ServiceNow

Alert Logic Integration with ServiceNow allows you to:

  • Generate a ServiceNow Incident when Alert Logic detects a Security Incident or Security Observation.
  • Generate a ServiceNow Incident when Alert Logic discovers new vulnerabilities.
  • Generate a ServiceNow Incident in response to a scheduled search or report execution.
  • Customize and enrich Alert Logic-generated output sent to ServiceNow by adding custom fields or applying jq transformations (https://stedolan.github.io/jq/).

Supported subscription types

  • Managed Detection and Response Essentials
  • Managed Detection and Response Professional
  • Alert Logic Cloud Defender

The types of notifications you can send to ServiceNow depend on your subscription type.

Architecture diagram

Overview

  1. When Alert Logic generates an incident, observation, report, or other record, the Alert Logic Notification Service is notified.
  2. When there are active subscriptions that match the notification criteria and use Integration as a notification target, the Integrations Service is called to deliver a notification to the target integration.
  3. The Integrations Service applies any JSON transformations configured for the target integration connection (in this example, ServiceNow).
  4. The Integrations Service executes an HTTP POST request against the target integration.
  5. The response status of the HTTP POST is recorded and is accessible via audit trails.

Deployment and Configuration

Create a new integration for ServiceNow

To create an integration:

On the Integrations page, select ServiceNow under Ticketing Webhooks.

Provide the following details:

  1. Name of the integration connection
  2. ServiceNow target URL
  3. Alert Logic Data Type for which you plan to use this integration. Choose from Incident, Observation, Report, Scheduled Search, or Vulnerability.
  4. Provide the ServiceNow Authorization Header
    1. In your shell, type:

      $ echo -n "IntegrationUserName:IntegrationUserPassword" | base64

      This returns the base64-encoded credentials:

      SW50ZWdyYXRpb25Vc2VyTmFtZTpJbnRlZ3JhdGlvblVzZXJQYXNzd29yZA==
    2. Enter the following in the Authorization Header field (the Basic scheme name is followed by a space, not a colon):

      Basic SW50ZWdyYXRpb25Vc2VyTmFtZTpJbnRlZ3JhdGlvblVzZXJQYXNzd29yZA==
  5. Payload is populated with recommended settings, but you can customize it by providing extra JSON fields that are either static or reference Data Type schema. Click on ‘View Sample Data’ to see Data Type schema.

  6. Optionally, you can also provide JQ transformation for the Data Type JSON.

  7. Click Test to test the connection using the sample payload.
  8. Click Save to save the ServiceNow integration setup.

Create Notification

You can create an Incident notification. Other notifications work similarly.

To create a notification:

  1. Select the Notifications menu option under Manage.
  2. Click the add icon and select Incidents.
  3. Provide Name and filter options for this notification.
  4. In the Recipients section, select the Subscribe Integration option.
  5. In the Notification Delivery section, select the ServiceNow integration you created.
  6. Click Save.

For more information about notifications, see Configure Notifications.

Best Practices

  1. Incidents—Alert Logic recommends that you toggle Escalations on and, to start with, create tickets only for high and critical incidents. You can always add lower-severity incidents later. If you do not toggle Escalations on, you will receive incidents as soon as they are created automatically, not after the SOC team has analyzed them.
  2. Vulnerabilities—Select grouping by remediations and leverage asset groups.
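The following is an added example (not Alert Logic's or ServiceNow's own code) that ties together the Authorization Header step above and the escalation best practice: it builds the Basic header value from the integration user's credentials, applies a "high and critical, escalated only" filter to a constructed sample notification, shapes it into a standard ServiceNow Table API incident record, and interprets the HTTP status recorded in the audit trail. The Alert Logic field names in the sample are assumptions for illustration; take the real Data Type schema from View Sample Data.

```python
import base64
import json

# Constructed sample notification; field names are illustrative assumptions,
# not the real Alert Logic Data Type schema.
SAMPLE_INCIDENT = {
    "incident_id": "example-incident-id",
    "summary": "Suspicious login activity",
    "threat_rating": "High",
    "escalated": True,
    "deployment": "prod-aws",
}

# Map threat ratings to ServiceNow urgency values (1 = high, 3 = low).
URGENCY_BY_RATING = {"Critical": 1, "High": 1, "Medium": 2, "Low": 3}
RATING_ORDER = ["Low", "Medium", "High", "Critical"]


def basic_auth_header(username: str, password: str) -> str:
    """Value for the Authorization Header field: 'Basic' + space + base64(user:pass)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def should_create_ticket(incident: dict, min_rating: str = "High") -> bool:
    """Best-practice filter: only escalated incidents at or above min_rating."""
    if not incident.get("escalated"):
        return False
    return RATING_ORDER.index(incident["threat_rating"]) >= RATING_ORDER.index(min_rating)


def build_servicenow_payload(incident: dict) -> dict:
    """Shape the notification into a ServiceNow 'incident' table record."""
    return {
        "short_description": f"[Alert Logic] {incident['summary']}",
        "description": json.dumps(incident, indent=2),
        "urgency": URGENCY_BY_RATING.get(incident["threat_rating"], 3),
        "correlation_id": incident["incident_id"],
    }


def classify_post_status(status_code: int) -> str:
    """Interpret the POST response status recorded in the audit trail."""
    if status_code in (200, 201):
        return "delivered"
    if status_code in (401, 403):
        return "credentials invalid: rotate the integration user's password and update the header"
    if status_code == 404:
        return "target URL wrong: check the instance host and table path"
    return "unexpected response: inspect the ServiceNow response body"


if __name__ == "__main__":
    print(basic_auth_header("IntegrationUserName", "IntegrationUserPassword"))
    if should_create_ticket(SAMPLE_INCIDENT):
        print(json.dumps(build_servicenow_payload(SAMPLE_INCIDENT), indent=2))
```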

Validation and Troubleshooting

If the provided credentials are no longer valid, Alert Logic creates a remediation.