Comment on page
ServiceNOW Integration
9/2022
The Oort security platform can integrate with ServiceNOW to open tickets in response to failed Checks for various security configuration and identity threat events.
This document will walk you through the process of setting up access to ServiceNOW and will also walk you through the setup inside of the Oort console.
To add the necessary configuration in ServiceNOW, you need to have admin access to the following:
From the ServiceNOW admin console, select User Administration.
Create a new account for the Oort integration. Set the password according to your organization’s service account password policy and store it securely.
Check the Web service access only option.
Give it the incident_manager role.
Click Save.
Within the Oort console, navigate to -
Integrations -> New Integration -> ServiceNOW
Enter the following information:
Enter a name and description. Enter your ServiceNOW instance URL. It may be a custom URL if you have that configured. Enter the username and password of the account that you created.
Click Save.
To test the integration, navigate to a user that is failing a particular check, such as Inactive Users. Go to the Checks tab for that user.
Click the three dot option menu for a failing check and select Open Ticket. The ticket will appear in the lower section.
After testing successfully, click the Collect Now button to begin initial data collection immediately.
The following table shows an overview of JSON styled payload that will be sent from Oort out to ServiceNow
Field | Description |
|---|---|
login | end user login |
displayName | User's Display Name |
status | Status, such as Active or Inactive |
userTypeClassification | Valid values: INTERNAL, EXTERNAL, MISSING, UNCLASSIFIED, INCONSISTENT, SERVICE_ACCOUNT |
ipAddresses | Up to 5 IP addresses recently used by the user |
lastSignInLocation | Last geolocation the user signed in from |
managerLogin | Manager LoginID |
phoneNumber | Phone Number |
unusedApplications | Up to 2 applications the user is assigned to but not using |
usedApplications | Up to 5 applications used by the user |
usedFactors | Up to 5 factors used by the user |
[email protected] failing Oort Check: IP Threat Detected
User Details:
Display Name : Karsch Heuck
Login : [email protected]
Status : ACTIVE
Type : INTERNAL
Manager : N/A
Phone : N/A
Used IP Addresses : 2600:1017:b808:d190:4641:e114:b3a1:430a (US:New York:New York) 2601:280:5b7f:4cf0:d17a:44b4:6c75:4e4 (US:Arvada:Colorado) 50.229.84.62 (US:Stamford:Connecticut) 24.38.70.198 (US:Belleville:New Jersey) 198.55.26.62 (US:Stamford:Connecticut)
Used Applications : cisco asa vpn (burlington), Oort Corp Okta instance, logmein rescue, atlassian cloud, microsoft office 365 for simubiz
Unused Applications :
Used Factors : push, totp
Last Sign-in Location : US
Recommended Actions:
We recommend contacting the end-user to purge the machine originating the traffic. We only tag successful logins to reduce false positives.
See user in Oort:
https://dashboard.ci.oort.io/go?org=Hh8hsedcx4CqYJOp&type=users&login=karsch.heuck%40simubiz.com
Last modified 7mo ago