Integrate Prisma Cloud with ServiceNow
Learn how to integrate Prisma™ Cloud with ServiceNow to help you prioritize and respond to Security incidents on ServiceNow.
Integrate Prisma™ Cloud with ServiceNow and get automatically notified about Prisma Cloud alerts through ServiceNow tickets to prioritize incidents and vulnerabilities that impact your business. Prisma Cloud integrates with the ITSM module (incident table), the Security Incident Response module (sn_si_incident table), and the Event Management modules (em_event table) on ServiceNow to generate alerts in the form of ITSM Incident, Security Incident, and Event tickets. After you enable the integration, when Prisma Cloud scans your cloud resources and detects a policy violation, it generates an alert and pushes it to ServiceNow as a ticket. When you dismiss an alert on Prisma Cloud, Prisma Cloud sends a state change notification to update the ticket status on ServiceNow. This integration fits into your organization's existing workflows for incident management (ITSM), security operations management (Security Incident Response), or event management.
The Prisma Cloud integration with ServiceNow is qualified with the most recent cloud-based GA versions of ServiceNow; the on-premise versions are not supported.
If you are using a ServiceNow developer instance, make sure that it is not hibernating.
If you see errors, review how to Interpret Error Messages.
Set Up Permissions on ServiceNow
To integrate Prisma Cloud and ServiceNow, you must have privileges on ServiceNow to configure users, roles, and fields, which then allow you to set up the data mapping for the Notification Templates on Prisma Cloud.
If you do not have the required privileges listed below, you must work with your ServiceNow administrator.
- Prerequisites for the Prisma Cloud and ServiceNow Integration
  - You must have permissions to create a local user account on ServiceNow. Create a Username and password that are local on the instance itself. A local user account is a requirement because the ServiceNow web services cannot authenticate against an LDAP or SSO Identity provider and it is unlike the authentication flow that ServiceNow supports for typical administrative users who access the service using a web browser. Refer to the ServiceNow documentation for more information.
  - Review the ServiceNow roles required. Prisma Cloud has verified that the following roles provide the required permissions. If your implementation has different roles and RBAC mechanisms, work with your ServiceNow administrator.
    New York, Orlando, and Paris:
    - (Optional) personalize for accessing tables. Personalize role is recommended to support type-ahead fields in notification templates for ServiceNow on Prisma Cloud. With this permission, when you enter a minimum of three characters in a type-ahead field, this role enables you to view the list of available options. If you do not enable personalize permissions, you must give table specific read-access permissions for type-ahead inputs.
    - evt_mgmt_integration basic role has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources.
    - itil role is required for the incident table actions.
    - sn_si.basic role is required for the sn_si.incident security incident table actions.
  - For the user you added earlier, create a custom role with the permissions listed above. These permissions are required to create tickets and access the data in the respective ITSM, Events, and Security Incident Response tables and fields on ServiceNow. Prisma Cloud needs access to the Plugins (V_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices) tables to fetch data from the ServiceNow fields. You can view this information in the ServiceNow notification templates that enable you to customize Prisma Cloud alerts in ServiceNow.
    - Select User Administration > Roles to create a new role and assign it to the local administrative user you created earlier.
    - Pick a table, such as the Plugins table, and select the menu (“hamburger”) icon next to a table column header to Configure > Table.
    - Elevate the role to security_admin to enable modification of the access control list (ACL).
    - Select Access Controls > New.
    - Set Operation to Read and assign this permission to the role.
    - Enable permissions for the remaining tables and assign them to the same role. Verify that all three tables—Plugins (V_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices)—have the role and the required permission, especially if you have defined field-level ACL rules to restrict access to objects in your ServiceNow implementation.
  - You must be familiar with the fields and field-types in your ServiceNow implementation to set up the Notification templates on Prisma Cloud. Because this knowledge is essential for setting up the mapping of the Prisma Cloud alert payload to the corresponding fields on ServiceNow, you must work with your ServiceNow administrator to successfully enable this integration.
- Prerequisites for the Security Incident Module
  The Security Incident Response plugin is optional but is required if you want to generate Security Incident tickets. To create Security Incident tickets, you must also have the Security Incident Response plugin installed on your ServiceNow instance. Verify that the Security Incident Response plugin is activated. To activate a plugin you must be ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.
- Prerequisites for the Event Management Module
  The Event Management plugin is optional but is required if you want to generate Event tickets on ServiceNow. To create Event tickets, you must have the Event Management subscription and the plugin installed on your ServiceNow instance. Verify that the Event Management plugin is activated. To activate a plugin you must be ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.
Enable the ServiceNow Integration on Prisma Cloud
Set up ServiceNow as an external integration on Prisma Cloud.
- Log in to Prisma Cloud and select Settings > Integrations > +Add New.
- Set the Integration Type to ServiceNow.
- Enter a meaningful Integration Name and a Description.
- Enter your FQDN for accessing ServiceNow. Make sure to provide the FQDN for ServiceNow—not the SSO redirect URL or a URL that enables you to bypass the SSO provider (such as sidedoor or login.do) for local authentication on ServiceNow. For example, enter <yourservicenowinstance>.com and not any of the following:
  - https://www.<yourservicenowinstance>.com
  - <yourservicenowinstance>.com/
  - <yourservicenowinstance>.com/sidedoor.do
  - <yourservicenowinstance>.com/login.do

  You cannot modify the FQDN after you save the integration. If you want to change the FQDN for your ServiceNow instance, add a new integration.
- Enter the Username and Password for the ServiceNow administrative user account. The ServiceNow web services use the SOAP API that supports basic authentication, whereby the administrative credentials are checked against the instance itself and not against any LDAP or SSO Identity provider. Therefore, you must create a local administrative user account and enter the credentials for that local user account here instead of the SSO credentials of the administrator. This method is standard for SOAP APIs that pass a basic authentication header with the SOAP request.
- Select the Service Type for which you want to generate tickets—Incident, Security, and/or Event. You must have the plugin installed to create Security incident tickets or Event tickets; make sure to work with your ServiceNow administrator to install and configure the Security Incident Response module or Event Management module. If you select Security only, Prisma Cloud generates all tickets as Security Incident Response (SIR) on ServiceNow.
- Click Next and then Test. If you have omitted any of the permissions listed in Set Up Permissions on ServiceNow, an HTTP 403 error displays.
- Test and Save the integration. Continue with setting up the notification template, and then verify the status of the integration on Settings > Integrations.

Set up Notification Templates
Notification templates allow you to map the Prisma Cloud alert payload to the incident fields (referred to as ServiceNow fields on the Prisma Cloud interface in the screenshot) on your ServiceNow instance. Because the incident, security, and event tables are independent on ServiceNow, to view alerts in the corresponding table, you must set up the notification template for each service type (Incidents, Events, or Security Incidents) on Prisma Cloud.
- Log in to Prisma Cloud.
- Select Alerts > Notification Templates and Add Notification Template.
- Select the ServiceNow Notification template from the list.
- Enter a Template Name and select your Integration. Use descriptive names to easily identify the notification templates. The total length of the template name can be up to 99 characters and should not include special ASCII characters: (‘<’, ‘>’, ‘!’, ‘=’, ‘\n’, ‘\r’).
- Set the Service Type to Incident, Security, or Event. The options in this drop-down match what you selected when you enabled the ServiceNow integration on Prisma Cloud.
- Select the alert status for which you want to set up the ServiceNow fields. You can choose different fields for the Open, Dismissed, or Resolved states. The fields for the Snoozed state are the same as that for the Dismissed state.
- Enable the checkbox if you want to create a new ServiceNow incident when the alert state changes from Resolved to Open (re-open) states.
- Click Next.
- Select the ServiceNow Fields that you want to include in the alert. Prisma Cloud retrieves the list of fields from your ServiceNow instance dynamically, and it does not store any data. Depending on how your IT administrator has set up your ServiceNow instance, the configurable fields may support a drop-down list, long-text field, or type-ahead. For a type-ahead field, you must enter a minimum of three characters to view a list of available options. When selecting the configurable fields in the notification template, at a minimum, you must include the fields that are defined as mandatory in your ServiceNow implementation.

  In this example, Description is a long-text field, hence you can select and include the Prisma Cloud Alert Payload fields that you want in your ServiceNow Alerts. You must include a value for each field you select to make sure that it is included in the alert notification. See Alert Payload for details on the context you can include in alerts.

  If the text in this field exceeds a certain number of characters (limit may differ based on ServiceNow default field size), you must adjust the maximum length for the fields on your ServiceNow implementation to ensure that the details are not truncated when it’s sent from Prisma Cloud.

  To generate a ServiceNow Event, Message Key and Severity are required. The Message key determines whether to create a new alert or update an existing one, and you can map the Message Key to Account Name or to Alert ID based on your preference for logging Prisma Cloud alerts as a single alert or multiple alerts on ServiceNow. Severity is required to ensure that the event is created on ServiceNow and can be processed without error; without severity, the event is in an Error state on ServiceNow.

  For Number, use AlertID from the Prisma Cloud alert payload for ease of scanning and readability of incidents on ServiceNow.
- Review the Summary status, Test Template, and Save Template. After you set up the integration and configure the notification template, Prisma Cloud uses this template to send a test alert to your ServiceNow instance. The test workflow creates a ticket that transitions through the different alert states that you have configured in the template. When the communication is successful, a success message displays. For an on-demand status check, use the Get Status icon on Settings > Integrations. These checks help you validate that the ServiceNow instance URL is reachable and that your credentials are valid.
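
The Message Key and Severity behaviour described in the ServiceNow Fields step above, as an added example that is not Prisma Cloud or ServiceNow code: a simplified model in which events that share a Message Key update one record and an event without a severity ends up in the Error state. The sample alerts and their dictionary key names are constructed for illustration.

```python
# Simplified model of Message Key / Severity handling for Event tickets.
# Assumption: this mirrors only the behaviour the documentation describes;
# it is not how either product is implemented.

# Constructed sample alerts. The key names are hypothetical and are not the
# exact Prisma Cloud alert payload field names.
SAMPLE_ALERTS = [
    {"alert_id": "P-101", "account_name": "aws-prod", "severity": "high"},
    {"alert_id": "P-102", "account_name": "aws-prod", "severity": "medium"},
    {"alert_id": "P-103", "account_name": "gcp-dev", "severity": "low"},
    {"alert_id": "P-104", "account_name": "gcp-dev", "severity": None},
]


def to_event(alert, key_field):
    """Build an event, using the chosen alert field as the Message Key."""
    return {
        "message_key": alert[key_field],
        "severity": alert.get("severity"),
        "source_alert": alert["alert_id"],
    }


def process_events(events):
    """Return (records, errored).

    records maps each Message Key to the alert IDs folded into that record;
    errored lists alert IDs whose event had no severity (Error state).
    """
    records, errored = {}, []
    for event in events:
        if not event["severity"]:
            errored.append(event["source_alert"])
            continue
        # Same Message Key: update the existing record instead of creating one.
        records.setdefault(event["message_key"], []).append(event["source_alert"])
    return records, errored


def simulate(key_field, alerts=SAMPLE_ALERTS):
    """Run the sample alerts through the model with the given key mapping."""
    return process_events([to_event(a, key_field) for a in alerts])


if __name__ == "__main__":
    for key_field in ("account_name", "alert_id"):
        records, errored = simulate(key_field)
        print(f"Message Key = {key_field}: {len(records)} record(s)")
        for key, alert_ids in records.items():
            print(f"  {key}: {', '.join(alert_ids)}")
        print(f"  Error state: {', '.join(errored) or 'none'}")
```

Mapping the Message Key to the account name folds every alert from one account into a single record, while mapping it to the alert ID keeps one record per alert, so the choice affects how visible individual findings are to responders.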
Interpret Error Messages
The following table displays the most common errors when you enable the ServiceNow integration on Prisma Cloud.

| What is Wrong? | Error Message that Displays |
| --- | --- |
| The ServiceNow URL you entered is incorrect. | You must provide an IP address or an FQDN without the protocol http or https (invalid_snow_base_url) |
| The ServiceNow URL you entered is invalid. | The FQDN is invalid it should be a valid host name or IP address. (invalid_snow_fqdn) |
| The ServiceNow URL you entered is not reachable. | The FQDN provided is either not reachable or is an invalid ServiceNow instance. (snow_network_error) |
| A required field is missing in the ServiceNow configuration. | Missing Required Field - {{param}} (missing_required_param, subject - {{param}}) |
| Your ServiceNow username or password is not valid or is inaccurate. | Invalid Credentials (invalid_credentials) |
| The ServiceNow permissions you have enabled are not adequate. | Required roles or Plugins is/are missing for {{table}} (missing_role_or_plugin, subject - {{table}}) |
| The Notification template for this integration does not have adequate permissions. | Insufficient permission to read the field from {{table}} table (insufficient_permission_to_read, subject - {{table}}); Error Fetching Suggestions For {{table}} (error_fetching_fields_for, subject - {{table}}) |
| The ServiceNow integration is not successfully configured. | Failed Service Now Test - {{reason}} (failed_service_now_test, subject - {{reason}}) |

View Alerts
Verify that the integration is working as expected. On the incidents view in ServiceNow, add the Created timestamp in addition to the same columns you enabled in the Prisma Cloud notification template to easily correlate alerts across both administrative consoles.
- Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to ServiceNow. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)
- Log in to ServiceNow to view Prisma Cloud alerts. When alert states are updated in Prisma Cloud, they are automatically updated in the corresponding ServiceNow tickets.
  - To view incidents (incident table), select Incidents. In ServiceNow, all the Open Prisma Cloud alerts have an incident state of New and all the Resolved or Dismissed alerts have an incident state of Resolved.
  - To view security incidents (sn_si_incident table), select Security Incidents. In ServiceNow, all the Open Prisma Cloud alerts have a state of Draft and all the Resolved or Dismissed alerts have a state of Review.
  - To view event incidents (events table), select Event Management > All Events.