# ServiceNOW

## Overview

The Oort security platform can integrate with ServiceNOW to open tickets in response to failed Checks for various security configuration and identity threat events.

This document walks you through setting up access in ServiceNOW and then configuring the integration inside the Oort console.

### ServiceNOW Configuration

To add the necessary configuration in ServiceNOW, you need to have admin access to the following:

From the ServiceNOW admin console, select **User Administration**.

<figure><img src="https://oort-docs-site.netlify.app/static/b68977b3c8bc6bc711c4c6abf18b350e/9f82e/2022-09-18_15-53-23.png" alt=""><figcaption></figcaption></figure>

Create a new account for the Oort integration.  Set the password according to your organization’s service account password policy and store it securely.

Check the **Web service access only** option.

<figure><img src="https://oort-docs-site.netlify.app/static/a5022dacc6647af846fa4a6ce88f2bff/be86f/2022-09-18_16-01-14.png" alt=""><figcaption></figcaption></figure>

Give it the **incident\_manager** role.

<figure><img src="https://oort-docs-site.netlify.app/static/0dea3b1e89a87a6413523f88155729fc/3c024/2022-09-18_16-02-33.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://oort-docs-site.netlify.app/static/0c78291641f015c4ae81269dd2ea4869/1d69c/2022-09-18_16-02-50.png" alt=""><figcaption></figcaption></figure>

Click **Save**.

### Oort Configuration

Within the Oort console, navigate to:

**Integrations -> New Integration -> ServiceNOW**

Enter the following information:

![2022 09 18 16 08 55](https://oort-docs-site.netlify.app/static/228138af0a2802e4cf8d0666eed90c5f/9f82e/2022-09-18_16-08-55.png)

Enter a name and description. Enter your ServiceNOW instance URL. It may be a custom URL if you have that configured. Enter the username and password of the account that you created.

Click **Save.**

To test the integration, navigate to a user that is failing a particular check, such as Inactive Users. Go to the **Checks** tab for that user.

Click the **three dot option menu** for a failing check and select **Open Ticket**. The ticket will appear in the lower section.

<figure><img src="https://oort-docs-site.netlify.app/static/4f10afa784012320a234c7f3801c56dd/9f82e/2022-09-18_16-14-36.png" alt=""><figcaption></figcaption></figure>

After testing successfully, click the **Collect Now** button to begin initial data collection immediately.

### Data Payload Details

The following table gives an overview of the JSON-style payload that Oort sends to ServiceNOW.

<table>
<thead>
<tr><th>Field</th><th>Description</th><th data-hidden>Type</th><th data-hidden>Is Required</th></tr>
</thead>
<tbody>
<tr><td>login</td><td>end user login</td><td>string</td><td>true</td></tr>
<tr><td>displayName</td><td>User's Display Name</td><td>string</td><td>true</td></tr>
<tr><td>status</td><td>Status, such as <code>Active</code> or <code>Inactive</code></td><td>string</td><td>true</td></tr>
<tr><td>userTypeClassification</td><td>Valid values: <code>INTERNAL</code>, <code>EXTERNAL</code>, <code>MISSING</code>, <code>UNCLASSIFIED</code>, <code>INCONSISTENT</code>, <code>SERVICE_ACCOUNT</code></td><td>string</td><td>true</td></tr>
<tr><td>ipAddresses</td><td>Up to 5 IP addresses recently used by the user</td><td>list of IP addresses along with geo location</td><td>false</td></tr>
<tr><td>lastSignInLocation</td><td>Last geolocation the user signed in from</td><td>city, country, state if available</td><td>false</td></tr>
<tr><td>managerLogin</td><td>Manager LoginID</td><td>string</td><td>false</td></tr>
<tr><td>phoneNumber</td><td>Phone Number</td><td>string</td><td>false</td></tr>
<tr><td>unusedApplications</td><td>Up to 2 applications the user is assigned to but not using</td><td>CSV</td><td>false</td></tr>
<tr><td>usedApplications</td><td>Up to 5 applications used by the user</td><td>CSV</td><td>false</td></tr>
<tr><td>usedFactors</td><td>Up to 5 factors used by the user</td><td>CSV string</td><td>false</td></tr>
</tbody>
</table>

### Example Ticket Description with End User Digest

```
karsch.heuck@simubiz.com failing Oort Check: IP Threat Detected
User Details:
Display Name          : Karsch Heuck
Login                 : karsch.heuck@simubiz.com
Status                : ACTIVE
Type                  : INTERNAL
Manager               : N/A
Phone                 : N/A
Used IP Addresses     : 2600:1017:b808:d190:4641:e114:b3a1:430a (US:New York:New York) 2601:280:5b7f:4cf0:d17a:44b4:6c75:4e4 (US:Arvada:Colorado) 50.229.84.62 (US:Stamford:Connecticut) 24.38.70.198 (US:Belleville:New Jersey) 198.55.26.62 (US:Stamford:Connecticut) 
Used Applications     : cisco asa vpn (burlington), Oort Corp Okta instance, logmein rescue, atlassian cloud, microsoft office 365 for simubiz
Unused Applications   : 
Used Factors          : push, totp
Last Sign-in Location : US


Recommended Actions:
We recommend contacting the end-user to purge the machine originating the traffic. We only tag successful logins to reduce false positives.

See user in Oort:
https://dashboard.ci.oort.io/go?org=Hh8hsedcx4CqYJOp&type=users&login=karsch.heuck%40simubiz.com

```
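Automation that consumes these tickets (for example, enrichment in a SOC workflow) has to read the digest back out of the description text. The following is an added example, not Oort or ServiceNOW code: it parses the layout shown above and checks it against the item limits and `userTypeClassification` values from the payload table. The sample ticket is constructed, and reading the parenthesised geo as `country:city:state` is an assumption drawn from the example ticket.

```python
import ipaddress
import re

# Constructed sample in the layout of the example ticket (documentation-range IPs).
SAMPLE = """jane.doe@example.com failing Oort Check: IP Threat Detected
User Details:
Login                 : jane.doe@example.com
Type                  : INTERNAL
Manager               : N/A
Used IP Addresses     : 2001:db8::1 (US:New York:New York) 203.0.113.7 (US:Arvada:Colorado)
Used Applications     : okta, atlassian cloud
Unused Applications   :
Used Factors          : push, totp
Last Sign-in Location : US
"""

USER_TYPES = {"INTERNAL", "EXTERNAL", "MISSING", "UNCLASSIFIED",
              "INCONSISTENT", "SERVICE_ACCOUNT"}
# Per-field item limits taken from the payload table.
LIMITS = {"Used IP Addresses": 5, "Used Applications": 5,
          "Unused Applications": 2, "Used Factors": 5}
HEADER = re.compile(r"^(\S+) failing Oort Check: (.+)$")
FIELD = re.compile(r"^(\S[^:]*?)\s+:\s*(.*)$")  # padded "Label   : value" lines only
IP_ENTRY = re.compile(r"(\S+) \(([^)]*)\)")  # geo assumed to be country:city:state

def parse_digest(text):
    """Return (record, problems) for one ticket description; input is untrusted text."""
    record, problems = {}, []
    for line in text.splitlines():
        if m := HEADER.match(line):
            record["login_in_subject"], record["check"] = m.groups()
        elif m := FIELD.match(line):
            label, value = m.group(1), m.group(2).strip()
            if label == "Used IP Addresses":
                items = []
                for ip, geo in IP_ENTRY.findall(value):
                    try:
                        items.append((str(ipaddress.ip_address(ip)), geo.split(":")))
                    except ValueError:
                        problems.append(f"invalid IP: {ip!r}")
                value = items
            elif label in LIMITS:
                value = [v.strip() for v in value.split(",") if v.strip()]
            if label in LIMITS and len(value) > LIMITS[label]:
                problems.append(f"{label}: more than {LIMITS[label]} items")
            record[label] = None if value == "N/A" else value
    if record.get("Type") not in USER_TYPES:
        problems.append(f"unexpected Type: {record.get('Type')!r}")
    return record, problems
```

Splitting the application list on commas assumes no application name itself contains a comma; a non-empty `problems` list is the signal to route the ticket to manual review instead of acting on the parsed values.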
