Configuring integration with ServiceNow

It is possible to send data from Cyberwatch to the ServiceNow solution using Integrations.

Cyberwatch offers Web Hook configuration on most of its pages, creating a button to interact with a remote resource over HTTPS.

As the ServiceNow API is fully open, the interconnection possibilities between the two solutions are extensive. Cyberwatch therefore integrates seamlessly into a ServiceNow workflow, and lets you benefit from our functionalities within the ServiceNow ecosystem.

Concretely, this means, for example, that a Cyberwatch user can open a ServiceNow ticket requesting a software update with a single click. In this case, the user simply selects the patch proposed by Cyberwatch, and clicks on the integration trigger button.

Automate operation triggering via alerts

The triggering of integrations can be automated by our Alerts system. In this case, the trigger condition is tested daily, and the integration is executed when a new entity appears on one of the application’s pages.

Here, for example, you can schedule the creation of a ServiceNow ticket if one or more new CVEs are detected on your assets. To take this a step further, the alert trigger can be refined by filters, and a ticket will be created only if the new detected CVEs have a high CVSS score.

Guide to setting up an integration with ServiceNow

This section of the documentation is a guide to setting up the examples of integrations mentioned above.

If required, the ServiceNow documentation used here is available as an attachment.

Our first example is to use Cyberwatch to create a ServiceNow incident ticket requesting a software update, based on the CVEs associated with it.

Configuration of an integration allowing manual creation of a ServiceNow ticket

This integration is created from the Administration > Integrations page, by entering:

  • Custom as integration template;

  • HTTP hook as the integration protocol;

  • ServiceNow - Patch Request as the name;

  • Asset details - Patch management tab as trigger location;

  • https://instance.service-now.com/api/now/table/incident as the request URL, replacing the value instance.service-now.com with the URL of your ServiceNow instance;

  • Use a self-signed certificate for the request and Use proxy configuration for the request if necessary;

  • POST as the HTTP method of the request;

  • The contents below in the Headers of the request field, replacing <basic_chain> with your base64-encoded username:password credentials:

{
  "content-type": "Application/JSON",
  "Authorization": "Basic <basic_chain>",
  "Accept": "application/json"
}

  • The Body of the request below, replacing the value of the property caller_id with that of the incident creator:

{% capture cve_data %}
{% assign item_limit = 10 %}
{% assign sorted_cves = cves | sort: 'score' | reverse %}
{% for cve in sorted_cves limit: item_limit %}
- {{ cve.code }} (CVSS {{ cve.score }} / EPSS {{ cve.epss | times: 100 | round: 1 | append: " %" | escape }})#
{% endfor %}
{% endcapture %}
{
   "short_description":"New asset update request {{ asset.name }}",
   "caller_id":"6816f79cc0a8016401c5a33be04be441",
   "comments":"Hello,\n\nThe {{ asset.name }} asset is affected by the following vulnerabilities:\n{{ cve_data | strip_newlines | split: '#' | join: '\n' }}.\n\nPlease update the following technologies:\n{% for item in technologies %}- {{ item.product }} into {% if item.target_version_string != '' %}{{ item.target_version_string }} version {% else %}last version{% endif %}\n{% endfor %}",
   "urgency":"1",
   "impact":"1"
}

To go further, the following shows how to automate the triggering of a Cyberwatch Web Hook by associating it with an alert. In this case, a daily incident ticket is created with the list of new high-priority CVEs detected on your assets.

Configuring ServiceNow integration triggered by an alert

This integration is created from the Administration > Integrations page, by entering:

  • Custom as integration template;

  • HTTP hook as the integration protocol;

  • ServiceNow - New high priority CVE as the name;

  • None as trigger location;

  • https://instance.service-now.com/api/now/table/incident as the request URL, replacing the value instance.service-now.com with the URL of your ServiceNow instance;

  • Use a self-signed certificate for the request and Use proxy configuration for the request if necessary;

  • POST as the HTTP method of the request;

  • The contents below in the Headers of the request field, replacing <basic_chain> with your base64-encoded username:password credentials:

{
  "content-type": "Application/JSON",
  "Authorization": "Basic <basic_chain>",
  "Accept": "application/json"
}

  • The Body of the request below, replacing the value of the property caller_id with that of the incident creator:

{% capture cve_data %}
{% assign item_limit = 10 %}
{% assign sorted_cves = cves | sort: 'score' | reverse %}
{% for cve in sorted_cves limit: item_limit %}
- {{ cve.code }} (CVSS {{ cve.score }} / EPSS {{ cve.epss | times: 100 | round: 1 | append: " %" | escape }})#
{% endfor %}
{% endcapture %}
{
   "short_description":"New high priority CVE",
   "caller_id":"6816f79cc0a8016401c5a33be04be441",
   "comments":"Hello,\n\nNew high priority vulnerabilities have been identified on your assets and deserve your attention:\n{{ cve_data | strip_newlines | split: '#' | join: '\n' }}",
   "urgency":"1",
   "impact":"1"
}

Then enter the following information when creating the associated alert:

  • ServiceNow alert - New high priority CVE for Name;

  • Vulnerability Encyclopedia for Location;

  • Select the Status: Vulnerabilities present, Status: Vulnerabilities present and Status: Priority vulnerabilities filters;

  • Choose the ServiceNow - New high priority CVE for Integration.
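
Both integrations above use the same request URL and Headers field, so the same pre-flight check applies to each. The script below is an added example, not part of Cyberwatch or ServiceNow: it builds the <basic_chain> value and checks the URL and Headers for leftover placeholders, a non-HTTPS URL, and a malformed chain. The function names, the account name and the example.service-now.com host are assumptions made for illustration.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit

def basic_chain(username, password):
    """Value that replaces <basic_chain>: base64 of 'username:password'."""
    if ":" in username:
        raise ValueError("a Basic auth username cannot contain ':'")
    return base64.b64encode(f"{username}:{password}".encode()).decode("ascii")

def check_integration(url, headers_json):
    """Return the problems found in the request URL and the Headers field."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("URL is not https; Basic credentials are only encoded, not encrypted")
    if parts.hostname == "instance.service-now.com":
        problems.append("URL still contains the instance.service-now.com placeholder")
    if parts.path.rstrip("/") != "/api/now/table/incident":
        problems.append("URL path is not /api/now/table/incident")
    try:
        headers = {k.lower(): str(v) for k, v in json.loads(headers_json).items()}
    except (json.JSONDecodeError, AttributeError):
        return problems + ["Headers field is not a JSON object"]
    scheme, _, chain = headers.get("authorization", "").partition(" ")
    if scheme != "Basic" or not chain:
        problems.append("Authorization must be 'Basic <basic_chain>'")
    elif "<" in chain:
        problems.append("<basic_chain> placeholder was not replaced")
    else:
        try:
            decoded = base64.b64decode(chain, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            problems.append("basic chain is not valid base64")
        else:
            if ":" not in decoded:
                problems.append("decoded chain is not username:password")
            elif decoded != decoded.strip():
                problems.append("decoded chain has leading/trailing whitespace")
    if headers.get("content-type", "").lower() != "application/json":
        problems.append("content-type is not application/json")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real instance.
    chain = basic_chain("svc_cyberwatch", "constructed-password")
    hdrs = json.dumps({"content-type": "Application/JSON", "Authorization": f"Basic {chain}"})
    print(check_integration("https://example.service-now.com/api/now/table/incident", hdrs))
```

The whitespace check catches a chain produced with a plain echo piped to base64, which encodes a trailing newline as part of the password.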
