
xMatters integration into Security Incidents within ServiceNow


dtopham802/SNOW-Security-Incident-Alerts


ServiceNow Security Incident Alerts

ServiceNow Security Incidents are security issues, such as threats or vulnerabilities, within an organization that are managed through a structured, automated response workflow. This repository is an example of extending the existing ServiceNow xMatters application to ingest alerts, prioritize issues using intelligent workflows and automation, and provide on-call notifications for investigation and remediation. xMatters helps to contain, eradicate, and recover from security events, minimizing impact by coordinating responses across IT and security teams.

Pre-Requisites

Files

How it works

When a new Security Incident of a qualifying priority is created (or updated), ServiceNow runs the business rule, which sends the previous and current values of every column of the Security Incident record to the Everbridge Flow Designer app; that app in turn triggers the xMatters workflow. When the workflow fires, an on-call notification goes to the incident's assignment group and/or to the default recipients configured in the Trigger Profile in the app. Because the payload carries every field of the record, anything sensitive stored on the incident leaves the instance with it, so scope the business rule's filter conditions and the xMatters recipients accordingly.

ServiceNow SIR Alert Workflow

Installation

xMatters set up

  1. Log in to xMatters, navigate to the Workflows tab and import the ServiceNowSecurityIncidentAlert.zip workflow. Details here
  2. Click on the ServiceNow Security Incident Alert workflow and then click the Flow Designer tab. Click on the Security Incidents canvas and then double-click the ServiceNow Record Alerts Security Incident [sn_si_incident] Trigger step.
  3. Click into the Endpoint tab in the Trigger and set up your ServiceNow endpoint following these instructions.
  4. In the Endpoint tab, if you don't see the "Security Incident" table, double-check that the ServiceNow API user has the sn_si.admin role. Confirm the ServiceNow table "Security Incident [sn_si_incident]" is selected. Note that sn_si.admin is a privileged role, so protect the API user's credentials accordingly.
  5. Click the Settings tab, select Basic Authentication, copy the URL and keep it for future reference.

ServiceNow set up

If you have already imported the ServiceNow XML update set skip to Step 8. To manually create a business rule, follow the steps below.

  1. Navigate to System Definitions > Business Rules
  2. Create a new Business Rule
    • Name: Enter a name for your business rule (e.g. xMatters Security Incident Alerts)
    • Application: Everbridge Flow Designer
    • Table: Security Incident [sn_si_incident]
    • Enable Active
    • Enable Advanced
  3. Under the "When to run" tab
    • When: Before
    • Order: 100
    • Enable Insert
    • Enable Update
    • Add filter conditions as shown in the image below
  4. Open the "Advanced" tab and paste the script below. Make note of the triggerProfile value: the name will be used in step 9.

```javascript
(function executeRule(current, previous /*null when async*/) {

    // Set up config. The triggerProfile value must match the name of the
    // Trigger Profile created later in the Everbridge Flow Designer app.
    var myConfig = {
        "triggerProfile": "Security Incident",
        "signalMode": "State",
        "alertPriority": "Medium"
    };

    // Overwrite signalMode when an update re-assigns the incident
    if (current.operation() == 'update' && current.assignment_group.changes()) {
        myConfig.signalMode = 'Assignment';
    }

    // Overwrite the xMatters alert priority for Critical (priority 1) incidents
    if (current.getValue('priority') == '1') {
        myConfig.alertPriority = 'High';
    }

    // Call the Everbridge Flow Designer client, passing in the config
    var FlowDesignerClient = new x_xma_eb_fd.EBClient(myConfig);
    FlowDesignerClient.triggerWorkflow(current, previous);
})(current, previous);
```

  5. Click "Submit" to save the business rule
  6. Navigate to System Applications > Application Cross-Scope Access
  7. Create a new cross-scope privilege with the values in the screenshot
  8. Navigate to Everbridge Flow Designer > Global Settings > Trigger Profiles
  9. Click Create New
    • Name: The Trigger Profile's name must match the "triggerProfile" value from step 4 (i.e. Security Incident)
    • Credentials: Select the xMatters user credentials configured for the integration. This enables a dropdown menu for the Workflow
    • Workflow: Select the "ServiceNow Security Incident Alert" workflow
    • Trigger URL: Select "ServiceNow Record Alerts Security Incident [sn_si_incident]"
    • Default Alert Property: Medium
    • Default Signal Mode: (Optional)
    • Additional Recipients: (Optional)
    • ServiceNow API User: Select the API user (see pre-requisites)
  10. Click Submit to save
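
The decision logic of the business rule above, pulled out into plain functions so it can be exercised outside ServiceNow. This is an added example, not code from the dtopham802/SNOW-Security-Incident-Alerts repository or from the Everbridge Flow Designer app: `fakeRecord` is a stand-in for the small part of the GlideRecord API the rule touches (`operation()`, `getValue()`, `<field>.changes()`), the ServiceNow priority scale (1 Critical, 2 High, 3 Moderate, 4 Low, 5 Planning) is the platform's standard one, and the assumption that only priorities 1 to 3 pass the business rule's filter conditions is taken from the TEST section rather than from the (missing) screenshot. The call into `x_xma_eb_fd.EBClient` is deliberately left out, since that class only exists inside a ServiceNow instance.

```javascript
// Added example (not part of the repository). Mirrors the business rule's
// config-building logic and the assumed filter (priority 1-3) as pure functions.

// Standard ServiceNow priority labels; used only for readable output.
const SN_PRIORITY_LABELS = {
  '1': 'Critical', '2': 'High', '3': 'Moderate', '4': 'Low', '5': 'Planning'
};

// Minimal stand-in for a GlideRecord: operation(), getValue(name) and
// per-field .changes(). `changedFields` lists the columns that differ from
// the previous record on an update. Constructed for testing only.
function fakeRecord(operation, fields, changedFields) {
  const changed = new Set(changedFields || []);
  const rec = {
    operation: () => operation,
    getValue: (name) => (fields[name] === undefined ? '' : String(fields[name]))
  };
  // Always expose the columns the rule dereferences, even if absent.
  const columns = new Set(['priority', 'assignment_group', ...Object.keys(fields)]);
  for (const name of columns) {
    rec[name] = {
      changes: () => changed.has(name),
      toString: () => rec.getValue(name)
    };
  }
  return rec;
}

// Assumed filter condition of the business rule: only Critical, High and
// Moderate incidents (priority 1-3) are forwarded to xMatters.
function shouldTrigger(current) {
  const p = parseInt(current.getValue('priority'), 10);
  return Number.isInteger(p) && p >= 1 && p <= 3;
}

// Same decisions the business rule makes before calling EBClient.
function buildTriggerConfig(current) {
  const config = {
    triggerProfile: 'Security Incident',   // must match the Trigger Profile name
    signalMode: 'State',
    alertPriority: 'Medium'
  };
  if (current.operation() === 'update' && current.assignment_group.changes()) {
    config.signalMode = 'Assignment';
  }
  if (current.getValue('priority') === '1') {
    config.alertPriority = 'High';
  }
  return config;
}

// null when the rule would not fire, otherwise the config handed to xMatters.
function evaluateRule(current) {
  return shouldTrigger(current) ? buildTriggerConfig(current) : null;
}

// Walk-through with constructed records.
const samples = [
  ['insert', { priority: '1', assignment_group: 'SOC' }, []],
  ['update', { priority: '2', assignment_group: 'IR Team' }, ['assignment_group']],
  ['update', { priority: '3', assignment_group: 'SOC' }, ['state']],
  ['insert', { priority: '4', assignment_group: 'SOC' }, []]
];
for (const [op, fields, changed] of samples) {
  const label = SN_PRIORITY_LABELS[fields.priority] || 'unknown';
  console.log(op, label, JSON.stringify(evaluateRule(fakeRecord(op, fields, changed))));
}

module.exports = { fakeRecord, shouldTrigger, buildTriggerConfig, evaluateRule };
```

Keeping the decision in a function like `buildTriggerConfig` makes it easy to see what the sample in the TEST section should produce: a Critical insert raises a High alert in State mode, an update that only changes the assignment group switches to Assignment mode, and a Low incident never reaches xMatters.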

TEST

  1. Navigate to Security Incident in the ServiceNow Navigator
  2. Create a new Security Incident. Ensure the Priority is Moderate, High, or Critical and that the Assignment Group exists in xMatters.
