integrate-prisma-cloud-with-servicenow.adoc

Integrate Prisma Cloud with ServiceNow

Learn how to integrate Prisma™ Cloud with ServiceNow to help you prioritize and respond to Security incidents on ServiceNow.

Integrate Prisma™ Cloud with ServiceNow and get automatically notified about Prisma Cloud alerts through ServiceNow tickets to prioritize incidents and vulnerabilities that impact your business. Prisma Cloud integrates with the ITSM module (incident table), the Security Incident Response module (sn_si_incident table), and the Event Management modules (em_event table) on ServiceNow to generate alerts in the form of ITSM Incident, Security Incident, and Event tickets. After you enable the integration, when Prisma Cloud scans your cloud resources and detects a policy violation, it generates an alert and pushes it to ServiceNow as a ticket. When you dismiss an alert on Prisma Cloud, Prisma Cloud sends a state change notification to update the ticket status on ServiceNow. This integration seamlessly fits in to the existing workflows for incident management (ITSM), security operations management (Security Incident Response) or event management for your organization.

The Prisma Cloud integration with ServiceNow is qualified with the most recent cloud-based GA versions of ServiceNow; the on-premise versions are not supported.

Note	If you are using a ServiceNow developer instance, make sure that it is not hibernating.

1. Set Up Permissions on ServiceNow

2. Enable the ServiceNow Integration on Prisma Cloud

3. Set up Notification Templates

4. View Alerts

If you see errors, review how to Interpret Error Messages.

Set Up Permissions on ServiceNow

To integrate Prisma Cloud and ServiceNow, you must have the privileges on ServiceNow to configure users, roles, fields on ServiceNow, which then allow you to set up the data mapping for the Notification Templates on Prisma Cloud.

If you do not have the privileges required listed below, you must work with your ServiceNow administrator.

1. Prerequisites for the Prisma Cloud and ServiceNow Integration

   1. You must have permissions to create a local user account on ServiceNow.

      Create a userinput:[Username] and userinput:[password] that are local on the instance itself. A local user account is a requirement because the ServiceNow web services cannot authenticate against an LDAP or SSO Identity provider and it is unlike the authentication flow that ServiceNow supports for typical administrative users who access the service using a web browser.Refer to the ServiceNow documentation for more information.

      

   2. Review the ServiceNow roles required.

      Prisma Cloud has verified that the following roles provide the required permissions. If your implementation has different roles and RBAC mechanisms, work with your ServiceNow administrator.

      New York, Orlando, and Paris

      • tt:[(Optional)] userinput:[personalize] for accessing tables.

        Personalize role is recommended to support type-ahead fields in notification templates for ServiceNow on Prisma Cloud. With this permission, when you enter a minimum of three characters in a type-ahead field, this role enables you to view the list of available options. If you do not enable personalize permissions, you must give table specific read-access permissions for type-ahead inputs.

      • userinput:[evt_mgmt_integration] basic role has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources.

      • userinput:[itil] role is required for the incident table actions.

      • userinput:[sn_si.basic] role is required for the sn_si.incident security incident table actions.

   3. For the user you added earlier, create a custom role with the permissions listed above.

      These permissions are required to create tickets and access the data in the respective ITSM, Events, and Security Incident Response tables and fields on ServiceNow.

      Prisma Cloud needs access to the Plugins (V_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices) tables to fetch data from the ServiceNow fields. You can view this information in the ServiceNow notification templates that enable you to customize Prisma Cloud alerts in ServiceNow.

      1. Select "User Administration > Roles" to create a new role and assign it to the local administrative user you created earlier.

      2. Pick a table, such as the Plugins table, and select the menu (“hamburger”) icon next to a table column header to "Configure > Table".

      3. Elevate the role to security_admin to enable modification of the access control list (ACL).

         

      4. Select "Access Controls > New".

      5. Set Operation to Read and assign this permission to the role.

         

      6. Enable permissions for the remaining tables and assign them to the same role.

         Verify that all three tables—Plugins (V_plugin), Dictionary (sys_dictionary), and Choice Lists (sys_choices) have the role and the required permission especially if you have defined field-level ACL rules to restrict access to objects in your ServiceNow implementation.

