Integrate Prisma Cloud with ServiceNow

Learn how to integrate Prisma Cloud with ServiceNow to help you prioritize and respond to security incidents on ServiceNow.
Integrate Prisma Cloud with ServiceNow to be notified automatically of Prisma Cloud alerts through ServiceNow tickets, and to prioritize incidents and vulnerabilities according to their potential impact on your business. The integration fits into your organization's existing workflows for incident management (ITSM) and security operations management (security).
The Prisma Cloud integration with ServiceNow is verified with the London, Kingston, and Madrid (for incident management only) versions of ServiceNow. If you are using a ServiceNow developer instance, make sure that it is not hibernated.
Prisma Cloud connects to the Incident module (incident table) and the Security Incident module (sn_si_incident table) in ServiceNow and generates alerts in the form of Incident and Security Incident tickets. The Security Incident Response plugin is optional; you need it installed on your ServiceNow instance only if you want to generate Security Incident tickets.

Enable the Integration on ServiceNow

To connect Prisma Cloud and ServiceNow, you need to create a local user account on ServiceNow, and create a custom role with read access to the tables that hold the data.
  • Integrate the Incident Module
    1. Create a local user account on ServiceNow.
      To enable the integration, the administrative user must have the ITIL incident role (or associated permissions), and a Username and password that are local on the instance itself. A local user account is a requirement because the ServiceNow web services cannot authenticate against an LDAP or SSO Identity provider; this differs from the authentication flow that ServiceNow supports for typical administrative users who access the service using a web browser. The ITIL role enables the user to perform standard actions for an ITIL helpdesk technician, such as opening, updating, and closing incidents, problems, changes and configuration management items. Refer to the ServiceNow documentation for more information.
    2. Create a custom role and enable read access to the tables in the plugin.
      Prisma Cloud needs access to the Plugins (V_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices) tables to fetch data from the ServiceNow fields. This information is displayed in the ServiceNow notification templates that enable you to customize Prisma Cloud alerts in ServiceNow.
      1. Select User Administration > Roles to create a new role and assign it to the local administrative user you created earlier.
      2. Pick a table, for example Plugins, and select the hamburger icon next to a table column header to Configure > Table.
      3. Elevate the role to security_admin for modifying the access control list.
      4. Select Access Controls > New.
      5. Set Operation as Read and assign this permission to the role.
      6. Enable permissions for the remaining tables, and assign them to the same role.
  • Integrate the Security Incident Module
    1. Create a local user account on ServiceNow to successfully integrate the Incident and Security Module with Prisma Cloud.
      The admin role must have permissions to create and edit incidents and security incidents in the sn_si_incident table. Based on your integration needs, enable the following roles:
      • ITIL incident role
      • sn_si.basic - This is the security incident basic role that can read and edit security incidents.
      • sn_si.admin - This is the security incident administrator role that has full control over all service management data, administrator territories and skills.
      • sn_si.manager - This is the security incident manager role that can read and edit security incidents.
      Refer to the ServiceNow documentation for more information.
    2. Activate the Security Incident Response module to connect to the security incident module (sn_si_incident table) in ServiceNow.
      (Required to create Security Incident tickets instead of Incident tickets) Select Security Incident Response from the system plugins, right-click, and select Activate. To activate a plugin you must be a ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.

Enable the ServiceNow Integration on Prisma Cloud

Set up ServiceNow as an external integration on Prisma Cloud.
  1. Log in to Prisma Cloud and select Settings > Integrations > +Add New.
  2. Set the Integration Type as ServiceNow.
  3. Enter a meaningful Integration Name and a Description.
  4. Enter your FQDN for accessing ServiceNow.
    Make sure to provide the FQDN for ServiceNow, and not the SSO redirect URL or a URL that enables you to bypass the SSO provider, such as sidedoor or login.do, for local authentication on ServiceNow. For example, enter yourservicenowinstance.com and not any of the following:
    • https://www.yourservicenowinstance.com
    • yourservicenowinstance.com/
    • yourservicenowinstance.com/sidedoor.do
    • yourservicenowinstance.com/login.do
  5. Enter the Username and Password for the ServiceNow administrative user account.
    The ServiceNow web services use the SOAP API that supports Basic Authentication, whereby the administrative credentials are checked against the instance itself and not against any LDAP or SSO Identity provider. Therefore, you must create a local administrative user account and enter the credentials for that local user account here instead of the SSO credentials of the administrator. This method is standard for SOAP APIs that pass a basic authentication header with the SOAP request.
  6. (Optional) Select Enable Security Incidents to create Security Incident tickets in ServiceNow.
    To create Security Incident tickets in ServiceNow you must have installed the Security Incident Response plugin in ServiceNow.
  7. Click Next and then click Test.
    If you have omitted any of the permissions listed in Enable the Integration on ServiceNow, an HTTP 403 error displays.
  8. Save the integration.
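
The FQDN rule in step 4 and the Basic Authentication note in step 5, as an added example that is not part of the Prisma Cloud or ServiceNow products. check_fqdn, basic_auth_header and recover_credentials are hypothetical helper names; the code rejects the four input forms listed in step 4 and shows that the Basic Authentication header can be decoded back to the user name and password.

```python
import base64
import re

# One DNS label: letters, digits and hyphens, with no leading or trailing hyphen.
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)


def check_fqdn(value):
    """Return (ok, reason) for a value typed into the FQDN field."""
    if "://" in value:
        return False, "remove the URL scheme"
    if "/" in value:
        page = value.rsplit("/", 1)[1]
        if page in ("sidedoor.do", "login.do"):
            return False, f"remove the local-authentication page {page}"
        return False, "remove the path or trailing slash"
    labels = value.split(".")
    if len(value) > 253 or len(labels) < 2:
        return False, "not a fully qualified domain name"
    if not all(_LABEL.fullmatch(label) for label in labels):
        return False, "not a fully qualified domain name"
    return True, "ok"


def basic_auth_header(username, password):
    """Build the header value Basic Authentication sends: base64 of user:password."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def recover_credentials(header_value):
    """Decode the header again: base64 is an encoding, not encryption."""
    scheme, token = header_value.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic Authentication header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    # Constructed inputs: the accepted form and the rejected forms from step 4.
    for candidate in ("yourservicenowinstance.com",
                      "https://www.yourservicenowinstance.com",
                      "yourservicenowinstance.com/",
                      "yourservicenowinstance.com/sidedoor.do"):
        print(candidate, check_fqdn(candidate))
```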

Set up Notification Templates

Notification templates allow you to customize Prisma Cloud alerts and create a custom workflow on your ServiceNow instance. When you create notification templates for Incidents, you can view alerts in the incident table, and for Security Incidents you can view the corresponding alerts in the sn_si_incident table.
  1. Log in to Prisma Cloud and select Alerts > Notification Templates.
  2. Enter a Template Name and select your Integration.
  3. Choose the Incident Type as Security or Incident.
    To create Security incidents, you should have selected Enable Security Incidents while creating this integration.
  4. Click Next and select the Configurable Fields to include in the alert.
    The fields that are defined as mandatory in ServiceNow are already selected and included in this template.
  5. From Description, select and include the fields in Alert Payload that you want to see in your ServiceNow Alerts.
    You must include a value for each field you select to make sure that it is included in the alert notification. See Alert Payload for details on the context you can include in alerts.
    For Number, select AlertID only for ease of scanning and readability.
  6. Click Next to go to the review pane and review your selection.
  7. Save your changes.

View Alerts

Verify that the integration is working as expected. On the incidents view in ServiceNow, add the created timestamp in addition to the same columns you enabled in the Prisma Cloud notification template to easily correlate alerts across both admin consoles.
  1. Modify an existing Alert rule, or create a new Alert Rule to send Alert notifications to ServiceNow. See Send Prisma Cloud Alert Notifications to Third-Party Tools.
  2. Log in to ServiceNow to view Prisma Cloud alerts.
    As and when the alert states are updated in Prisma Cloud, they are automatically updated in the corresponding ServiceNow tickets.
    1. To view incidents (incident table), select Incidents.
      In ServiceNow, all the Prisma Cloud Open alerts have the incident state as New and all the Resolved or Dismissed alerts have the incident state as Resolved.
    2. To view security incidents (sn_si_incident table), select Security Incidents.
      In ServiceNow, all the Prisma Cloud Open alerts have the state as Draft and all the Resolved or Dismissed alerts have the state as Review.
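
One way to check the state mapping described above, as an added example that is not part of Prisma Cloud or ServiceNow. It assumes you have exported alerts and tickets into plain records; the field names id, status, number and state are hypothetical, the sample records are constructed, and the ticket Number is assumed to hold the AlertID as the notification template step recommends.

```python
# Ticket state each Prisma Cloud alert status maps to, per ServiceNow table (from this page).
EXPECTED_STATE = {
    "incident": {"open": "New", "resolved": "Resolved", "dismissed": "Resolved"},
    "sn_si_incident": {"open": "Draft", "resolved": "Review", "dismissed": "Review"},
}

# Constructed sample exports; the field names are assumptions, not a product schema.
SAMPLE_ALERTS = [
    {"id": "P-101", "status": "open"},
    {"id": "P-102", "status": "resolved"},
    {"id": "P-103", "status": "dismissed"},
    {"id": "P-104", "status": "open"},
]
SAMPLE_TICKETS = [
    {"number": "P-101", "state": "New"},
    {"number": "P-102", "state": "New"},       # stale: the alert is already resolved
    {"number": "P-103", "state": "Resolved"},
]                                              # P-104 has no ticket at all


def reconcile(alerts, tickets, table):
    """Return (alert_id, problem) pairs for alerts whose ticket is missing or stale."""
    expected = EXPECTED_STATE[table]
    by_number = {t["number"]: t for t in tickets}   # Number carries the AlertID
    findings = []
    for alert in alerts:
        want = expected.get(alert["status"].lower())
        ticket = by_number.get(alert["id"])
        if want is None:
            findings.append((alert["id"], f"unmapped alert status {alert['status']}"))
        elif ticket is None:
            findings.append((alert["id"], "no ticket"))
        elif ticket["state"] != want:
            findings.append((alert["id"], f"ticket state {ticket['state']}, expected {want}"))
    return findings


if __name__ == "__main__":
    for alert_id, problem in reconcile(SAMPLE_ALERTS, SAMPLE_TICKETS, "incident"):
        print(alert_id, problem)
```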
