Configuring integration with ServiceNow
It is possible to send data from Cyberwatch to the ServiceNow solution using Integrations.
Cyberwatch offers Web Hook configuration on most of its pages, creating a button to interact with a remote resource over HTTPS.
As the ServiceNow API is fully open, the interconnection possibilities between the two solutions are extensive. The integration of Cyberwatch within a ServiceNow workflow is therefore seamless, and enables you to benefit of our functionalities within the ServiceNow ecosystem.
Concretely, this means, for example, that a Cyberwatch user can open a ServiceNow ticket requesting a software update with a single click. In this case, the user simply selects the patch proposed by Cyberwatch, and clicks on the integration trigger button.
Automate operation triggering via alerts
The triggering of integrations can be automated by our Alerts system. In this case, the condition of the trigger is tested daily, and executed when a new entity appears on one of the application’s pages.
Here, for example, you can schedule the creation of a ServiceNow ticket if one or more new CVEs are detected on your assets. To take this a step further, the alert trigger can be refined by filters, and a ticket will be created only if the new detected CVEs have a high CVSS score.
Guide to setting up an integration with ServiceNow
This section of the documentation is a guide to setting up the examples of integrations mentioned above.
If required, the ServiceNow documentation used here is available attached
Our first example is to use Cyberwatch to create a ServiceNow incident ticket requesting a software update, based on the CVEs associated with it.
Configuration of an integration allowing manual creation of a ServiceNow ticket
This integration is created from the Administration > Integrations page, by entering :
Custom
as integration templateHTTP hook
as the integration protocolServiceNow - Patch Request
as the nameAsset details - Patch management tab
as trigger locationhttps://instance.service-now.com/api/now/table/incident
as the request URL, replacing the valueinstance.service-now.com
with the access url to your ServiceNow instanceUse a self-signed certificate for the request
andUse proxy configuration for the request
if necessaryPOST
as the HTTP method of the requestThe contents below in the
Headers of the request
field, replacing<basic_chain>
with your base64-encodedusername:password
credentials:
{
"content-type": "Application/JSON",
"Authorization": "Basic <basic_chain>",
"Accept": "application/json"
}
- The
Body of the request
below, replacing the value of the propertycaller_id
with that of the incident creator:
{% capture cve_data %}
{% assign item_limit = 10 %}
{% assign sorted_cves = cves | sort: 'score' | reverse %}
{% for cve in sorted_cves limit: item_limit %}
- {{ cve.code }} (CVSS {{ cve.score }} / EPSS {{ cve.epss | times: 100 | round: 1 | append: " %" | escape }})#
{% endfor %}
{% endcapture %}
{
"short_description":"New asset update request {{ asset.name }}",
"caller_id":"6816f79cc0a8016401c5a33be04be441",
"comments":"Hello,\n\nThe {{ asset.name }} asset is affected by the following vulnerabilities:\n{{ cve_data | strip_newlines | split: '#' | join: '\n' }}.\n\nPlease update the following technologies:\n{% for item in technologies %}- {{ item.product }} into {% if item.target_version_string != '' %}{{ item.target_version_string }} version {% else %}last version{% endif %}\n{% endfor %}",
"urgency":"1",
"impact":"1"
}
To go further, you will find below how to automate the triggering of a Cyberwatch Web-Hook by associating it with an alert. In this case, a daily incident ticket is created with the list of new high priority CVEs detected on your assets.
Configuring ServiceNow integration triggered by an alert
This integration is created from the Administration > Integrations page, by entering :
Custom
as integration templateHTTP hook
as the integration protocolServiceNow - New high priority CVE
as the nameNone
as trigger locationhttps://instance.service-now.com/api/now/table/incident
as the request URL, replacing the valueinstance.service-now.com
with the access url to your ServiceNow instanceUse a self-signed certificate for the request
andUse proxy configuration for the request
if necessaryPOST
as the HTTP method of the requestThe contents below in the
Headers of the request
field, replacing<basic_chain>
with your base64-encodedusername:password
credentials:
{
"content-type": "Application/JSON",
"Authorization": "Basic <basic_chain>",
"Accept": "application/json"
}
- The
Body of the request
below, replacing the value of the propertycaller_id
with that of the incident creator:
{% capture cve_data %}
{% assign item_limit = 10 %}
{% assign sorted_cves = cves | sort: 'score' | reverse %}
{% for cve in sorted_cves limit: item_limit %}
- {{ cve.code }} (CVSS {{ cve.score }} / EPSS {{ cve.epss | times: 100 | round: 1 | append: " %" | escape }})#
{% endfor %}
{% endcapture %}
{
"short_description":"New high priority CVE",
"caller_id":"6816f79cc0a8016401c5a33be04be441",
"comments":"Hello,\n\nNew high priority vulnerabilities have been identified on your assets and deserve your attention:\n{{ cve_data | strip_newlines | split: '#' | join: '\n' }}",
"urgency":"1",
"impact":"1"
}
Then enter the following information when creating the associated alert:
ServiceNow alert - New high priority CVE
forName
Vulnerability Encyclopedia
forLocation
Select the
Status: Vulnerabilities present
,Status: Vulnerabilities present
andStatus: Priority vulnerabilities
filtersChoose the
ServiceNow - New high priority CVE
forIntegration