ServiceNOW Integration

9/2022

Overview

The Oort security platform can integrate with ServiceNOW to open tickets in response to failed Checks for various security configuration and identity threat events.

This document will walk you through the process of setting up access to ServiceNOW and will also walk you through the setup inside of the Oort console.

ServiceNOW Configuration

To add the necessary configuration in ServiceNOW, you need to have admin access to the following:

From the ServiceNOW admin console, select User Administration.

Create a new account for the Oort integration. Set the password according to your organization’s service account password policy and store it securely.

Check the Web service access only option.

Give it the incident_manager role.

Click Save.

Oort Configuration

Within the Oort console, navigate to -

Integrations -> New Integration -> ServiceNOW

Enter the following information:

Enter a name and description. Enter your ServiceNOW instance URL. It may be a custom URL if you have that configured. Enter the username and password of the account that you created.

Click Save.

To test the integration, navigate to a user that is failing a particular check, such as Inactive Users. Go to the Checks tab for that user.

Click the three dot option menu for a failing check and select Open Ticket. The ticket will appear in the lower section.

After testing successfully, click the Collect Now button to begin initial data collection immediately.

Data Payload Details

The following table shows an overview of JSON styled payload that will be sent from Oort out to ServiceNow

Field Description

Field	Description
login	end user login
displayName	User's Display Name
status	Status, such as `Active` or `Inactive`
userTypeClassification	Valid values: `INTERNAL`, `EXTERNAL`, `MISSING`, `UNCLASSIFIED`, `INCONSISTENT`, `SERVICE_ACCOUNT`
ipAddresses	Up to 5 IP addresses recently used by the user
lastSignInLocation	Last geolocation the user signed in from
managerLogin	Manager LoginID
phoneNumber	Phone Number
unusedApplications	Up to 2 applications the user is assigned to but not using
usedApplications	Up to 5 applications used by the user
usedFactors	Up to 5 factors used by the user

end user login

displayName

User's Display Name

status

Status, such as Active or Inactive

userTypeClassification

Valid values: INTERNAL, EXTERNAL, MISSING, UNCLASSIFIED, INCONSISTENT, SERVICE_ACCOUNT

ipAddresses

Up to 5 IP addresses recently used by the user

lastSignInLocation

Last geolocation the user signed in from

managerLogin

Manager LoginID

phoneNumber

Phone Number

unusedApplications

Up to 2 applications the user is assigned to but not using

usedApplications

Up to 5 applications used by the user

usedFactors

Up to 5 factors used by the user

Example Ticket Description with End User Digest

karsch.heuck@simubiz.com failing Oort Check: IP Threat Detected
User Details:
Display Name          : Karsch Heuck
Login                 : karsch.heuck@simubiz.com
Status                : ACTIVE
Type                  : INTERNAL
Manager               : N/A
Phone                 : N/A
Used IP Addresses     : 2600:1017:b808:d190:4641:e114:b3a1:430a (US:New York:New York) 2601:280:5b7f:4cf0:d17a:44b4:6c75:4e4 (US:Arvada:Colorado) 50.229.84.62 (US:Stamford:Connecticut) 24.38.70.198 (US:Belleville:New Jersey) 198.55.26.62 (US:Stamford:Connecticut) 
Used Applications     : cisco asa vpn (burlington), Oort Corp Okta instance, logmein rescue, atlassian cloud, microsoft office 365 for simubiz
Unused Applications   : 
Used Factors          : push, totp
Last Sign-in Location : US


Recommended Actions:
We recommend contacting the end-user to purge the machine originating the traffic. We only tag successful logins to reduce false positives.

See user in Oort:
https://dashboard.ci.oort.io/go?org=Hh8hsedcx4CqYJOp&type=users&login=karsch.heuck%40simubiz.com

PreviousSendGrid Integration NextSlack Notification Integration

Last updated 1 year ago