Device Table Name in the two Cortex XSOAR jobs that send device records to this table: PANW IoT Bulk Export To Servicenow and PANW IoT ServiceNow Integration. For example, if you enter IoT Security discovered devices for the label in ServiceNow, which automatically generates u_iot_security_discovered_devices as the table name, then enter u_iot_security_discovered_devices in the two ServiceNow jobs in Cortex XSOAR.
    - Extends table: Your new table must extend the cmdb_ci configuration item. Search for cmdb_ci and choose it from the list.
  - Add the following custom column labels to the table so that ServiceNow can receive inventory updates from IoT Security and populate these table columns with data. The following are default column labels. If you use another cmdb device table with different column labels, you must change the corresponding default values in the two Cortex XSOAR jobs that send data to this table. The column labels are case sensitive. For example, category is different from Category.
    - category
    - profile
    - iot_tag
    - iot_vendor
    - iot_model
    - iot_os
    - iot_ssid
    - iot_site
    - iot_vlan
    - iot_wired_wireless
    - os_support
  - When done, click Submit.
  - After adding the custom column labels, the table will consist of predefined and custom columns. To display a smaller set of relevant columns, click the Zingbox discovered devices label on the Tables page, scroll down past the table and click Show List in the Related Links section, and then click the Personalize List icon. Use the left and right arrows to move column labels so that only the ones you want to see are in the Selected pane and then click OK.
- Create a ServiceNow table for receiving security incidents from IoT Security.
  - From the ServiceNow Tables page, click New and enter the following:
    - Label: Enter Zingbox alerts vulnerability incident.
    - Name: The name field autofills, automatically prepending u_, converting any uppercase characters to lowercase, and converting spaces and dashes to underscores to connect words. It converts Zingbox alerts vulnerability incident in the Label field to u_zingbox_alerts_vulnerability_incident in the Name field.
    - Extends table: Your new table must extend the Task configuration item. Choose Task from the list.
  - When done, click Submit.
- Add custom table columns to the table.
  - Return to the table configuration page to edit it. The table consists of a set of predefined table columns. You will add two custom column labels to let ServiceNow receive comments from IoT Security about security incidents and provide links to the Security Alert Details and Vulnerability Details pages.
  - Click New at the top of the table on the Columns tab. In the Dictionary Entry form that appears, enter the following and then click Submit:
    - Type: String
    - Column label: Comments
    - Column name: u_comments (automatically fills based on the label)
    - Max length: 4,000 (characters)
  - To add the next column label, click New again, enter the following, and click Submit:
    - Type: URL
    - Column label: Security incident
    - Column name: u_security_incident (automatically fills)
  - Because ServiceNow displays a large set of columns, it’s useful to reduce the number to those of interest. To do this, click the Zingbox alerts vulnerability incident label on the Tables page, scroll down past the table and click Show List in the Related Links section, and then click the Update Personalized List icon. Use the left and right arrows to move column labels so that only the following are in the Selected pane and then click OK.
- Create a ServiceNow user account for XSOAR to use when connecting to ServiceNow and sending it device attributes, alerts, and vulnerabilities.
  - Navigate to System Security > Users, click New, enter a user ID and password, and make sure the Password needs reset check box is cleared. Leave the other fields empty and click Submit. Remember the user ID and password because you will enter these later when configuring the ServiceNow instance in XSOAR.
  - On the Users page, click the user ID of the account you just created to return to the account settings.
  - To add roles to the user account, scroll down the page, click the Roles tab, and then click Edit. Search for the following four roles one by one and add them to the Roles List:
    - rest_api_explorer (This is required so that Cortex XSOAR can connect to ServiceNow through its API.)
    - u_zingbox_alerts_vulnerability_incident_user
    - u_zingbox_discovered_devices_user
    - web_service_admin
    If you use an existing device table whose label is not “Zingbox discovered devices”, the third role shown above will have a different name.
  - Click Save to add the roles to the user account.
  - On the user account settings page, click Update to save the updated settings.
This completes the ServiceNow setup.
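The naming rule, the case-sensitive column labels and the four-role list above can be checked offline before the XSOAR jobs are configured. The following Python sketch is an added example, not part of the vendor documentation: the function names, the "<table name>_user" role pattern (inferred from the two table roles on this page) and the sample role and column lists are assumptions constructed for illustration.

```python
import re

# Default labels, column labels and roles as listed on this page.
DEVICE_LABEL = "Zingbox discovered devices"
INCIDENT_LABEL = "Zingbox alerts vulnerability incident"
DEVICE_COLUMNS = ["category", "profile", "iot_tag", "iot_vendor", "iot_model",
                  "iot_os", "iot_ssid", "iot_site", "iot_vlan",
                  "iot_wired_wireless", "os_support"]
FIXED_ROLES = {"rest_api_explorer", "web_service_admin"}

def table_name(label):
    """Autofill rule from the page: prepend u_, lowercase, and turn spaces
    and dashes into underscores."""
    return "u_" + re.sub(r"[ -]", "_", label.strip().lower())

def required_roles(device_label=DEVICE_LABEL):
    # Assumption: a table's role is "<table name>_user", the pattern both
    # table roles on the page follow.
    tables = (table_name(device_label), table_name(INCIDENT_LABEL))
    return FIXED_ROLES | {t + "_user" for t in tables}

def audit_roles(assigned, device_label=DEVICE_LABEL):
    """Report roles the account lacks and roles beyond the four required."""
    need, have = required_roles(device_label), set(assigned)
    return {"missing": sorted(need - have), "extra": sorted(have - need)}

def audit_columns(present):
    """Case-sensitive check of column labels; 'Category' != 'category'."""
    by_lower = {p.lower(): p for p in present}
    report = {"missing": [], "wrong_case": []}
    for col in DEVICE_COLUMNS:
        if col in present:
            continue
        if col in by_lower:
            report["wrong_case"].append((by_lower[col], col))
        else:
            report["missing"].append(col)
    return report

# Constructed sample data, not taken from a real instance.
SAMPLE_ROLES = ["rest_api_explorer", "u_zingbox_discovered_devices_user",
                "u_zingbox_alerts_vulnerability_incident_user", "admin"]
SAMPLE_COLUMNS = ["Category", "profile", "iot_tag", "iot_vendor", "iot_model",
                  "iot_os", "iot_ssid", "iot_site", "iot_wired_wireless",
                  "os_support"]

if __name__ == "__main__":
    print(table_name("IoT Security discovered devices"))
    print(audit_roles(SAMPLE_ROLES))
    print(audit_columns(SAMPLE_COLUMNS))
```

An "extra" entry such as admin on the integration account is worth removing, since the procedure above grants the account only the four listed roles.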