VMware Carbon Black Cloud Apps for ServiceNow


Overview

ServiceNow is a platform that provides workflow automation for a variety of operational and management use cases primarily targeting IT and security teams.

Integrating telemetry and response actions from the Carbon Black Cloud into ServiceNow streamlines security processes by providing built-in endpoint context and response actions within a single pane of glass. With full incident management capabilities and long-term record keeping, security teams leveraging the Carbon Black Cloud Apps for ServiceNow can streamline coordination within the SOC during incidents and reduce friction within their team.

Carbon Black Cloud Alerts in ServiceNow

Features:

  • Automated Ticket Creation and Lifecycle Management.
  • Automatically ingest Carbon Black Cloud alerts and other inputs into ServiceNow and manage them there.
  • Populate ServiceNow tickets with data from Carbon Black Cloud.
  • Sync updates across both consoles when tasks are changed or completed.

Automate incident response actions within ServiceNow

  • Leverage built-in response actions to orchestrate endpoint remediation from within ServiceNow.
  • Perform core response actions, including quarantine endpoint, ban hash, get processes and kill process, from within ServiceNow.
  • Pivot directly into the CBC console for deeper investigations.

Depending on which ServiceNow modules you have licensed, Carbon Black offers three main integration apps, all of which build on a shared Base App:

  • ITSM App: When an alert occurs in Carbon Black Cloud, create a ticket in ServiceNow. The VMware Carbon Black Cloud integration with the ServiceNow IT service management (ITSM) module provides endpoint device context and metadata within tickets to streamline IT workflows and reduce manual data collection.
  • SecOps App: When an alert occurs in Carbon Black Cloud, create an incident in ServiceNow. The VMware Carbon Black Cloud integration with the ServiceNow SecOps module provides access to additional endpoint response actions, threat intelligence and metadata to contextualize and accelerate security investigations.
  • Vulnerability Response (VR) App: Periodically ingest vulnerability information identified by Carbon Black Cloud, together with the related device metadata, into ServiceNow. The VR App can be used in addition to the SecOps or ITSM app, or stand-alone.
  • Base App: All three apps rely on the Base App, which connects Carbon Black Cloud to ServiceNow and brings the relevant endpoint alerts and context directly into ServiceNow ticketing and incident workflows. The Base App is installed automatically when you install the ITSM, SecOps or Vulnerability Response App.

Requirements

  • Access to Carbon Black Cloud
  • ServiceNow
    • Tokyo, Utah and Vancouver are the supported versions.
    • ServiceNow ITSM or ServiceNow SecOps, depending on whether you want to run the ITSM or the SecOps app.
  • ServiceNow Plugins
    • Domain Support - Domain Extensions Installer (required for domain separation; see Multi-tenancy below)
    • Vulnerability Response (required by the Vulnerability Response App)

Note: This app has not been reviewed for FedRAMP Compliance for use in the AWS GovCloud (US) environment. Please reach out to Carbon Black Cloud Support for further information.

Use Cases

  • Automate alert triage and ticket creation
  • Ticket enrichment with endpoint device context
  • Orchestrate and standardize incident response tasks
  • CMDB Enrichment with Endpoint Device Context
  • Create Vulnerability items and link them to items in the CMDB

Carbon Black Cloud Alert Ingestion

  • Control which alerts are brought into ServiceNow from Carbon Black Cloud using the Alerts v7 API
  • Customize which alerts create incidents based on incident creation criteria and alert aggregation criteria.
  • Specify field mappings to populate ServiceNow Incidents with Carbon Black Cloud Alert metadata.
  • ServiceNow admins can control which SOAR actions are available for each user group.
  • Bi-directional syncing of alerts between systems, including notes.
  • SOAR actions covering context, remediation and orchestration use cases

    Configure Alert ingestion


Multi-tenancy

  • Domain separation to configure ingestion and isolation of Alerts data from multiple Carbon Black Cloud organizations.

Streamlined ServiceNow ITSM Incident Creation and Lifecycle Management

  • Automated and manual ServiceNow ITSM Incident ticket creation based on Carbon Black Cloud Alerts.
  • Customizable field mappings between Carbon Black Cloud Alerts and ServiceNow ITSM Incident tickets.
  • Automated, bi-directional updates between Carbon Black Cloud and ServiceNow for alerts, updates, and closure.
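The pipeline described in the alert ingestion, multi-tenancy and ITSM incident sections above, as an added example written for this page rather than code from the Carbon Black Cloud ServiceNow apps. It runs offline on constructed alert records shaped like Alerts v7 API results; the criteria format, the aggregation keys, the ServiceNow field names, the org-to-domain table and the severity-to-impact mapping are assumptions chosen for the illustration, not the apps' configuration schema.

```python
"""Added example (not code from the Carbon Black Cloud ServiceNow apps):
creation criteria -> alert aggregation -> field mapping -> domain separation
-> bi-directional close, run offline on constructed alerts.

Alert records are shaped like Alerts v7 API results (org_key, id, type,
severity, device_id, device_name, threat_id, reason, backend_timestamp,
workflow.status). The criteria format, ServiceNow field names, the
org-to-domain table and the severity-to-impact mapping are assumptions."""
from collections import defaultdict

# Constructed sample alerts (not real telemetry). a1/a2: same threat on one
# device; a3: below the severity threshold; a4: a type we do not ticket;
# a5: eligible alert on another device; b1: same device_id/threat_id as a1
# but from another organization, so it must never merge with a1/a2.
SAMPLE_ALERTS = [
    {"org_key": "ORG1", "id": "a1", "type": "WATCHLIST", "severity": 7, "device_id": 101,
     "device_name": "WS-FINANCE-01", "threat_id": "t-abc", "reason": "Credential dumping behaviour",
     "backend_timestamp": "2024-02-01T10:00:00.000Z", "workflow": {"status": "OPEN"}},
    {"org_key": "ORG1", "id": "a2", "type": "WATCHLIST", "severity": 8, "device_id": 101,
     "device_name": "WS-FINANCE-01", "threat_id": "t-abc", "reason": "Credential dumping behaviour",
     "backend_timestamp": "2024-02-01T10:02:00.000Z", "workflow": {"status": "OPEN"}},
    {"org_key": "ORG1", "id": "a3", "type": "CB_ANALYTICS", "severity": 3, "device_id": 202,
     "device_name": "WS-HR-07", "threat_id": "t-def", "reason": "Unusual script interpreter activity",
     "backend_timestamp": "2024-02-01T10:05:00.000Z", "workflow": {"status": "OPEN"}},
    {"org_key": "ORG1", "id": "a4", "type": "DEVICE_CONTROL", "severity": 5, "device_id": 303,
     "device_name": "WS-OPS-02", "threat_id": "t-usb", "reason": "Blocked external USB device",
     "backend_timestamp": "2024-02-01T10:06:00.000Z", "workflow": {"status": "OPEN"}},
    {"org_key": "ORG1", "id": "a5", "type": "CB_ANALYTICS", "severity": 6, "device_id": 202,
     "device_name": "WS-HR-07", "threat_id": "t-ghi", "reason": "Ransomware-like file encryption",
     "backend_timestamp": "2024-02-01T10:09:00.000Z", "workflow": {"status": "OPEN"}},
    {"org_key": "ORG2", "id": "b1", "type": "WATCHLIST", "severity": 9, "device_id": 101,
     "device_name": "LAB-01", "threat_id": "t-abc", "reason": "Credential dumping behaviour",
     "backend_timestamp": "2024-02-01T10:10:00.000Z", "workflow": {"status": "OPEN"}},
]

# Assumed configuration profiles: one per CBC organization, each bound to a
# ServiceNow domain so that tenants' data stays separated.
PROFILES = {"ORG1": {"sys_domain": "acme_corp"}, "ORG2": {"sys_domain": "acme_labs"}}
# Incident creation criteria (assumed format): every condition must hold.
CREATION_CRITERIA = {"min_severity": 5, "types": {"WATCHLIST", "CB_ANALYTICS"}}
# Alert aggregation criteria: alerts sharing these fields fold into one
# incident. org_key is always part of the key so tenants never merge.
AGGREGATION_KEYS = ("org_key", "device_id", "threat_id")
# Field mapping, CBC alert field -> ServiceNow incident field (assumed names).
FIELD_MAP = {"reason": "short_description", "device_name": "cmdb_ci", "id": "correlation_id"}


def severity_to_impact(severity):
    """Assumed mapping of CBC severity (1-10) onto ServiceNow impact (1=high, 3=low)."""
    return 1 if severity >= 7 else 2 if severity >= 4 else 3


def meets_criteria(alert, criteria=CREATION_CRITERIA):
    """Only open alerts from a configured org that pass the criteria become incidents."""
    return (alert["org_key"] in PROFILES
            and alert["workflow"]["status"] != "CLOSED"
            and alert["severity"] >= criteria["min_severity"]
            and alert["type"] in criteria["types"])


def aggregate(alerts, keys=AGGREGATION_KEYS):
    """Group alerts by the aggregation key, preserving first-seen order."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[tuple(alert[k] for k in keys)].append(alert)
    return list(groups.values())


def build_incident(group, field_map=FIELD_MAP):
    """Map one aggregated group onto the fields of a ServiceNow incident."""
    # Same-format ISO-8601 UTC strings sort lexically, so max() picks the newest alert.
    newest = max(group, key=lambda a: a["backend_timestamp"])
    incident = {snow: newest[cbc] for cbc, snow in field_map.items()}
    incident["sys_domain"] = PROFILES[newest["org_key"]]["sys_domain"]
    incident["impact"] = severity_to_impact(max(a["severity"] for a in group))
    incident["cbc_alert_ids"] = sorted(a["id"] for a in group)
    incident["state"] = "new"
    incident["work_notes"] = [f"Created from {len(group)} CBC alert(s): {', '.join(incident['cbc_alert_ids'])}"]
    return incident


def ingest(alerts):
    """Criteria -> aggregation -> mapping; returns the incidents to create."""
    return [build_incident(g) for g in aggregate(a for a in alerts if meets_criteria(a))]


def close_incident(incident, alerts, note):
    """Sync back: closing the ServiceNow incident closes every linked alert
    (Alerts v7 workflow status CLOSED) and records the note on both sides.
    Workflow fields other than status are an assumption here."""
    for alert in alerts:
        if alert["id"] in incident["cbc_alert_ids"]:
            alert["workflow"] = {"status": "CLOSED", "note": note}
    incident["state"] = "closed"
    incident["work_notes"].append(f"Closed {len(incident['cbc_alert_ids'])} CBC alert(s): {note}")
    return incident
```

Two details are worth copying when you configure the real apps: `org_key` is part of the aggregation key, so alerts from two Carbon Black Cloud organizations that happen to share a `device_id` and `threat_id` can never fold into one incident and leak across ServiceNow domains; and `meets_criteria` skips alerts that are already CLOSED, so a second run after `close_incident` creates nothing for them, which is what keeps the bi-directional sync from reopening closed work.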

Ingest Vulnerability Information

  • Ingest vulnerability information from Carbon Black Cloud

SOAR Capabilities

  • Built-in context and remediation actions for Security Orchestration, Automation, and Response (SOAR) workflows.
  • Automated logging and record keeping of incident response actions in ITSM Incident ticket work notes.
  • Control which SOAR actions are available for each user group.
  • Perform the following SOAR actions in ServiceNow:
    • Search and Context
      • From Alert:
        • Search for Process Metadata
        • Search for Enriched Events
        • Get Binary Metadata From UBS
        • Download Binary from UBS
        • Search For Process Executions by Hash
      • From Alert or Device
        • Search for Running Processes
        • Get Endpoint Info, including OS, sensor version and state, and last check-in time
        • Get File From Endpoint
    • Remediation
      • From Alert:
        • Ban and Unban a Process Hash
        • Add (or remove) an IOC to (from) Feed
        • Ignore an IOC
        • Approve or Reject Policy Recommendations
        • Approve External USB Device
      • From Alert or Device
        • Delete File on Endpoint
        • Quarantine and Unquarantine Endpoint
        • Update Endpoint Policy
        • Kill a Process on an Endpoint
        • Enable and Disable Bypass on an Asset
        • Manage Registry Key Information
        • Get Directory Information
        • Submit Live Query Run
        • Execute a Custom Script
      • From Vulnerability
        • Get Vulnerable Endpoints
    • Orchestration
      • From Alert
        • Close Alerts
        • Add a Note to an Alert
        • Close all Future Alerts

Note: SOAR Actions are available based on their availability in the sensors deployed and the permissions configured for the API credentials.
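A least-privilege gate for these actions, as an added example and not code from the Carbon Black Cloud ServiceNow apps: it enforces which actions a user's roles permit, which context (Alert or Device) an action may be run from, requires a justification for actions that weaken protection, and writes the work-note audit entry the page describes for every attempt, including denials. Role names, the allow-list, the justification rule and the note format are assumptions for this example; `executor` is a hypothetical hook standing in for the call into Carbon Black Cloud.

```python
"""Added example (not code from the Carbon Black Cloud ServiceNow apps):
a least-privilege gate in front of the SOAR actions listed above, with the
work-note audit record the page says accompanies each action.

Role names, the allow-list, the justification rule and the note format are
assumptions for this example; action names and their Alert/Device contexts
follow the list on this page. `executor` stands in for the call into CBC."""
from datetime import datetime, timezone

# Assumed ServiceNow roles, least privilege first; each role also inherits
# the one below it (see ROLE_INHERITS).
ROLE_ACTIONS = {
    "cbc_analyst": {"Search for Running Processes", "Get Endpoint Info",
                    "Search for Process Metadata", "Add a Note to an Alert"},
    "cbc_responder": {"Quarantine Endpoint", "Unquarantine Endpoint", "Close Alerts",
                      "Kill a Process on an Endpoint", "Ban Process Hash"},
    "cbc_lead": {"Enable Bypass on an Asset", "Disable Bypass on an Asset",
                 "Update Endpoint Policy", "Execute a Custom Script"},
}
ROLE_INHERITS = {"cbc_responder": "cbc_analyst", "cbc_lead": "cbc_responder"}

# Context each action is offered from, per the page ("From Alert" / "From Alert or Device").
ACTION_CONTEXTS = {
    "Search for Process Metadata": {"Alert"}, "Add a Note to an Alert": {"Alert"},
    "Close Alerts": {"Alert"}, "Ban Process Hash": {"Alert"},
    "Search for Running Processes": {"Alert", "Device"}, "Get Endpoint Info": {"Alert", "Device"},
    "Quarantine Endpoint": {"Alert", "Device"}, "Unquarantine Endpoint": {"Alert", "Device"},
    "Kill a Process on an Endpoint": {"Alert", "Device"},
    "Enable Bypass on an Asset": {"Alert", "Device"}, "Disable Bypass on an Asset": {"Alert", "Device"},
    "Update Endpoint Policy": {"Alert", "Device"}, "Execute a Custom Script": {"Alert", "Device"},
}

# Actions that reduce protection or run arbitrary code need a recorded justification.
JUSTIFICATION_REQUIRED = {"Enable Bypass on an Asset", "Unquarantine Endpoint",
                          "Update Endpoint Policy", "Execute a Custom Script"}


def allowed_actions(roles):
    """Expand role inheritance and return every action the user may invoke."""
    allowed, pending, seen = set(), list(roles), set()
    while pending:
        role = pending.pop()
        if role in seen:
            continue
        seen.add(role)
        allowed |= ROLE_ACTIONS.get(role, set())
        if role in ROLE_INHERITS:
            pending.append(ROLE_INHERITS[role])
    return allowed


def run_soar_action(user, roles, action, context, target, justification=None,
                    executor=None, now=None):
    """Authorise, execute and audit one SOAR action.

    Returns (ok, work_note). Every outcome, including denials, produces a
    work note so the incident record shows who tried what. `executor(action,
    target)` is the assumed hook that would call Carbon Black Cloud."""
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")

    def note(outcome, detail):
        return f"[{stamp}] {user} -> {action} on {context} {target}: {outcome} ({detail})"

    if context not in ACTION_CONTEXTS.get(action, set()):
        return False, note("rejected", f"action is not offered from {context}")
    if action not in allowed_actions(roles):
        return False, note("denied", "user's roles do not include this action")
    if action in JUSTIFICATION_REQUIRED and not justification:
        return False, note("denied", "justification required for this action")
    try:
        result = executor(action, target) if executor else "simulated"
    except Exception as exc:  # sensor offline, API credential lacks the permission, etc.
        return False, note("failed", str(exc))
    detail = f"{result}; justification: {justification}" if justification else str(result)
    return True, note("succeeded", detail)
```

Denials are written to the work notes just like successes: an attempted Enable Bypass by someone without the role is itself worth seeing in the incident record. The final `except` branch is where the note above applies in practice: an action the API credential lacks permission for, or a sensor that is offline, surfaces as a failed work note rather than a silent no-op.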

Release Notes - Current Versions

Version 3.0.0 of the ServiceNow App updates to the Alert Forwarder Schema v2.0.

If you are ingesting Alerts using the Data Forwarder and AWS S3 option then the Carbon Black Cloud Data Forwarder Configuration must be updated to the Alert Forwarder Schema v2.0.

ServiceNow will not ingest the Forwarder Alert Schema 1.0 successfully.

Follow these steps:

  1. Go to Carbon Black Cloud > Settings > Data Forwarders
  2. Find the data forwarder used by ServiceNow
  3. Click the pencil to edit the forwarder
  4. Change the schema selection to 2.0.0 and save the forwarder
  5. Upgrade the ServiceNow app
  6. Verify alerts are being ingested correctly

Prior to upgrading the apps we recommend deactivating all Configuration Profiles and verifying that no alerts are being ingested.

If profiles are not deactivated, ServiceNow will automatically stop alert ingestion during the upgrade and restart it once the upgrade is complete. Stopping ingestion manually is still recommended to reduce the likelihood of issues occurring during the upgrade.

Breaking changes:

  • Data Forwarder Alert v2.0.0 schema
    • If you are ingesting Alerts using the Data Forwarder and AWS S3 option then the Carbon Black Cloud Data Forwarder Configuration must be updated to the Alert Forwarder Schema v2.0. See the steps above.

Other new features and updates:

  • Updated to use the Alerts v7 API
  • New dashboards that show metrics about Carbon Black Cloud Alerts, ITSM Security Incidents and Assets
  • New dashboards that show metrics about vulnerabilities (Vulnerability Response App)
  • Updated to be compatible with the ServiceNow Vancouver release
  • Dismiss Alerts is now Close Alerts
  • New User Roles to limit access to SOAR actions

Release Notes - Earlier Versions

  • Updated to be compatible with the ServiceNow Utah release

Fixes

  • The following issue no longer occurs: if Incident Creation Criteria were set and a default value was then given to Alert Aggregation, the Incident Creation condition either vanished (when done for the first time) or showed the previous value, because the value was not saved when the page was refreshed using the "Apply Defaults" button.
  • Alert Ingestion via Data Forwarder
  • New SOAR actions
    • Search and Context
      • From Alert:
        • Download Binary from UBS
        • Search For Process Executions by Hash
      • From Alert or Device
        • Get File From Endpoint
    • Remediation
      • From Alert:
        • Ignore an IOC
        • Approve or Reject Policy Recommendations
        • Approve External USB Device
      • From Alert or Device
        • Enable and Disable Bypass on an Asset
        • Manage Registry Key Information
        • Get Directory Information
        • Submit Live Query Run
        • Execute a Custom Script
      • From Vulnerability
        • Get Vulnerable Endpoints
    • Orchestration
      • From Alert
        • Add a Note to an Alert
        • Dismiss all Future Alerts
  • Existing SOAR actions now available from Device, as well as Alert
    • Search and Context
      • Search for Running Processes
      • Get Endpoint Info, including OS, sensor version and state, and last check-in time
    • Remediation
      • Delete File on Endpoint
      • Quarantine and Unquarantine Endpoint
      • Update Endpoint Policy
      • Kill a Process on an Endpoint

Vulnerability Response App initial release:

  • Ingest Vulnerability information from Carbon Black Cloud

New Features

V1.0.0 is the initial release. It includes configuration of:

  • Alert Ingestion via API
  • Alert Filtering
  • Incident Creation
  • Field Mapping
  • Scheduling

The following features are included:

  • Bi-Directional sync
  • Domain Separation

The following SOAR Actions are included:

  • Get Process Metadata
  • Get Enriched Events
  • Get Running Processes
  • Delete File on Endpoint
  • Get Endpoint Information
  • Get Binary Metadata (from UBS)
  • Kill Process
  • Quarantine Endpoint
  • Unquarantine Endpoint
  • Ban Process Hash
  • Unban Process Hash
  • Dismiss Alerts
  • Update Endpoint Policy
  • Add IOC to Feed
  • Remove IOC from Feed

Note: SOAR Actions are available based on their availability in the sensors deployed and the permissions configured for the API credentials.

Bug Fixes

  • None

Known Issues

  • See Known Issues section of Troubleshooting

Support and Resources

  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
  • Report bugs and change requests to Carbon Black Support.
  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.



Last modified on February 28, 2024