Integrate Prisma Cloud with ServiceNow

Learn how to integrate Prisma™ Cloud with ServiceNow to help you prioritize and respond to security incidents on ServiceNow.
Integrate Prisma™ Cloud with ServiceNow and get automatically notified about Prisma Cloud alerts through ServiceNow tickets, so that you can prioritize the incidents and vulnerabilities that impact your business. Prisma Cloud integrates with the ITSM module (incident table), the Security Incident Response module (sn_si_incident table), and the Event Management module (em_event table) on ServiceNow to generate alerts in the form of ITSM Incident, Security Incident, and Event tickets.
After you enable the integration, when Prisma Cloud scans your cloud resources and detects a policy violation, it generates an alert and pushes it to ServiceNow as a ticket. When you dismiss an alert on Prisma Cloud, Prisma Cloud sends a state change notification to update the ticket status on ServiceNow. This integration fits into your organization's existing workflows for incident management (ITSM), security operations management (Security Incident Response), or event management.
The Prisma Cloud integration with ServiceNow is qualified with ServiceNow for London, Madrid, New York, and Orlando.
If you are using a ServiceNow developer instance, make sure that it is not hibernating.
If you see errors, review how to Interpret Error Messages.

Set Up Permissions on ServiceNow

To integrate Prisma Cloud and ServiceNow, you must have the privileges on ServiceNow to configure users, roles, and fields. Those objects in turn allow you to set up the data mapping for the Notification Templates on Prisma Cloud.
If you do not have the privileges listed below, work with your ServiceNow administrator.
  • Prerequisites for the Prisma Cloud and ServiceNow Integration
    1. You must have permissions to create a local user account on ServiceNow.
      Create a username and password that are local to the instance itself. A local user account is required because the ServiceNow web services cannot authenticate against an LDAP or SSO identity provider; this differs from the authentication flow that ServiceNow supports for typical administrative users who access the service through a web browser. Refer to the ServiceNow documentation for more information.
    2. Review the ServiceNow roles required.
      Prisma Cloud has verified that the following roles provide the required permissions. If your implementation has different roles and RBAC mechanisms, work with your ServiceNow administrator.
      • London
        1. usage_admin, for checking the v_plugin table to determine whether Security Incident Response is enabled.
        2. (Optional) personalize, for accessing tables.
          The personalize role is recommended to support type-ahead fields in the ServiceNow notification templates on Prisma Cloud. With this permission, entering a minimum of three characters in a type-ahead field shows the list of available options. If you do not grant the personalize role, you must grant table-specific read access for type-ahead inputs.
        3. sn_si.basic, for all operations related to Security Incident Response.
        4. evt_mgmt_integration, a basic role with create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables, for integrating with external event sources.
      • Madrid, New York, and Orlando
        1. (Optional) personalize, for accessing tables.
          The personalize role is recommended to support type-ahead fields in the ServiceNow notification templates on Prisma Cloud. With this permission, entering a minimum of three characters in a type-ahead field shows the list of available options. If you do not grant the personalize role, you must grant table-specific read access for type-ahead inputs.
        2. evt_mgmt_integration, a basic role with create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables, for integrating with external event sources.
    3. For the user you added earlier, create a custom role with the permissions listed above.
      These permissions are required to create tickets and to access the data in the respective ITSM, Events, and Security Incident Response tables and fields on ServiceNow. Prisma Cloud needs read access to the Plugins (v_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices) tables to fetch data from the ServiceNow fields; this is the information shown in the ServiceNow notification templates that let you customize Prisma Cloud alerts in ServiceNow.
      1. Select User Administration > Roles to create a new role and assign it to the local administrative user you created earlier.
      2. Pick a table, such as the Plugins table, select the menu (hamburger) icon next to a table column header, and then select Configure > Table.
      3. Elevate the role to security_admin to enable modification of the access control list (ACL).
      4. Select Access Controls > New.
      5. Set Operation to Read and assign this permission to the role.
      6. Enable permissions for the remaining tables and assign them to the same role.
        Verify that all three tables, Plugins (v_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices), have the role and the required permission, especially if you have defined field-level ACL rules to restrict access to objects in your ServiceNow implementation.
    4. You must be familiar with the fields and field-types in your ServiceNow implementation to set up the Notification templates on Prisma Cloud. Because this knowledge is essential for setting up the mapping of the Prisma Cloud alert payload to the corresponding fields on ServiceNow, you must work with your ServiceNow administrator to successfully enable this integration.
  • Prerequisites for the Security Incident Module
    The Security Incident Response plugin is optional, but it is required if you want to generate Security Incident tickets: the plugin must be installed on your ServiceNow instance before such tickets can be created.
    Verify that the Security Incident Response plugin is activated. To activate a plugin you must be a ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.
  • Prerequisites for the Event Management Module
    The Event Management plugin is optional, but it is required if you want to generate Event tickets on ServiceNow. To create Event tickets, you must have the Event Management subscription and the plugin installed on your ServiceNow instance.
    Verify that the Event Management plugin is activated. To activate a plugin you must be a ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.

Enable the ServiceNow Integration on Prisma Cloud

Set up ServiceNow as an external integration on Prisma Cloud.
  1. Log in to Prisma Cloud and select Settings > Integrations > +Add New.
  2. Set the Integration Type to ServiceNow.
  3. Enter a meaningful Integration Name and a Description.
  4. Enter your FQDN for accessing ServiceNow.
    Make sure to provide the FQDN for ServiceNow, not the SSO redirect URL or a URL that bypasses the SSO provider (such as sidedoor.do or login.do) for local authentication on ServiceNow. For example, enter
    <yourservicenowinstance>.com
    and not any of the following:
    https://www.<yourservicenowinstance>.com
    <yourservicenowinstance>.com/
    <yourservicenowinstance>.com/sidedoor.do
    <yourservicenowinstance>.com/login.do
    If you switch the FQDN from one ServiceNow instance to another, state change notifications for existing alerts will fail.
  5. Enter the Username and Password for the ServiceNow administrative user account.
    The ServiceNow web services use the SOAP API, which supports basic authentication: the administrative credentials are checked against the instance itself and not against any LDAP or SSO identity provider. Therefore, you must create a local administrative user account and enter the credentials for that local account here instead of the administrator's SSO credentials. This method is standard for SOAP APIs that pass a basic authentication header with the SOAP request.
  6. Select the Service Type for which you want to generate tickets: Security, Incidents, and/or Event.
    You must have the corresponding plugin installed to create Security incident tickets or Event tickets; work with your ServiceNow administrator to install and configure the Security Incident Response module or Event Management module. If you select Security only, Prisma Cloud generates all tickets as Security Incident Response (SIR) tickets on ServiceNow.
  7. Click Next and then Test.
    If you have omitted any of the permissions listed in Set Up Permissions on ServiceNow, an HTTP 403 error displays.
  8. Test and Save the integration.
    Continue with setting up the notification template, and then verify the status of the integration on Settings > Integrations.
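The FQDN rules in step 4 are easy to get wrong when the value is copied from a browser address bar. The following check, added here as an example (not Prisma Cloud's own validation code), rejects the forms the page warns against: a scheme prefix, a trailing slash or any path, and the sidedoor.do/login.do bypass pages. The reasons invalid_snow_base_url and invalid_snow_fqdn are the codes listed under Interpret Error Messages; the other reason labels are constructed for this example.

```python
import ipaddress
import re

# A hostname label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Login-bypass pages that must never be part of the FQDN value.
_BYPASS_PATHS = ("/sidedoor.do", "/login.do")


def check_servicenow_fqdn(value: str):
    """Return (ok, reason) for a value typed into the FQDN field.

    invalid_snow_base_url and invalid_snow_fqdn mirror the page's error codes;
    sso_bypass_path, path_not_allowed and missing_required_param are
    constructed labels for this example.
    """
    value = value.strip()
    if not value:
        return False, "missing_required_param"
    # A scheme prefix such as https:// is rejected outright.
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", value):
        return False, "invalid_snow_base_url"
    host, slash, rest = value.partition("/")
    if slash:
        # Trailing slash, login.do, sidedoor.do or any other path.
        path = "/" + rest
        if path.lower() in _BYPASS_PATHS:
            return False, "sso_bypass_path"
        return False, "path_not_allowed"
    if any(ch in host for ch in "@?#"):
        return False, "invalid_snow_fqdn"
    # A bare IP address is accepted as-is.
    try:
        ipaddress.ip_address(host)
        return True, "ok"
    except ValueError:
        pass
    # Otherwise every dot-separated label must be a valid hostname label.
    labels = host.split(".")
    if len(host) > 253 or not all(_LABEL.match(label) for label in labels):
        return False, "invalid_snow_fqdn"
    return True, "ok"
```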

Set up Notification Templates

Notification templates allow you to map the Prisma Cloud alert payload to the incident fields (referred to as ServiceNow fields on the Prisma Cloud interface in the screenshot) on your ServiceNow instance. Because the incident, security, and event tables are independent on ServiceNow, to view alerts in the corresponding table you must set up a notification template for each service type (Incidents, Events, or Security Incidents) on Prisma Cloud.
  1. Log in to Prisma Cloud and select Alerts > Notification Templates.
  2. Add New notification template, and choose the template for ServiceNow.
  3. Enter a Template Name and select your Integration.
    Use descriptive names to easily identify the notification templates.
  4. Set the Service Type to Security, Incident, or Event.
    The options in this drop-down match what you selected when you enabled the ServiceNow integration on Prisma Cloud.
  5. Click Next and select the alert status for which you want to set up the ServiceNow fields.
    You can choose different fields for the Open, Dismissed, or Resolved states. The fields for the Snoozed state are the same as those for the Dismissed state.
  6. Select the ServiceNow Fields that you want to include in the alert.
    Prisma Cloud retrieves the list of fields from your ServiceNow instance dynamically, and it does not store any data. Depending on how your IT administrator has set up your ServiceNow instance, the configurable fields may support a drop-down list, a long-text field, or type-ahead. For a type-ahead field, you must enter a minimum of three characters to view a list of available options. When selecting the configurable fields in the notification template, at a minimum you must include the fields that are defined as mandatory in your ServiceNow implementation.
    In this example, Description is a long-text field, so you can select and include the Prisma Cloud Alert Payload fields that you want in your ServiceNow alerts. You must include a value for each field you select to make sure that it is included in the alert notification. See Alert Payload for details on the context you can include in alerts.
    To generate a ServiceNow Event, Message Key and Severity are required. The Message Key determines whether to create a new alert or update an existing one; map it to Account Name to log Prisma Cloud alerts as a single alert per account on ServiceNow, or to Alert ID to log each Prisma Cloud alert as its own alert. Severity is required to ensure that the event is created on ServiceNow and can be processed without error; without Severity, the event is in an Error state on ServiceNow.
    For Number, use AlertID from the Prisma Cloud alert payload for ease of scanning and readability of incidents on ServiceNow.
  7. Click Next to go to the review pane and review your selection.
  8. Test and Save your changes.
    After you set up the integration and configure the notification template, Prisma Cloud uses this template to send alerts to your ServiceNow instance. When the communication is successful, the status of the integration is green on Settings > Integrations. If the ServiceNow instance URL is unreachable or if your credentials are invalid, the status turns red. When a failure occurs, Prisma Cloud performs periodic checks to verify the connection status.
    The status, however, does not transition to red if:
    • Prisma Cloud cannot resolve the alert or update an existing alert field for a deleted or missing record on your ServiceNow instance.
    • Prisma Cloud is unable to send a test message to ServiceNow because of an HTTP 404 error.
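The Message Key and Severity requirements for Event tickets in step 6 are worth seeing on data. The following example is added here and is not Prisma Cloud or ServiceNow code; it builds em_event-style records from constructed sample alerts and shows how the Message Key choice (Account Name versus Alert ID) changes how many ServiceNow events result, and which records would fail the required-field check. The field names of the sample alerts and the severity translation are assumptions.

```python
from collections import OrderedDict

# Constructed sample alerts, shaped like the fields a notification template
# can pick from the Prisma Cloud alert payload (not real alert data).
SAMPLE_ALERTS = [
    {"alertId": "P-1001", "accountName": "prod-aws", "policyName": "S3 bucket is public", "severity": "high"},
    {"alertId": "P-1002", "accountName": "prod-aws", "policyName": "Security group open to 0.0.0.0/0", "severity": "medium"},
    {"alertId": "P-1003", "accountName": "dev-gcp", "policyName": "S3 bucket is public", "severity": "high"},
    {"alertId": "P-1004", "accountName": "dev-gcp", "policyName": "Unused access key", "severity": None},
]

# Assumed translation of Prisma Cloud severities to em_event severity values
# (ServiceNow Event Management uses 1=critical .. 5=info); adjust to taste.
SEVERITY_MAP = {"critical": "1", "high": "2", "medium": "3", "low": "4"}

# Fields the page says every Event needs to be processed without error.
REQUIRED_EVENT_FIELDS = ("message_key", "severity")


def build_em_events(alerts, message_key_field):
    """Turn alerts into em_event-style records keyed by message_key.

    message_key_field="accountName" yields one ServiceNow event per cloud
    account (later alerts update the same event); "alertId" yields one event
    per Prisma Cloud alert.
    """
    events = OrderedDict()
    for alert in alerts:
        key = alert[message_key_field]
        events[key] = {
            "source": "Prisma Cloud",
            "message_key": key,
            "severity": SEVERITY_MAP.get(alert.get("severity"), ""),
            "description": f"{alert['policyName']} ({alert['alertId']})",
        }
    return events


def missing_event_fields(event):
    """Required fields that are empty; a non-empty list means the event would
    land in an Error state on ServiceNow instead of creating an alert."""
    return [f for f in REQUIRED_EVENT_FIELDS if not event.get(f)]


def missing_mandatory_fields(selected_fields, mandatory_fields):
    """Template fields that ServiceNow marks mandatory but were not selected."""
    return sorted(set(mandatory_fields) - set(selected_fields))
```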

Interpret Error Messages

The following table lists the most common errors when you enable the ServiceNow integration on Prisma Cloud. For each condition, the error message that displays is given together with its error code.
  • What is wrong: The ServiceNow URL you entered is incorrect.
    Error message: You must provide an IP address or an FQDN without the protocol http or https
    Error code: invalid_snow_base_url
  • What is wrong: The ServiceNow URL you entered is invalid.
    Error message: The FQDN is invalid it should be a valid host name or IP address.
    Error code: invalid_snow_fqdn
  • What is wrong: The ServiceNow URL you entered is not reachable.
    Error message: The FQDN provided is either not reachable or is an invalid ServiceNow instance.
    Error code: snow_network_error
  • What is wrong: A required field is missing in the ServiceNow configuration.
    Error message: Missing Required Field - {{param}}
    Error code: missing_required_param, subject - {{param}}
  • What is wrong: Your ServiceNow username or password is not valid or is inaccurate.
    Error message: Invalid Credentials
    Error code: invalid_credentials
  • What is wrong: The ServiceNow permissions you have enabled are not adequate.
    Error message: Required roles or Plugins is/are missing for {{table}}
    Error code: missing_role_or_plugin, subject - {{table}}
  • What is wrong: The Notification template for this integration does not have adequate permissions.
    Error message: Insufficient permission to read the field from {{table}} table
    Error code: insufficient_permission_to_read, subject - {{table}}
    Error message: Error Fetching Suggestions For {{table}}
    Error code: error_fetching_fields_for, subject - {{table}}
  • What is wrong: The ServiceNow integration is not successfully configured.
    Error message: Failed Service Now Test - {{reason}}
    Error code: failed_service_now_test, subject - {{reason}}

View Alerts

Verify that the integration is working as expected. On the incidents view in ServiceNow, add the Created timestamp in addition to the same columns you enabled in the Prisma Cloud notification template to easily correlate alerts across both administrative consoles.
  1. Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to ServiceNow. (See Send Prisma Cloud Alert Notifications to Third-Party Tools.)
  2. Log in to ServiceNow to view Prisma Cloud alerts.
    When alert states are updated in Prisma Cloud, they are automatically updated in the corresponding ServiceNow tickets.
    1. To view incidents (incident table), select Incidents.
      In ServiceNow, all the Open Prisma Cloud alerts have an incident state of New, and all the Resolved or Dismissed alerts have an incident state of Resolved.
    2. To view security incidents (sn_si_incident table), select Security Incidents.
      In ServiceNow, all the Open Prisma Cloud alerts have a state of Draft, and all the Resolved or Dismissed alerts have a state of Review.
    3. To view event incidents (em_event table), select Event Management > All Events.
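The state mappings above (incident: New/Resolved; sn_si_incident: Draft/Review) give a concrete consistency check for the verification this section describes. The following reconciliation is an added example, not Prisma Cloud or ServiceNow code: it takes alert statuses from Prisma Cloud and rows exported from the ServiceNow list view (with Number mapped to the Alert ID, as recommended in the notification template section) and reports tickets that are missing or whose state does not match. All sample data is constructed.

```python
# Ticket state each Prisma Cloud alert status should show, per ServiceNow
# table, as stated in View Alerts (incident: New/Resolved;
# sn_si_incident: Draft/Review).
EXPECTED_STATE = {
    "incident": {"open": "New", "resolved": "Resolved", "dismissed": "Resolved"},
    "sn_si_incident": {"open": "Draft", "resolved": "Review", "dismissed": "Review"},
}

# Constructed sample data: alert statuses from Prisma Cloud and rows exported
# from the ServiceNow incident list, with Number mapped to the Alert ID and
# the Created column added as the page recommends.
PRISMA_ALERTS = {"P-1001": "open", "P-1002": "resolved", "P-1003": "dismissed", "P-1004": "open"}
SNOW_INCIDENTS = [
    {"number": "P-1001", "state": "New", "created": "2024-05-01 10:00:00"},
    {"number": "P-1002", "state": "New", "created": "2024-05-01 10:05:00"},
    {"number": "P-1003", "state": "Resolved", "created": "2024-05-01 10:07:00"},
]


def reconcile(prisma_alerts, snow_rows, table="incident"):
    """Return (id, problem) pairs for alerts with no ticket, tickets whose
    state does not match the alert status, and tickets with no matching
    alert; an empty list means both consoles agree."""
    expected = EXPECTED_STATE[table]
    by_number = {row["number"]: row for row in snow_rows}
    problems = []
    for alert_id, status in prisma_alerts.items():
        row = by_number.get(alert_id)
        if row is None:
            problems.append((alert_id, "no ticket in ServiceNow"))
        elif row["state"] != expected[status]:
            # State change notification was lost or not yet applied.
            problems.append((alert_id, f"state is {row['state']}, expected {expected[status]}"))
    for number in by_number:
        if number not in prisma_alerts:
            problems.append((number, "ticket has no matching Prisma Cloud alert"))
    return problems
```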
