Eyeglass Solutions Publication

ServiceNow Incident Management Integration with Zero Trust Alerts

Ransomware Defender & Easy Auditor ServiceNow Webhook alarm to Incident Integration

 Support Statement

  1. NOTE: This documentation is provided "as is" without support for 3rd party software. Support for this integration guide is best effort with no SLA on response time. Superna cannot provide support for 3rd party products directly; 3rd party components require their own support contracts.


How to Configure


  1. This integration example shows how to configure Ransomware Defender Webhook alarms to create an incident in ServiceNow and include the details of the alert in the description. NOTE: This is a basic example only and would need to be customized further to map fields in the webhook payload to specific ServiceNow fields.
  2. Using this guide (How to Integrate Webhooks Into ServiceNow), create a ServiceNow Scripted REST Resource to receive the webhook.
    1. Example Scripted REST resource: the script is pasted into the script section of the resource (see the sample below).


Sample Scripted REST API Webhook

Features

  1. Creates new incidents.
  2. Updates incidents when the event ID matches an existing incident. Each status update for an event in Security Edition then updates the work notes in ServiceNow, so the incident shows the history and state changes of the event.
  3. If monitor mode is enabled, the incident is created but immediately closed, with the history recorded in the work notes. This lets monitor mode customers test the integration without leaving open incidents in ServiceNow.
  4. Download the code here.
  5. Open the file and copy and paste the script text into the endpoint script editor.


Steps to use the endpoint with Defender Webhooks

  1. Save the Resource script after you paste it.
  2. For initial testing only, clear the Requires authentication setting on the Scripted REST resource. Re-enable it before production use: an unauthenticated endpoint lets anyone who can reach the instance create, update or close incidents.
  3. Get the endpoint URL for the webhook in Defender.
    1. The resource URL is https://yourInstance.service-now.com/<resource_Path>
    2. In this example the resource path is displayed in the editor.
  4. Configure the Webhook in the Ransomware Defender Zero Trust UI.
    1. See the guide above for more details.
    2. Non-authenticated: add a header with key Content-Type and value application/json.
    3. If using an authenticated endpoint, add an additional HTTP header with key Authorization and value Basic xxxxxx, where xxxxxx is the base64 encoding of username:password for the ServiceNow user permitted to call the resource (HTTP Basic authentication). Use a dedicated integration user that holds only the roles the resource requires, not an administrator account.
  5. Save and click the test button.
  6. If successfully configured, the test returns an incident number.
  7. Done.


Production Integration Steps

In this example the variables are filled with sample values, but in production they would be extracted from the alarm payload sent by Ransomware Defender and mapped to the ServiceNow fields.

  1. The code sample above includes logic to extract variables from the Zero Trust Ransomware Defender payload and maps the Severity field of the Superna alarm to the ServiceNow Impact and Urgency incident fields. This code can be modified to change the mapping as required.
  2. The short description is used to summarize the key data in the security event. This can also be customized further.
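The create, update and monitor-mode behaviour listed under Features, together with the severity mapping and short description described in the two steps above, as an added example written for this page; it is not Superna's downloadable script. It is plain Node.js so it can be run offline: the IncidentTable class stands in for GlideRecord on the incident table, the alarm field names (eventId, severity, state, user, share, monitorMode) and the severity vocabulary are assumptions about the Ransomware Defender payload that must be checked against a real alarm before use, and the sample alarms are constructed, not captured.

```javascript
// Added example, not the Superna script the page links. Plain Node.js version of the
// create / update / monitor-mode logic of a webhook-to-incident handler. In a ServiceNow
// Scripted REST resource the IncidentTable below is replaced by GlideRecord('incident').
// ASSUMED payload field names: eventId, severity, state, user, share, monitorMode.

// Superna alarm severity -> ServiceNow Impact/Urgency (1 = High, 2 = Medium, 3 = Low).
// The severity vocabulary is assumed; anything unrecognised falls back to Medium/Medium.
const SEVERITY_MAP = {
  critical: { impact: 1, urgency: 1 },
  major: { impact: 1, urgency: 2 },
  warning: { impact: 2, urgency: 2 },
  minor: { impact: 3, urgency: 3 },
};
const STATE_NEW = 1; // default ServiceNow incident.state values
const STATE_CLOSED = 7;

function mapSeverity(severity) {
  return SEVERITY_MAP[String(severity || "").toLowerCase()] || { impact: 2, urgency: 2 };
}

// Minimal stand-in for GlideRecord on the incident table, matched on correlation_id.
class IncidentTable {
  constructor() { this.records = []; this.nextId = 10001; }
  findByCorrelationId(id) { return this.records.find((r) => r.correlation_id === id); }
  insert(fields) {
    const rec = { number: "INC" + String(this.nextId++).padStart(7, "0"), work_notes: [], ...fields };
    this.records.push(rec);
    return rec;
  }
}

// Short description summarises the key data; impact/urgency come from the severity map.
function buildIncidentFields(alarm) {
  const { impact, urgency } = mapSeverity(alarm.severity);
  return {
    correlation_id: String(alarm.eventId),
    short_description: `Ransomware Defender ${alarm.state}: user ${alarm.user} on share ${alarm.share}`,
    description: JSON.stringify(alarm, null, 2), // full payload kept for the analyst
    impact,
    urgency,
  };
}

// Handler body: validate, then create, update, or create-and-close (monitor mode).
// Returns the shape a Scripted REST response body would carry.
function processAlarm(alarm, table) {
  if (!alarm || alarm.eventId === undefined || alarm.eventId === null) {
    return { status: 400, error: "eventId missing from webhook payload" };
  }
  const fields = buildIncidentFields(alarm);
  const existing = table.findByCorrelationId(fields.correlation_id);
  if (existing) {
    // Same event ID: keep one incident and record the state change in the work notes.
    existing.work_notes.push(`State changed to ${alarm.state} (severity ${alarm.severity})`);
    existing.impact = fields.impact;
    existing.urgency = fields.urgency;
    return { status: 200, action: "updated", number: existing.number };
  }
  const rec = table.insert({ ...fields, state: STATE_NEW });
  rec.work_notes.push(`Created from event ${fields.correlation_id} in state ${alarm.state}`);
  if (alarm.monitorMode === true) {
    // Monitor mode: keep the history but do not leave an open incident behind.
    rec.state = STATE_CLOSED;
    rec.close_notes = "Closed automatically: Ransomware Defender is in monitor mode";
  }
  return { status: 201, action: "created", number: rec.number };
}

// Constructed sample alarms (not captured from a real system) exercising the three paths:
// create, update of the same event ID, and create-and-close under monitor mode.
const SAMPLE_ALARMS = [
  { eventId: 42, severity: "critical", state: "WARNING", user: "CORP\\jdoe", share: "finance" },
  { eventId: 42, severity: "critical", state: "LOCKOUT", user: "CORP\\jdoe", share: "finance" },
  { eventId: 43, severity: "minor", state: "WARNING", user: "CORP\\asmith", share: "hr", monitorMode: true },
];

function runSamples() {
  const table = new IncidentTable();
  return SAMPLE_ALARMS.map((alarm) => processAlarm(alarm, table));
}

console.log(runSamples());
```

In the real resource the alarm comes from request.body.data and the lookup is a GlideRecord query on the correlation_id field, which is the standard incident field for holding an external event ID so that later status updates land on the same record. The eventId check matters even when the endpoint is authenticated: a payload without it would otherwise create a fresh incident on every update.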



Example Incident Created with Zero Trust Webhook and ServiceNow Scripted REST API Capability

  1. Incident details



How to Convert an Incident to a Security Incident and Update the list of Affected Share CI's from ServiceNow's CMDB


Overview

Customers that have invested in the Security Incident Response module in their ServiceNow instance can convert Zero Trust incidents into security incidents and assign CIs for the affected SMB shares or NFS exports on the PowerScale or other storage cluster. This allows customers to fully leverage the Superna Zero Trust incident integration and the ServiceNow CMDB integration for a complete service-to-security workflow.

Requirements

  1. Configured Zero Trust webhook integration
  2. Installed ServiceNow Security Incident Response (SIR) module

How to Convert an Incident to a Security Incident

  1. View the incident created by the Zero Trust webhook script integration.
  2. The button on the right converts the incident to a security incident. Notice the business rules that executed and the new SIR ID assigned to Jay Wang, Security Analyst.
  3. Click the SIR xxx number to view the new Security Incident.


How to Update Affected CIs to indicate the scope of the Security Incident


  1. Open the Security Incident dashboard or the SIR itself.
  2. Security Incident fields can be filled in from the description information.
    1. Copy the affected user field to the Affected User SIR field; if your Active Directory users are synced to ServiceNow you can search for the user and select from the list.
    2. Copy the affected SMB share name from the short description to look up the affected SMB share CI in the CMDB (the CMDB integration must be completed).
      1. Click Add.
      2. Search for the SMB share name listed in the short description of the Security Incident.

© Superna Inc