   4. You must be familiar with the fields and field-types in your ServiceNow implementation to set up the Notification templates on Prisma Cloud. Because this knowledge is essential for setting up the mapping of the Prisma Cloud alert payload to the corresponding fields on ServiceNow, you must work with your ServiceNow administrator to successfully enable this integration.

2. Prerequisites for the Security Incident Module

   The Security Incident Response plugin is optional but is required if you want to generate Security Incident tickets. To create Security Incident tickets, you must also have the Security Incident Response plugin installed on your ServiceNow instance.

   Verify that the Security Incident Response plugin is activated. To activate a plugin you must be ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.

3. Prerequisites for the Event Management Module

   The Event Management plugin is optional but is required if you want to generate Event tickets on ServiceNow. To create Event tickets, you must have the Event Management subscription and the plugin installed on your ServiceNow instance.

   Verify that the Event Management plugin is activated. To activate a plugin you must be ServiceNow administrator; if you do not see the plugin in the list, verify that you have purchased the subscription.

Enable the ServiceNow Integration on Prisma Cloud

Set up ServiceNow as an external integration on Prisma Cloud.

1. Log in to Prisma Cloud and select "Settings > Integrations > +Add New".

2. Set the Integration Type to ServiceNow.

3. Enter a meaningful Integration Name and a Description.

4. Enter your FQDN for accessing ServiceNow.

   Make sure to provide the FQDN for ServiceNow—not the SSO redirect URL or a URL that enables you to bypass the SSO provider (such as sidedoor or login.do) for local authentication on ServiceNow. For example, enter userinput:[<yourservicenowinstance>.com] and not any of the following:

   https://www.<yourservicenowinstance>.com

   <yourservicenowinstance>.com/

   <yourservicenowinstance>.com/sidedoor.do

   <yourservicenowinstance>.com/login.do

   Note	You cannot modify the FQDN after you save the integration. If you want to change the FQDN for your ServiceNow instance, add a new integration.

5. Enter the Username and Password for the ServiceNow administrative user account.

   The ServiceNow web services use the SOAP API that supports basic authentication, whereby the administrative credentials are checked against the instance itself and not against any LDAP or SSO Identity provider. Therefore, you must create a local administrative user account and enter the credentials for that local user account here instead of the SSO credentials of the administrator. This method is standard for SOAP APIs that pass a basic authentication header with the SOAP request.

6. Select the Service Type for which you want to generate tickets—Incident, Security, and/or Event.

   You must have the plugin installed to create Security incident tickets or Event tickets; make sure to work with your ServiceNow administrator to install and configure the Security Incident Response module or Event Management module. If you select Security only, Prisma Cloud generates all tickets as Security Incident Response (SIR) on ServiceNow.

7. Click Next and then Test.

   If you have omitted any of the permissions listed in Set Up Permissions on ServiceNow, an HTTP 403 error displays.

   

8. Test and Save the integration.

   Continue with setting up the notification template, and then verify the status of the integration on "Settings > Integrations".

Set up Notification Templates

Notification templates allow you to map the Prisma Cloud alert payload to the incident fields (referred to as ServiceNow fields on the Prisma Cloud interface in the screenshot) on your ServiceNow instance. Because the incident, security, and event tables are independent on ServiceNow, to view alerts in the corresponding table, you must set up the notification template for each service type — Incidents, Events or Security Incidents on Prisma Cloud.

1. Log in to Prisma Cloud

2. Select "Alerts > Notification Templates" and Add Notification Template.

3. Select the ServiceNow Notification template from the list.

4. Enter a Template Name and select your Integration.

   Use descriptive names to easily identify the notification templates.

   The total length of the template name can be up to 99 characters and should not include special ASCII characters: (‘<’, ‘>’, ‘!’, ‘=’, ‘\n’, ‘\r’).

5. Set the Service Type to Incident, Security, or Event.

   The options in this drop-down match what you selected when you enabled the ServiceNow integration on Prisma Cloud.

6. Select the alert status for which you want to set up the ServiceNow fields.

   You can choose different fields for the Open, Dismissed, or Resolved states. The fields for the Snoozed state are the same as that for the Dismissed state.

7. Enable the checkbox if you want to create a new ServiceNow incident when the alert state changes from "Resolved > Open" (re-open) states.

