Integrate Prisma Cloud with ServiceNow
Learn how to integrate Prisma™ Cloud with ServiceNow to help you prioritize and respond to security incidents on ServiceNow.
Integrate Prisma™ Cloud with ServiceNow and get automatically notified about Prisma Cloud alerts through ServiceNow tickets to prioritize incidents and vulnerabilities that impact your business. Prisma Cloud integrates with the ITSM module (incident table), the Security Incident Response module (sn_si_incident table), and the Event Management module (em_event table) on ServiceNow to generate alerts in the form of ITSM Incident, Security Incident, and Event tickets. After you enable the integration, when Prisma Cloud scans your cloud resources and detects a policy violation, it generates an alert and pushes it to ServiceNow as a ticket. When you dismiss an alert on Prisma Cloud, Prisma Cloud sends a state change notification to update the ticket status on ServiceNow. This integration fits into your organization's existing workflows for incident management (ITSM), security operations management (Security Incident Response), or event management.
The Prisma Cloud integration with ServiceNow is qualified with ServiceNow for London, Madrid, and New York. With the December 19, 2019 release, you are prompted to select your ServiceNow release version when you enable the integration. If you have an existing integration with ServiceNow, the London release is selected by default and you can edit it to choose the release you are using.
If you are using a ServiceNow developer instance, make sure that it is not hibernating.
Set Up Permissions on ServiceNow
To integrate Prisma Cloud and ServiceNow, you must have the privileges on ServiceNow to configure users, roles, and fields, which then allow you to set up the data mapping for the Notification Templates on Prisma Cloud.
If you do not have the required privileges listed below, you must work with your ServiceNow administrator.
Prerequisites for the Prisma Cloud and ServiceNow Integration
- You must have permissions to create a local user account on ServiceNow. Create a username and password that are local to the instance itself. A local user account is required because the ServiceNow web services cannot authenticate against an LDAP or SSO identity provider; this is unlike the authentication flow that ServiceNow supports for typical administrative users who access the service using a web browser. Refer to the ServiceNow documentation for more information.
- Review the ServiceNow roles required. Prisma Cloud has verified that the following roles provide the required permissions. If your implementation has different roles and RBAC mechanisms, work with your ServiceNow administrator.
- London
  1. usage_admin for checking the v_plugin table to determine whether Security Incident Response is enabled.
  2. personalize for accessing the sys_dictionary and sys_choice tables.
  3. itil for all operations related to the incident table.
  4. sn_si.admin and sn_si.basic roles for all operations related to Security Incident Response.
  5. evt_mgmt_integration basic role, which has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables, to integrate with external event sources.
- Madrid and New York
  1. personalize for accessing the sys_dictionary and sys_choice tables.
  2. itil for all operations related to the sys_db_object and incident tables.
  3. sn_si.admin for all operations related to the sn_si_incident table.
  4. evt_mgmt_integration basic role, which has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables, to integrate with external event sources.
- For the user you added earlier, create a custom role with the permissions listed above. These permissions are required to create tickets and access the data in the respective ITSM, Events, and Security Incident Response tables and fields on ServiceNow. Prisma Cloud needs access to the Plugins (V_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices) tables to fetch data from the ServiceNow fields. You can view this information in the ServiceNow notification templates that enable you to customize Prisma Cloud alerts in ServiceNow.
- Select User Administration > Roles to create a new role and assign it to the local administrative user you created earlier.
- Pick a table, such as the Plugins table, and select the menu (“hamburger”) icon next to a table column header to Configure > Table.
- Select Access Controls > New.
- Set Operation to Read and assign this permission to the role.
- Enable permissions for the remaining tables and assign them to the same role. Verify that all three tables—Plugins (V_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices)—have the role and the required permission, especially if you have defined field-level ACL rules to restrict access to objects in your ServiceNow implementation.
- You must be familiar with the fields and field-types in your ServiceNow implementation to set up the Notification templates on Prisma Cloud. Because this knowledge is essential for setting up the mapping of the Prisma Cloud alert payload to the corresponding fields on ServiceNow, you must work with your ServiceNow administrator to successfully enable this integration.
Prerequisites for the Security Incident Module
The Security Incident Response plugin is optional but is required if you want to generate Security Incident tickets. To create Security Incident tickets, you must also have the Security Incident Response plugin installed on your ServiceNow instance. Verify that the Security Incident Response plugin is activated. To activate a plugin you must be a ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.
Prerequisites for the Event Management Module
The Event Management plugin is optional but is required if you want to generate Event tickets on ServiceNow. To create Event tickets, you must have the Event Management subscription and the plugin installed on your ServiceNow instance. Verify that the Event Management plugin is activated. To activate a plugin you must be a ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.
Enable the ServiceNow Integration on Prisma Cloud
Set up ServiceNow as an external integration on Prisma Cloud.
- Log in to Prisma Cloud and select Settings > Integrations > + Add New.
- Set the Integration Type to ServiceNow.
- Enter a meaningful Integration Name and a Description.
- Enter your FQDN for accessing ServiceNow. Make sure to provide the FQDN for ServiceNow—not the SSO redirect URL or a URL that enables you to bypass the SSO provider (such as sidedoor or login.do) for local authentication on ServiceNow. For example, enter <yourservicenowinstance>.com and not any of the following:
  - https://www.<yourservicenowinstance>.com
  - <yourservicenowinstance>.com/
  - <yourservicenowinstance>.com/sidedoor.do
  - <yourservicenowinstance>.com/login.do
  If you switch the FQDN from one ServiceNow instance to another, state change notifications for existing alerts will fail.
- Enter the Username and Password for the ServiceNow administrative user account. The ServiceNow web services use the SOAP API, which supports basic authentication; the administrative credentials are checked against the instance itself and not against any LDAP or SSO identity provider. Therefore, you must create a local administrative user account and enter the credentials for that local user account here instead of the SSO credentials of the administrator. This method is standard for SOAP APIs that pass a basic authentication header with the SOAP request.
- Select the Service Type for which you want to generate tickets—Security, Incidents, and/or Event. You must have the plugin installed to create Security incident tickets or Event tickets; make sure to work with your ServiceNow administrator to install and configure the Security Incident Response module or Event Management module. If you select Security only, Prisma Cloud generates all tickets as Security Incident Response (SIR) tickets on ServiceNow.
- Click Next and then Test.
- Test and Save the integration. Continue with setting up the notification template, and then verify the status of the integration on Settings > Integrations.
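The two things this procedure depends on are a bare FQDN and a local user whose role can read the Plugins, Dictionary and Choice Lists tables. The following Python pre-flight check is an added example, not Prisma Cloud code or code from this page: it applies the FQDN rule above and probes the three tables through the ServiceNow REST Table API with basic auth (the integration itself uses SOAP). The instance name, user name, and the use of sysparm_limit=1 as a minimal read are assumptions.

```python
import base64
import re
import urllib.error
import urllib.request

# Tables the Prisma Cloud integration user must be able to read (named on this page).
REQUIRED_READ_TABLES = ("v_plugin", "sys_dictionary", "sys_choice")


def normalize_fqdn(value: str) -> str:
    """Return a bare ServiceNow FQDN; reject schemes, paths and SSO-bypass pages."""
    host = value.strip().lower()
    if "://" in host:
        raise ValueError("enter the bare FQDN, not a URL with a scheme")
    if "/" in host:
        # Rejects '<fqdn>/', '<fqdn>/sidedoor.do' and '<fqdn>/login.do' alike.
        raise ValueError("enter the bare FQDN without a path or login page")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        raise ValueError("not a valid FQDN")
    return host


def table_read_status(fqdn, user, password, table, opener=urllib.request.urlopen):
    """HTTP status of a one-row GET on the REST Table API using basic auth with the
    local (non-SSO) user the page requires; the integration itself uses SOAP."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{fqdn}/api/now/table/{table}?sysparm_limit=1",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    try:
        with opener(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401: credentials not local/valid; 403: role or ACL missing


def check_required_tables(fqdn, user, password, opener=urllib.request.urlopen):
    """Map each required table to the HTTP status the integration user receives."""
    host = normalize_fqdn(fqdn)
    return {t: table_read_status(host, user, password, t, opener)
            for t in REQUIRED_READ_TABLES}


def missing_read_access(statuses):
    """Tables whose ACLs still need the custom role before enabling the integration."""
    return [t for t, status in statuses.items() if status != 200]
```

Call `missing_read_access(check_required_tables(fqdn, user, password))` with the local user's credentials; any table listed needs a Read ACL for the custom role before the integration test will pass.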
Set up Notification Templates
Notification templates allow you to map the Prisma Cloud alert payload to the incident fields (referred to as ServiceNow fields on the Prisma Cloud interface) on your ServiceNow instance. Because the incident, security, and event tables are independent on ServiceNow, to view alerts in the corresponding table you must set up a notification template for each service type (such as Security Incidents) on Prisma Cloud.
- Log in to Prisma Cloud and select Alerts > Notification Templates.
- Add New notification template, and choose the template for ServiceNow.
- Enter a Template Name and select your Integration. Use descriptive names to easily identify the notification templates.
- Set the Service Type to Security, Incident, or Event. The options in this drop-down match what you selected when you enabled the ServiceNow integration on Prisma Cloud.
- Click Next and select the alert status for which you want to set up the ServiceNow fields. You can choose different fields for the Open, Dismissed, or Resolved states. The fields for the Snoozed state are the same as those for the Dismissed state.
- Select the ServiceNow Fields that you want to include in the alert. Prisma Cloud retrieves the list of fields from your ServiceNow instance dynamically, and it does not store any data. Depending on how your IT administrator has set up your ServiceNow instance, the configurable fields may support a drop-down list, long-text field, or type-ahead. For a type-ahead field, you must enter a minimum of three characters to view a list of available options. When selecting the configurable fields in the notification template, at a minimum you must include the fields that are defined as mandatory in your ServiceNow implementation. For example, Description is a long-text field, so you can select and include the Prisma Cloud Alert Payload fields that you want in your ServiceNow alerts. You must include a value for each field you select to make sure that it is included in the alert notification. See Alert Payload for details on the context you can include in alerts. To generate a ServiceNow Event, Message Key and Severity are required. The Message Key determines whether to create a new alert or update an existing one; map the Message Key to Account Name or to Alert ID depending on whether you want Prisma Cloud alerts logged as a single alert or as multiple alerts on ServiceNow. Severity is required to ensure that the event is created on ServiceNow and can be processed without error; without a severity, the event is in an Error state on ServiceNow. For Number, use Alert ID from the Prisma Cloud alert payload for ease of scanning and readability of incidents on ServiceNow.
- Click Next to go to the review pane and review your selection.
- Test and Save your changes. After you set up the integration and configure the notification template, Prisma Cloud uses this template to send alerts to your ServiceNow instance. When the communication is successful, the status of the integration is green on Settings > Integrations. If the ServiceNow instance URL is unreachable or if your credentials are invalid, the status turns red. When a failure occurs, Prisma Cloud performs periodic checks to verify the connection status. The status, however, does not transition to red if:
  - Prisma Cloud cannot resolve the alert or update an existing alert field for a deleted or missing record on your ServiceNow instance.
  - Prisma Cloud is unable to send a test message to ServiceNow because of an HTTP 404 error.
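As an added example (not Prisma Cloud code or code from this page), the following Python models the Event rules from the template step above: how mapping Message Key to Alert ID versus Account Name changes the number of ServiceNow alerts, and how an alert without a severity fails rather than producing an event that would sit in Error state. The sample payload field names, the em_event fields other than message_key and severity, and the severity code mapping are assumptions.

```python
# Constructed sample alerts; these payload field names are assumptions for the
# example, not Prisma Cloud's documented payload keys.
SAMPLE_ALERTS = [
    {"alertId": "P-1001", "accountName": "prod-aws", "severity": "high",
     "policyName": "S3 bucket is publicly readable"},
    {"alertId": "P-1002", "accountName": "prod-aws", "severity": "medium",
     "policyName": "Security group allows ingress from 0.0.0.0/0"},
    {"alertId": "P-1003", "accountName": "dev-gcp", "severity": "low",
     "policyName": "Bucket logging disabled"},
    {"alertId": "P-1004", "accountName": "dev-gcp",  # severity missing on purpose
     "policyName": "Default VPC in use"},
]
# Assumed Prisma Cloud severity -> ServiceNow event severity code (1 critical .. 5 info).
SEVERITY_CODE = {"critical": 1, "high": 2, "medium": 3, "low": 4, "informational": 5}

class TemplateError(ValueError):
    """The mapped event would be rejected or end up in Error state on ServiceNow."""

def build_event(alert, message_key_field="alertId"):
    """Map one alert to an em_event record the way the notification template does.
    Mapping Message Key to 'alertId' gives one ServiceNow alert per Prisma Cloud
    alert; mapping it to 'accountName' folds an account's alerts into one."""
    key = alert.get(message_key_field)
    if not key:
        raise TemplateError(f"Message Key source '{message_key_field}' is empty")
    severity = SEVERITY_CODE.get(str(alert.get("severity", "")).lower())
    if severity is None:  # Severity is required; without it ServiceNow errors the event
        raise TemplateError(f"alert {alert.get('alertId')} has no usable severity")
    return {"source": "Prisma Cloud", "message_key": key, "severity": severity,
            "description": f"{alert['policyName']} ({alert['accountName']})"}

def servicenow_alert_count(alerts, message_key_field):
    """ServiceNow alerts opened/updated: events sharing a message_key update one alert."""
    return len({build_event(a, message_key_field)["message_key"] for a in alerts})

def invalid_alerts(alerts, message_key_field="alertId"):
    """Alert IDs that would fail the template's required-field checks."""
    bad = []
    for alert in alerts:
        try:
            build_event(alert, message_key_field)
        except TemplateError:
            bad.append(alert["alertId"])
    return bad
```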
Verify that the integration is working as expected. On the incidents view in ServiceNow, add the Created timestamp in addition to the same columns you enabled in the Prisma Cloud notification template to easily correlate alerts across both administrative consoles.
- Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to ServiceNow. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)
- Log in to ServiceNow to view Prisma Cloud alerts. When alert states are updated in Prisma Cloud, they are automatically updated in the corresponding ServiceNow tickets.
- To view incidents (incident table), select Incidents. In ServiceNow, all Open Prisma Cloud alerts have an incident state of New and all Resolved or Dismissed alerts have an incident state of Resolved.
- To view security incidents (sn_si_incident table), select Security Incidents. In ServiceNow, all Open Prisma Cloud alerts have a state of Draft and all Resolved or Dismissed alerts have a state of Review.
- To view event incidents (events table), select Event Management > All Events.