Integrate Prisma Cloud with ServiceNow
Learn how to integrate Prisma Cloud with ServiceNow to help you prioritize and respond to security incidents on ServiceNow.
Integrate Prisma Cloud with ServiceNow and automatically get notified of Prisma Cloud alerts through ServiceNow tickets, and prioritize incidents and vulnerabilities according to their potential impact on your business. This integration seamlessly fits into your organization’s existing workflows for incident management (itsm) and security operations management (security).
The Prisma Cloud integration with ServiceNow is verified with the ServiceNow London, Kingston, and Madrid (for incident management only) versions. If you are using a ServiceNow developer instance, make sure that it is not hibernated.
Prisma Cloud connects to the Incident module (incident table) and Security Incident module (sn_si_incident table) in ServiceNow and generates alerts in the form of Incident and Security Incident tickets. The Security Incident Response plugin is optional and is required only if you want to generate Security Incident tickets. For creating Security Incident tickets, you must also have the Security Incident Response plugin installed on your ServiceNow instance.
Enable the Integration on ServiceNow
To connect Prisma Cloud and ServiceNow, you need to create a local user account on ServiceNow, and create a custom role with read access to enable access to the data in tables.
- Integrate the Incident Module
  - Create a local user account on ServiceNow. To enable the integration, the administrative user must have the ITIL incident role (or associated permissions), and a Username and password that is local on the instance itself. A local user account is a requirement because the ServiceNow web services cannot authenticate against an LDAP or SSO Identity provider; this is unlike the authentication flow that ServiceNow supports for typical administrative users who access the service using a web browser. The ITIL role enables the user to perform standard actions for an ITIL helpdesk technician, such as opening, updating, and closing incidents, problems, changes, and configuration management items. Refer to the ServiceNow documentation for more information.
  - Create a custom role and enable read access to the tables in the plugin. Prisma Cloud needs access to the Plugins (V_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices) tables to fetch data from the ServiceNow fields. This information is displayed in the ServiceNow notification templates that enable you to customize Prisma Cloud alerts in ServiceNow.
    - Select User Administration > Roles to create a new role to assign to the local administrative user you created earlier.
    - Pick a table, for example Plugins, and select the hamburger icon next to a table column header to Configure > Table.
    - Elevate the role to security_admin for modifying the access control list.
    - Select Access Controls > New.
    - Set Operation as Read and assign this permission to the role.
    - Enable permissions for the remaining tables, and assign them to the same role.
- Integrate the Security Incident Module
  - Create a local user account on ServiceNow to successfully integrate the Incident and Security Module with Prisma Cloud. The admin role must have permissions to create and edit incidents and security incidents in the sn_si_incident table. Based on your integration needs, enable the following roles:
    - ITIL incident role
    - sn_si.basic - This is the security incident basic role that can read and edit security incidents.
    - sn_si.admin - This is the security incident administrator role that has full control over all service management data, administrator territories and skills.
    - sn_si.manager - This is the security incident manager role that can read and edit security incidents.
  - Activate the Security Incident Response module to connect to the security incident module (sn_si_incident table) in ServiceNow. (Required to create Security Incident tickets instead of Incident tickets) Select Security Incident Response from the system plugins, right-click, and select Activate. To activate a plugin you must be a ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.
Enable the ServiceNow Integration on Prisma Cloud
Set up ServiceNow as an external integration on Prisma Cloud.
- Log in to Prisma Cloud and select Settings > Integrations > +Add New.
- Set the Integration Type as ServiceNow.
- Enter a meaningful Integration Name and a Description.
- Enter your FQDN for accessing ServiceNow. Make sure to provide the FQDN for ServiceNow, and not the SSO redirect URL or a URL that enables you to bypass the SSO provider such as sidedoor or login.do for local authentication on ServiceNow. For example, enter yourservicenowinstance.com and not any of the following:
  - https://www.yourservicenowinstance.com
  - yourservicenowinstance.com/
  - yourservicenowinstance.com/sidedoor.do
  - yourservicenowinstance.com/login.do
- Enter the Username and Password for the ServiceNow administrative user account. The ServiceNow web services use the SOAP API that supports Basic Authentication, whereby the administrative credentials are checked against the instance itself and not against any LDAP or SSO Identity provider. Therefore, you must create a local administrative user account and enter the credentials for that local user account here instead of the SSO credentials of the administrator. This method is standard for SOAP APIs that pass a basic authentication header with the SOAP request.
- (Optional) Select Enable Security Incidents to create Security Incident tickets in ServiceNow. To create Security Incident tickets in ServiceNow you must have installed the Security Incident Response plugin in ServiceNow.
- Click Next and then click Test.
- Save to save the integration.
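A pre-flight check for the FQDN field described in the steps above, as an added example that is not part of the Prisma Cloud or ServiceNow documentation. The function name check_servicenow_fqdn and its messages are hypothetical; beyond the four rejected forms listed above, it also checks basic host name syntax (label characters and lengths), which is an assumption about what counts as a usable value.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Local-login pages that the step above says must not be part of the value.
_LOGIN_PAGES = ("sidedoor.do", "login.do")
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")


def check_servicenow_fqdn(value):
    """Return a list of problems with an FQDN field value; empty means usable."""
    raw = value.strip()
    has_scheme = _SCHEME.match(raw) is not None
    try:
        # Without a scheme, prefix "//" so urlsplit still separates host and path.
        parts = urlsplit(raw if has_scheme else "//" + raw)
    except ValueError:
        return ["value cannot be parsed as a host name: %r" % raw]
    problems = []
    if has_scheme:
        problems.append("remove the scheme (%s://)" % parts.scheme)
    page = parts.path.rsplit("/", 1)[-1].lower()
    if page in _LOGIN_PAGES:
        problems.append("remove the local-login page (%s)" % page)
    elif parts.path:
        problems.append("remove the trailing slash or path (%s)" % parts.path)
    if parts.query or parts.fragment:
        problems.append("remove the query string or fragment")
    host = parts.netloc
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2 or not all(_LABEL.match(x) for x in labels):
        problems.append("not a fully qualified host name: %r" % host)
    return problems


if __name__ == "__main__":
    # Accepted and rejected sample values taken from the FQDN step above.
    for sample in ("yourservicenowinstance.com",
                   "https://www.yourservicenowinstance.com",
                   "yourservicenowinstance.com/",
                   "yourservicenowinstance.com/sidedoor.do",
                   "yourservicenowinstance.com/login.do"):
        print(sample, "->", check_servicenow_fqdn(sample) or "ok")
```
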
Set up Notification Templates
Notification templates allow you to customize Prisma Cloud alerts and create a custom workflow on your ServiceNow instance. When you create notification templates for Incidents, you can view alerts in the incident table and for Security Incidents you can view the corresponding alerts in
- Log in to Prisma Cloud and select Alerts > Notification Templates.
- Enter a Template Name and select your Integration.
- Choose the Incident Type as Security or Incident. To create Security incidents, you should have selected Enable Security Incidents while creating this integration.
- Click Next and select the Configurable Fields to include in the alert. The fields that are defined as mandatory in ServiceNow are already selected and included in this template.
- From Description, select and include the fields in Alert Payload that you want to see in your ServiceNow Alerts. You must include a value for each field you select to make sure that it is included in the alert notification. See Alert Payload for details on the context you can include in alerts. For Number, select AlertID only for ease of scanning and readability.
- Click Next to go to the review pane and review your selection.
- Save your changes.
Verify that the integration is working as expected. On the incidents view in ServiceNow, add the created timestamp in addition to the same columns you enabled in the Prisma Cloud notification template to easily correlate alerts across both admin consoles.
- Modify an existing Alert rule, or create a new Alert Rule to send Alert notifications to ServiceNow. See Send Prisma Cloud Alert Notifications to Third-Party Tools.
- Log in to ServiceNow to view Prisma Cloud alerts. As and when the alert states are updated in Prisma Cloud, they are automatically updated in the corresponding ServiceNow tickets.
  - To view incidents (incident table), select Incidents. In ServiceNow, all the Prisma Cloud Open alerts have the incident state as New and all the Resolved or Dismissed alerts have the incident state as Resolved.
  - To view security incidents (sn_si_incident table), select Security Incidents. In ServiceNow, all the Prisma Cloud Open alerts have the state as Draft and all the Resolved or Dismissed alerts have the state as Review.