Eyeglass Solutions Publication

ServiceNow Security Operations Incident Integration with Zero Trust Alerts and Airgap support

Security Edition ServiceNow Security Operations Zero Trust Security Incident Integration

 Support Statement

  1. NOTE: This documentation is provided "as is" without support for 3rd party software. Support for this integration guide is best effort, with no SLA on response time. Superna cannot provide support for 3rd party products directly; 3rd party components require their own vendor support contracts.

Overview

This solution creates a security incident in the Security Operations module of ServiceNow for customers that have this module installed, so that security operations teams can perform incident response on Security Edition events from that module.

Supported Products

  1. Data Security Edition
  2. Data Security Edition Essentials

Architecture Overview




How to Configure


  1. This integration example shows how to configure Security Edition webhook alarms to create an incident in ServiceNow and include the details of the alert in the description. NOTE: This is a basic example only and would need to be customized further to map fields in the webhook payload to specific ServiceNow fields.
  2. Using this guide (How to Integrate Webhooks Into ServiceNow), create a ServiceNow Scripted REST Resource that will act as the webhook receiver
    1. Example Scripted REST

      1. In the script section


Integration Script

Features

  1. Creates new security incidents in the Security Operations workspace
  2. Supports Airgap alarm webhook processing
  3. Updates an existing security incident when the event ID sent by Superna Security Edition matches one already recorded on an incident. Status changes for the same event in Security Edition are then appended to the work notes of that incident, so the Activity stream of the SIR shows the history and state changes of the event instead of a new incident being opened for each update.
  4. If monitor mode is enabled, the incident is created and immediately closed, with the history recorded in the work notes. This lets monitor-mode customers test the integration without leaving open incidents in ServiceNow.
  5. CMDB features:
    1. Creates a new user object if needed and sets the affected user property of the SIR to show the impacted user account.
    2. Creates a new computer CI with the IP address populated, a description indicating why the CI was created, and the name set to the NAS connected host.
    3. A CI is created only if a search for a CI with the affected client IP returns nothing, so repeated alerts from the same client do not create duplicate CIs.
    4. The user and host are associated with the security incident.
    5. This allows integration with other tools that use the client IP or user name fields for further automation.
  6. Download the code for the Security Operations integration here.
  7. Open the file and copy and paste the script text into the endpoint script editor.

See example below


Steps to integrate the endpoint with the Security Edition integration code

  1. Save the Resource script after you paste it
  2. Disable authentication on the resource for the initial test only (the "Requires authentication" setting of the scripted REST resource). Re-enable it before production use and add the Authorization header described in step 4 so that only your Security Edition appliance can create incidents.
  3. Get the endpoint url for the webhook in Security Edition
    1. The resource would be https://yourInstance.service-now.com/<resource_Path> 
    2. In this example the resource path is displayed in the editor
  4. Configure the Webhook in Security Edition Zero Trust UI 
    1. See guide above for more details,
    2. OPTIONAL: If enabling support for Airgap Cyber Vault webhook processing, open the Eyeglass main menu --> Notification center --> Webhooks and use the same endpoint URL and headers configured in this section.
    3. Non-authenticated endpoint: see below; add a Content-Type header with the value application/json.
    4. If the resource requires authentication, add a second HTTP header with the key Authorization and the value Basic xxxxxx, where xxxxxx is the Base64 encoding of username:password for the ServiceNow user that is allowed to call the resource (standard HTTP Basic authentication; it carries credentials, not a separate API key). Use a dedicated integration user with only the roles the scripted REST resource needs.
  5. Save and click the test button
  6. If successfully configured you will receive an Incident number back see below.
  7. Done


How to test the integrations ability to create security incidents

  1. Download this curl command and edit the URL to match your ServiceNow instance DNS name and the resource path configured on the scripted endpoint.
  2. Run the curl command to send a sample critical lockout webhook payload to the endpoint, then look in the Security Operations dashboard for a new security incident.
  3. Download the curl command sample here.
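The same test as the curl command above, written as an added Python example (this is not Superna's or ServiceNow's code and not the downloadable curl sample). It builds the Content-Type and optional Basic Authorization headers exactly as described in the configuration steps, posts one constructed lockout event, and reads the incident number back. The endpoint URL, the payload field names, and the response shape (JSON carrying the new SIR number) are assumptions to adjust for your instance; the `opener` argument lets the flow be dry-run offline.

```python
"""Added example: post a constructed lockout event to the scripted REST endpoint.
ASSUMPTIONS: endpoint URL, payload field names, response shape and SIR numbering."""
import base64
import json
import re
import urllib.request
from typing import Optional

# ASSUMPTION: replace with your instance DNS name and the resource path shown in the editor.
ENDPOINT = "https://yourInstance.service-now.com/<resource_Path>"


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic is Base64(username:password); that is the value the
    'Authorization: Basic xxxxxx' header on this page carries."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_headers(auth_header: Optional[str] = None) -> dict:
    """Content-Type is always required; Authorization only once the resource
    requires authentication again after testing."""
    headers = {"Content-Type": "application/json"}
    if auth_header:
        headers["Authorization"] = auth_header
    return headers


def lockout_event(event_id: str, user: str, client_ip: str) -> dict:
    """Constructed sample payload shaped like a critical lockout alert.
    The field names are assumptions; map them in the scripted REST script."""
    return {
        "eventID": event_id,
        "severity": "critical",
        "eventType": "lockout",
        "user": user,
        "clientIp": client_ip,
        "description": f"Lockout of {user} from {client_ip} (constructed test event)",
        "state": "new",
    }


# ASSUMPTION: default Security Incident numbering, e.g. SIR0010001.
_SIR_NUMBER = re.compile(r"\bSIR\d{7}\b")


def incident_number(body: bytes) -> Optional[str]:
    """Pull the SIR number out of the response: prefer a JSON 'number' key
    (possibly nested under 'result' or 'incident'), otherwise scan the raw body."""
    try:
        data = json.loads(body or b"{}")
    except json.JSONDecodeError:
        data = {}
    if isinstance(data, dict):
        for key in ("number", "incident", "result"):
            value = data.get(key)
            if isinstance(value, dict):
                value = value.get("number")
            if isinstance(value, str) and _SIR_NUMBER.search(value):
                return _SIR_NUMBER.search(value).group(0)
    match = _SIR_NUMBER.search(body.decode("utf-8", "replace"))
    return match.group(0) if match else None


def send_test_event(url: str, payload: dict, headers: dict, opener=urllib.request.urlopen):
    """POST the payload; returns (HTTP status, incident number or None)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"), method="POST")
    for name, value in headers.items():
        req.add_header(name, value)
    with opener(req, timeout=30) as resp:
        return resp.status, incident_number(resp.read())


class _OfflineResponse:
    """Stand-in for urllib's response object so the flow can be dry-run without network."""
    def __init__(self, status: int, body: bytes):
        self.status, self._body = status, body

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def offline_opener(req, timeout=None):
    """Echoes what a successful create is ASSUMED to look like (constructed response)."""
    return _OfflineResponse(201, b'{"result": {"number": "SIR0010001"}}')


if __name__ == "__main__":
    hdrs = build_headers()  # add basic_auth_header("svc_user", "secret") once auth is re-enabled
    print(send_test_event(ENDPOINT, lockout_event("evt-0001", "alice", "10.20.30.40"), hdrs))
```

Run it once with `offline_opener` to confirm the header and payload construction, then against the real endpoint; a successful call returns the SIR number, which is the same confirmation the curl test gives.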


Sample Security Incident Created with Zero Trust Webhook and ServiceNow Scripted REST API Integration

  1. Security Incident details
    1. Airgap Incident creation with alarm description within the body of the incident. 



How to Configure Data Security Essentials

Overview

Data Security Essentials writes alerts to a custom application log in the Windows Event Log. This integration extracts the log entries and the JSON payload contained within them, formats the result as webhook data, and sends it to the ServiceNow scripted endpoint.



Requirements

  1. Follow the ServiceNow integration steps above to configure the Scripted REST API endpoint
  2. Install python for Windows on the Data Security Essentials host and allow the installation to add python to the path variable. https://www.python.org/downloads/windows/
    1. NOTE: Install Python for all users (enable the "for all users" option during installation) so that the service account can run it.
  3. The integration code matches event log entries from custom trigger BOT policies and file management policies
    1. The event log source names are:
      1. Superna Data Security Essentials BOT Service
      2. Superna Data Security Policy Engine 

Features

  1. Logs for each execution are stored in the path below along with the python code. 
    1.  
  2. Each execution stores the event log record ID, the date and time, and the event number of the last processed event in a file called last_processed_record.txt. This file is read on each execution so that processing continues from the last record. The record number is not visible in Event Viewer; the date, time and event number can be used to see where in the log the last processing occurred.
  3. The scheduled sync runs every minute, processes only events newer than the last record, and logs all processing as well as matches to the log file.
  4. Only events of level Warning or higher are processed; Information events are ignored.
  5. The ServiceNow scripted endpoint code updates an existing SIR incident instead of creating a new one when the event ID generated by Data Security Essentials matches an incident already created.

Steps to Configure Event Sync to ServiceNow Security Incident Response module

  1. Download the integration code from here.
  2. Modify the Python file and update the ServiceNow endpoint URL at the bottom of the file.
    1. Locate this section: # Your ServiceNow webhook details
    2. Edit the URL to match your ServiceNow instance URL and the scripted webhook resource path created in the steps above.
  3. Copy the Python code into C:\Program Files\Superna\cgi-bin on the Data Security Essentials host and name the file dse-servicenow-sir-integration.py
  4. Install the Python dependencies
    1. MANDATORY step: open a command prompt as the service account (hold down Shift, right-click the Command Prompt icon and choose "Run as different user") and log in as the service account, dse-service in this example. Packages installed by pip are placed under the installing user's profile, so they must be installed as the account that will run the scheduled task.
    2. Install the dependencies with this command
      1. pip install pywin32 requests
    3. This command installs the Windows API Python libraries needed to read the event log (pywin32) and the HTTP client used to post to ServiceNow (requests).
  5. Test that the script can reach your ServiceNow instance from a command prompt
    1. cd C:\Program Files\Superna\cgi-bin
    2. python dse-servicenow-sir-integration.py
    3. The output should display the event log entries that match and ignore Information level events. It displays the event payload details in JSON format and shows the data that was sent to the ServiceNow endpoint. The endpoint code maps only a subset of the overall data into the SIR incident.
    4. Example output
      1.  
  6. Steps to Schedule sync alerts into ServiceNow Security Incidents 
    1. Open secpol.msc, Local Policies, User Rights Assignment
    2. Grant the Data Security Essentials AD service account the "Log on as a batch job" user right; Task Scheduler needs it to run the task while the account is not interactively logged on.
    3.   
    4. Create a file for the task definition as described in the next step.
  7. Right-click this link and save it to a file: it is the Task Scheduler XML file to import into Task Scheduler.
  8. Open Task Scheduler
    1. Run taskschd.msc, right click task schedule library 
    2.   
    3. Import the xml file
    4. You will be prompted with the task definition. Change the account to match your service account name and domain and re-enter its password to save the task. All other settings are already configured and match the path and settings used above; adjust any parameters that you changed if you did not follow all the steps above exactly.
      1.   
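The sync the steps above configure, as an added Python example (this is not Superna's shipped dse-servicenow-sir-integration.py): it reads the custom log through pywin32, keeps only Warning and Error events from the two source names given on this page, pulls the JSON payload out of each event message, posts it to the scripted REST endpoint, and advances the last_processed_record.txt watermark per event so a failed POST resumes at the right record on the next run. The custom log name, the endpoint URL, the message layout (a JSON object somewhere in the event text) and the webhook field names are assumptions; the page's script uses `requests`, this one uses only the standard library, and the Windows-only read is isolated so the filtering and checkpoint logic can be exercised offline with the constructed sample records.

```python
"""Added example: Data Security Essentials event log -> ServiceNow scripted REST endpoint.
ASSUMPTIONS: custom log name, endpoint URL, message layout, webhook field names."""
import json
import urllib.request
from pathlib import Path
from typing import Callable, Iterable, Optional

SERVICENOW_URL = "https://yourInstance.service-now.com/<resource_Path>"  # ASSUMPTION: placeholder
LOG_NAME = "Superna Data Security Essentials"  # ASSUMPTION: name of the custom application log
STATE_FILE = Path("last_processed_record.txt")

SOURCES = {  # source names given on this page
    "Superna Data Security Essentials BOT Service",
    "Superna Data Security Policy Engine",
}
ALERT_TYPES = {1, 2}  # win32evtlog EVENTLOG_ERROR_TYPE=1, EVENTLOG_WARNING_TYPE=2; Information (4) is ignored

# Constructed sample records in the shape read_windows_events() yields (not real DSE output).
SAMPLE_EVENTS = [
    {"RecordNumber": 100, "SourceName": "Superna Data Security Policy Engine", "EventType": 2,
     "EventID": 2001, "TimeGenerated": "2024-05-01T09:58:00", "Message": '{"eventId": "e-0"}'},
    {"RecordNumber": 101, "SourceName": "Superna Data Security Policy Engine", "EventType": 4,
     "EventID": 2000, "TimeGenerated": "2024-05-01T10:00:00", "Message": '{"eventId": "e-1", "info": "scan started"}'},
    {"RecordNumber": 102, "SourceName": "Superna Data Security Policy Engine", "EventType": 2,
     "EventID": 2001, "TimeGenerated": "2024-05-01T10:01:00",
     "Message": 'File management policy match: {"eventId": "e-2", "user": "bob", "clientIp": "10.1.2.3", "severity": "critical"} (lockout)'},
    {"RecordNumber": 103, "SourceName": "Superna Data Security Essentials BOT Service", "EventType": 1,
     "EventID": 3001, "TimeGenerated": "2024-05-01T10:02:00",
     "Message": '{"eventId": "e-3", "bot": "custom-trigger", "clientIp": "10.1.2.4"}'},
]


def is_alert(source: str, event_type: int) -> bool:
    """Only Warning/Error events from the two DSE sources are forwarded."""
    return source in SOURCES and event_type in ALERT_TYPES


def extract_payload(message: str) -> Optional[dict]:
    """Return the first JSON object embedded in an event message, or None.
    raw_decode stops at the end of the object, so trailing text is tolerated."""
    start = message.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(message[start:])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def parse_state(text: str) -> int:
    """State file line is '<record>|<time>|<event_id>'; only the record number drives resumption."""
    text = text.strip()
    return int(text.split("|", 1)[0]) if text else 0


def format_state(record: int, time_generated: str, event_id: int) -> str:
    return f"{record}|{time_generated}|{event_id}\n"


def select_new_events(events: Iterable[dict], last_record: int) -> list:
    """Events newer than the watermark, oldest first."""
    return sorted((e for e in events if e["RecordNumber"] > last_record), key=lambda e: e["RecordNumber"])


def build_webhook(event: dict, payload: dict) -> dict:
    """Body sent to the endpoint (field names are assumptions); the endpoint maps only a subset."""
    return {"source": event["SourceName"], "eventType": event["EventType"], "eventID": event["EventID"],
            "timeGenerated": event["TimeGenerated"], "recordNumber": event["RecordNumber"], "alert": payload}


def post_webhook(url: str, body: dict, headers: Optional[dict] = None) -> int:
    """POST JSON with Content-Type (and Authorization if configured); returns the HTTP status."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST")
    for name, value in {"Content-Type": "application/json", **(headers or {})}.items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def sync_once(events: Iterable[dict], last_record: int, post: Callable[[dict], object],
              checkpoint: Callable[[dict], object] = lambda ev: None):
    """Forward unprocessed alert events oldest-first; returns (sent, newest record).
    checkpoint() runs after every event, sent or skipped, so an exception from post()
    leaves the watermark at the last event actually delivered."""
    sent, newest = 0, last_record
    for ev in select_new_events(events, last_record):
        if is_alert(ev["SourceName"], ev["EventType"]):
            payload = extract_payload(ev["Message"])
            if payload is not None:
                post(build_webhook(ev, payload))
                sent += 1
        checkpoint(ev)
        newest = ev["RecordNumber"]
    return sent, newest


def read_windows_events(log_name: str):
    """Read the whole custom log via pywin32 (Windows only). Custom sources without a
    message DLL carry their text in StringInserts; EventID low 16 bits is the displayed ID."""
    import win32evtlog  # pip install pywin32
    handle = win32evtlog.OpenEventLog(None, log_name)
    flags = win32evtlog.EVENTLOG_FORWARDS_READ | win32evtlog.EVENTLOG_SEQUENTIAL_READ
    try:
        while True:
            batch = win32evtlog.ReadEventLog(handle, flags, 0)
            if not batch:
                break
            for ev in batch:
                yield {"RecordNumber": ev.RecordNumber, "SourceName": ev.SourceName, "EventType": ev.EventType,
                       "EventID": ev.EventID & 0xFFFF, "TimeGenerated": ev.TimeGenerated.Format("%Y-%m-%dT%H:%M:%S"),
                       "Message": " ".join(ev.StringInserts or ())}
    finally:
        win32evtlog.CloseEventLog(handle)


if __name__ == "__main__":
    last = parse_state(STATE_FILE.read_text()) if STATE_FILE.exists() else 0
    save = lambda ev: STATE_FILE.write_text(format_state(ev["RecordNumber"], ev["TimeGenerated"], ev["EventID"]))
    n, newest = sync_once(read_windows_events(LOG_NAME), last, lambda body: post_webhook(SERVICENOW_URL, body), save)
    print(f"delivered {n} alert(s); last processed record {newest}")
```

Because the watermark moves after each event rather than once at the end, a run that dies on the fourth of ten events re-sends only the remaining seven next minute; the endpoint's event ID matching then turns any accidental re-send into a work-note update rather than a duplicate incident.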


© Superna Inc