   

8. Click Next.

9. Select the ServiceNow Fields that you want to include in the alert.

   Prisma Cloud retrieves the list of fields from your ServiceNow instance dynamically, and it does not store any data. Depending on how your IT administrator has set up your ServiceNow instance, the configurable fields may support a drop-down list, long-text field, or type-ahead. For a type-ahead field, you must enter a minimum of three characters to view a list of available options. When selecting the configurable fields in the notification template, at a minimum, you must include the fields that are defined as mandatory in your ServiceNow implementation.

   In this example, Description is a long-text field, hence you can select and include the Prisma Cloud Alert Payload fields that you want in your ServiceNow Alerts. You must include a value for each field you select to make sure that it is included in the alert notification. See Alert Payload for details on the context you can include in alerts.

   If the text in this field exceeds a certain number of characters (limit may differ based on ServiceNow default field size), you must adjust the maximum length for the fields on your ServiceNow implementation to ensure that the details are not truncated when it’s sent from Prisma Cloud.

   Note

   To generate a ServiceNow Event, Message Key and Severity are required. The Message key determines whether to create a new alert or update an existing one, and you can map the Message Key to Account Name or to Alert ID based on your preference for logging Prisma Cloud alerts as a single alert or multiple alerts on ServiceNow. Severity is required to ensure that the event is created on ServiceNow and can be processed without error; without severity, the event is in an Error state on ServiceNow.

   For Number, use AlertID from the Prisma Cloud alert payload for ease of scanning and readability of incidents on ServiceNow.

   
   

10. Review the Summary status, Test Template, and Save Template.

    

    After you set up the integration and configure the notification template, Prisma Cloud uses this template to send a test alert to your ServiceNow instance. The test workflow creates a ticket that transitions through the different alert states that you have configured in the template. When the communication is successful, a success message displays.

    For an on-demand status check, use the Get Status icon on "Settings > Integrations". These checks help you validate that the ServiceNow instance URL is reachable and that your credentials are valid.

Interpret Error Messages

The following table displays the most common errors when you enable the ServiceNow integration on Prisma Cloud.

What is Wrong?	Error Message that Displays
The ServiceNow URL you entered is incorrect.	You must provide an IP address or an FQDN without the protocol http or https	invalid_snow_base_url
The ServiceNow URL you entered is invalid.	The FQDN is invalid it should be a valid host name or IP address.	invalid_snow_fqdn
The ServiceNow URL you entered is not reachable.	The FQDN provided is either not reachable or is an invalid ServiceNow instance.	snow_network_error
A required field is missing in the ServiceNow configuration.	Missing Required Field - {{param}}	missing_required_param, subject - {{param}}
Your ServiceNow username or password is not valid or is inaccurate.	Invalid Credentials	invalid_credentials
The ServiceNow permissions you have enabled are not adequate.	Required roles or Plugins is/are missing for {{table}}	missing_role_or_plugin, subject - {{table}}
The Notification template for this integration does not have adequate permissions.	Insufficient permission to read the field from {{table}} table	insufficient_permission_to_read, subject - {{table}}
	Error Fetching Suggestions For {{table}}	error_fetching_fields_for, subject - {{table}}
The ServiceNow integration is not successfully configured.	Failed Service Now Test - {{reason}}	failed_service_now_test, subject - {{reason}}

View Alerts

Verify that the integration is working as expected. On the incidents view in ServiceNow, add the Created timestamp in addition to the same columns you enabled in the Prisma Cloud notification template to easily correlate alerts across both administrative consoles.

1. Modify an existing Alert Rule or create a new Alert Rule to send alert notifications to ServiceNow.

2. Login to ServiceNow to view Prisma Cloud alerts.

   When alert states are updated in Prisma Cloud, they are automatically updated in the corresponding ServiceNow tickets.

   1. To view incidents (incident table), select Incidents.

      In ServiceNow, all the Open Prisma Cloud have an incident state of New and all the Resolved or Dismissed alerts have an incident state of Resolved.

      

   2. To view security incidents (sn_si_incident table), select Security Incidents.

      In ServiceNow, all the Open Prisma Cloud alerts have a state of Draft and all the Resolved or Dismissed alerts have a state of Review.

      

   3. To view event incidents (events table), select "Event Management > All Events".