Begin Scanning a ServiceNow App

Learn how to add a ServiceNow app so that SaaS Security API can protect your assets against data exfiltration and malware propagation.
To connect ServiceNow to SaaS Security API and begin scanning files and folders, you need to:
  • Ensure that you have an ServiceNow account with has sufficient privileges.
  • Grant SaaS Security API access to ServiceNow.
  • Add the ServiceNow app to SaaS Security API, providing SaaS Security API information about your ServiceNow.
For information on which automated remediation capabilities SaaS Security API supports with ServiceNow, refer to Supported Content, Remediation and Monitoring.

Add ServiceNow App

In order for SaaS Security API to scan assets, you must consent to specific permissions during the course of adding the ServiceNow app. Without the requested permissions, SaaS Security API cannot authenticate with ServiceNow and cannot scan assets, even after you successfully install the ServiceNow app.
  1. (
    Recommended
    ) Add your ServiceNow app domain as an internal domain.
  2. Register SaaS Security API in the ServiceNow management console.
    1. Log in to the ServiceNow management console as admin.
    2. Select
      System OAuth
      Application Registry
      .
    3. Select
      New
      Create an OAuth API endpoint for external clients
      .
    4. Enter a unique
      Name
      for SaaS Security API.
    5. If you are using the Istanbul (or higher) release, enter a
      Redirect URI/URL
      . The redirect you enter depends on the SaaS Security API location:
      For North America, use:
      https://app.aperture.paloaltonetworks.com/auth/servicenow/callback
      For Europe, use:
      https://app.aperture-eu.paloaltonetworks.com/auth/servicenow/callback
      For Asia-Pacific, use:
      https://app.aperture-apac.paloaltonetworks.com/auth/servicenow/callback
    6. Submit
      your changes.
  3. Add the ServiceNow app on SaaS Security API.
    1. From the
      Dashboard
      , click
      Add a Cloud App
      , and select
      ServiceNow
      .
    2. Select one of the following:
      • Connect to ServiceNow Account
        —Select this option if you’re using an earlier release of ServiceNow (Fuji, Geneva, or Helsinki).
      • Istanbul or higher
        —Select this option is you are using the ServiceNow Istanbul (or higher) release.
    3. Log in to the ServiceNow app.
      • For Istanbul or higher, enter the
        ServiceNow URL
        (for example,
        https://acmecorp.service-now.com/
        ),
        Client ID
        , and
        Client Secret
        .
      • For earlier releases (Fuji, Geneva, or Helsinki) enter the
        ServiceNow URL
        (for example,
        https://acmecorp.service-now.com/
        ),
        Client ID
        , and
        Client Secret
        . Also, enter the
        Username
        and
        Password
        for your ServiceNow account.
      You can copy the client ID and client secret from the
      System OAuth
      Application Registry
      page in the ServiceNow management console.
    4. Click
      OK
      .
    5. Allow
      SaaS Security API access to the ServiceNow account.
      After authentication, the new ServiceNow app is added to the list of Cloud Apps as ServiceNow n, where n represents the number of ServiceNow app instances you have connected to SaaS Security API. The instance displays a list of available tables.
  4. Next Step
    : Proceed to Customize ServiceNow App.

Customize ServiceNow App

Customizations include modifying ServiceNow app name.
  1. (
    Optional
    ) Give a descriptive name to this app instance.
    1. Go to
      Settings
      and select the ServiceNow n instance listed.
    2. Enter a descriptive
      Name
      to differentiate this instance of ServiceNow from other instances.
  2. (
    Recommended
    ) Enter an
    Admin UserName
    (for example,
    admin@servicenow.com
    ).
    As a best practice, create a separate administrator account and use that email address for SaaS Security API. If you opt to use an existing admin account instead of a new account, the administrator activities are not tracked on SaaS Security API. Creating a separate account enables you to monitor events generated by ServiceNow administrators on
    Explore
    Activities
    .
  3. Click
    Done
    to save your changes.
  4. Next Step
    : Proceed to Identify Risks.

Identify Risks

When you add a new cloud app, then enable scanning, SaaS Security API automatically scans the cloud app against the default data patterns and displays the match occurrences. You can take action now to improve your scan results and identify risks.
  1. Start scanning the new ServiceNow app for risks.
  2. During the discovery phase, as SaaS Security API scans files and matches them against enabled policy rules, verify that your default policy rules are effective. If the results don’t capture all risks or you see false positives, proceed to next step to improve your results.
  3. (
    Optional
    ) Modify match criteria for existing policy rules.
  4. (
    Optional
    ) Add new policy rules.
    Consider the business use of your cloud app, then identify risks unique to your enterprise. As necessary, add new:
  5. (
    Optional
    ) Configure or edit a data pattern.
    You can Configure Data Patterns to identify specific strings of text, characters, words, or patterns to make it possible to find all instances of text that match a data pattern you specify.

Tables Scanned by DLP

The DLP service scans the following database tables on ServiceNow. To enforce best practice, the SaaS Security web interface does not allow you to add or remove database tables from scans: SaaS administrators need to consult with the Database Administrator prior to adding or removing tables from scans. After consulting with your Database Administrator, contact Palo Alto Networks Customer Support to manually add or remove a table.
If ServiceNow does not expose a given database table, the DLP service cannot scan it.
change_phase
change_request
change_request_imac
change_task
cmdb
incident
incident_task
kb_knowledge
kb_submission
problem
problem_task
release_phase
release_task
task
ticket
sc_req_item
sc_request
sc_task
sn_hr_core_beneficiary
sn_hr_core_benefit
sn_hr_core_benefit_provider
sn_hr_core_benefit_type
sn_hr_core_bonus
sn_hr_core_case
sn_hr_core_case_operations
sn_hr_core_case_payroll
sn_hr_core_case_relations
sn_hr_core_case_talent_management
sn_hr_core_case_total_rewards
sn_hr_core_case_workforce_admin
sn_hr_core_direct_deposit
sn_hr_core_op_report
sn_hr_core_op_report_frequency
sn_hr_core_op_report_type
sn_hr_core_op_system
sn_hr_core_op_system_to_report_type
sn_hr_core_profile_bank_account
sn_hr_core_retirement_benefit
sn_hr_core_task
sn_hr_core_tuition_reimbursement
sn_si_incident
sn_si_request
sn_si_task
sysapproval_group

Recommended For You