Set up ServiceNow for Integration

Create a ServiceNow table for receiving device records from IoT Security.
If you are creating a new table, do step 1.1. If you are editing an existing table, go to step 1.2.
To create a table in ServiceNow for receiving device records from IoT Security, filter the navigation menu by entering

System Definition

in the Filter navigator field, click

Tables

New

, and then enter the following:

Label

:

Zingbox discovered devices

Name

: The name field autofills, automatically prepending

u_

, converting any uppercase characters to lowercase, and converting spaces and dashes to underscores to connect words. It automatically converts

Zingbox discovered devices

in the Label field to

u_zingbox_discovered_devices

in the Name field.

Zingbox discovered devices

is the default label and

u_zingbox_discovered_devices

is the default name to which Cortex XSOAR sends device records. If you use any another table with a different label, you must change the ServiceNow Discovered IoT Device Table Name in the two Cortex XSOAR jobs that send device records to this table: PANW IoT Bulk Export To Servicenow and PANW IoT ServiceNow Integration. For example, if you enter

IoT Security discovered devices

for the label in ServiceNow, which automatically generates

u_iot_security_discovered_devices

as the table name, then enter

u_iot_security_discovered_devices

in the two ServiceNow jobs in Cortex XSOAR

Extends table

: Your new table must extend the

cmdb_ci

configuration Item. Search for

cmdb_ci

and choose it from the list.

Add the following custom column labels to the table so that ServiceNow can receive inventory updates from IoT Security and populate these table columns with data:

The following are default column labels. If you use another cmdb device table with different column labels, you must change the corresponding default values in the two Cortex XSOAR jobs that send data to this table. The column labels are case sensitive. For example,

category

is different from

Category

.

category

profile

iot_tag

iot_vendor

iot_model

iot_os

iot_ssid

iot_site

iot_vlan

iot_wired_wireless

os_support



When done, click

Submit

.

After adding the custom column labels, the table will consist of predefined and custom columns. To display a smaller set of relevant columns, click the

Zingbox discovered devices

label on the Tables page, scroll down past the table and click

Show List

in the Related Links section, and then click the

Personalize List

icon ( ). Use the left and right arrows to move column labels so that only the ones you want to see are in the Selected pane and then click

OK

.


Create a ServiceNow table for receiving security incidents from IoT Security.
From the ServiceNow Tables page, click
New
and enter the following:
Label
: Enter
Zingbox alerts vulnerability incident
.
Name
: The name field autofills, automatically prepending
u_
, converting any uppercase characters to lowercase, and converting spaces and dashes to underscores to connect words. It converts
Zingbox alerts vulnerability incident
in the Label field to
u_zingbox_alerts_vulnerability_incident
in the Name field.
Extends table
: Your new table must extend the
Task
configuration Item. Choose
Task
from the list.

When done, click
Submit
.
Add custom table columns to the table.
Return to the table configuration page to edit it.

The table consists of a set of predefined table columns. You will add two custom column labels to let ServiceNow receive comments from IoT Security about security incidents and provide links to the Security Alert Details and Vulnerability Details pages.

Click

New

at the top of the table on the Columns tab.



In the Dictionary Entry form that appears, enter the following and then click

Submit

:

Type

:

String

Column label

:

Comments

Column name

:

u_comments

(automatically fills based on the label)

Max length

:

4,000

(characters)

To add the next column label, click

New

again, enter the following, and click

Submit

:

Type

:

URL

Column label

:

Security incident

Column name

:

u_security_incident

(automatically fills)

Because ServiceNow displays a large set of columns, it’s useful to reduce the number to those of interest. To do this, click the

Zingbox alerts vulnerability incident

label on the Tables page, scroll down past the table and click

Show List

in the Related Links section, and then click the

Update Personalized List

icon ( ). Use the left and right arrows to move column labels so that only the following are in the Selected pane and then click

OK

.


Create a ServiceNow user account for XSOAR to use when connecting to ServiceNow and sending it device attributes, alerts, and vulnerabilities.
Navigate to
System Security
Users
, click
New
, enter a user ID and password, and make sure the
Password needs reset
check box is cleared. Leave the other fields empty and click
Submit
.

Remember the user ID and password because you will enter these later when configuring the ServiceNow instance in XSOAR.
On the Users page, click the user ID of the account you just created to return to the account settings.
To add roles to the user account, scroll down the page, click the
Roles
tab, and then click
Edit
. Search for the following four roles one by one and add them to the Roles List:
rest_api_explorer
(This is required so that Cortex XSOAR can connect to ServiceNow through its API.)
u_zingbox_alerts_vulnerability_incident_user
u_zingbox_discovered_devices_user
web_service_admin
If you use an existing device table whose label is not “Zingbox discovered devices”, the third role shown above will be a different name.

Click
Save
to add the roles to the user account.
On the user account settings page, click
Update
to save the updated settings.
This completes the ServiceNow setup.