VMware Carbon Black Cloud Apps for ServiceNow


Overview

ServiceNow is a platform that provides workflow automation for a variety of operational and management use cases primarily targeting IT and security teams.

Integrating telemetry and response actions from the Carbon Black Cloud into ServiceNow streamlines security processes by providing built-in endpoint context and response actions within a single pane of glass. With full incident management capabilities and long-term record keeping, security teams using the Carbon Black Cloud Apps for ServiceNow can streamline coordination within the SOC during incidents and reduce friction within their team.

Carbon Black Cloud Alerts in ServiceNow

Features:

  • Automated Ticket Creation and Lifecycle Management.
  • Ingest and manage Carbon Black Cloud alerts within ServiceNow.
  • Automatically ingest CBC alerts and other inputs into ServiceNow.
  • Populate ServiceNow tickets with data from Carbon Black Cloud.
  • Sync updates across both consoles when tasks are changed or completed.

Automate incident response actions within ServiceNow

  • Leverage built-in response actions to orchestrate endpoint remediation from within ServiceNow.
  • Perform core response actions, including quarantine endpoint, ban hash, get processes and kill process, from within ServiceNow.
  • Pivot directly into the CBC console for deeper investigations.

Depending on which ServiceNow features you have, Carbon Black offers two main integration apps:

  • ITSM App: When an alert occurs in Carbon Black Cloud, create a ticket in ServiceNow. The VMware Carbon Black Cloud integration with the ServiceNow IT service management (ITSM) module provides endpoint device context and metadata within tickets to streamline IT workflows and reduce manual data collection.
  • SecOps App: When an alert occurs in Carbon Black Cloud, create an incident in ServiceNow. The VMware Carbon Black Cloud integration with the ServiceNow SecOps module provides access to additional endpoint response actions, threat intelligence and metadata to contextualize and accelerate security investigations.
  • Both apps depend on the Base App, which integrates Carbon Black Cloud with ServiceNow and brings relevant endpoint alerts and context directly into ServiceNow ticketing and incident workflows. The Base App is installed automatically when you install the ITSM app or the SecOps app.

Requirements

  • Access to Carbon Black Cloud
  • ServiceNow
    • Quebec and Rome are the supported versions.
    • ServiceNow ITSM or ServiceNow SecOps
  • ServiceNow Plugins
    • Domain Support - Domain Extensions Installer

Use Cases

  • Automate alert triage and ticket creation
  • Ticket enrichment with endpoint device context
  • Orchestrate and standardize incident response tasks
  • CMDB Enrichment with Endpoint Device Context

Carbon Black Cloud Alert Ingestion

  • Control which alerts are brought into ServiceNow from Carbon Black Cloud using the Alerts API.
  • Customize which alerts create incidents based on incident creation criteria and alert aggregation criteria.
  • Specify field mappings to populate ServiceNow Incidents with Carbon Black Cloud Alert metadata.
  • ServiceNow admins can control which SOAR actions are available for each user group.
  • Bi-directional syncing of alerts between systems, including notes.
  • SOAR Actions across context, remediation, and orchestration use cases.

    Configure Alert ingestion

Multi-tenancy

  • Domain separation to configure ingestion and isolation of Alerts data from multiple Carbon Black Cloud organizations.

Streamlined ServiceNow ITSM Incident Creation and Lifecycle Management

  • Automated and manual ServiceNow ITSM Incident ticket creation based on Carbon Black Cloud Alerts.
  • Customizable field mappings between Carbon Black Cloud Alerts and ServiceNow ITSM Incident tickets.
  • Automated, bi-directional updates between Carbon Black Cloud and ServiceNow for alerts, updates, and dismissal.

SOAR Capabilities

  • Built-in context and remediation actions for Security Orchestration, Automation, and Response (SOAR) workflows.
  • Automated logging and record keeping of incident response actions in ITSM Incident ticket work notes.
  • Control which SOAR actions are available for each user group.
  • Perform the following SOAR actions from an Alert in ServiceNow:
    • Search and Context
      • Search for Process Metadata
      • Search for Enriched Events
      • Search for Running Processes
      • Get Binary Metadata From UBS
      • Get Endpoint Info, including OS, sensor version and state, and last check-in time
    • Remediation
      • Ban and Unban a Process Hash
      • Delete File on Endpoint
      • Quarantine and Unquarantine Endpoint
      • Update Endpoint Policy
      • Kill a Process on an Endpoint
      • Add IOC to Feed
      • Remove IOC from Feed
    • Orchestration
      • Dismiss Alerts

Note: SOAR Actions are available depending on the capabilities of the deployed sensors and the permissions granted to the configured API credentials.

Release Notes

New Features

V1.0.0 is the initial release. It includes configuration of:

  • Alert Ingestion via API
  • Alert Filtering
  • Incident Creation
  • Field Mapping
  • Scheduling

The following features are included:

  • Bi-Directional sync
  • Domain Separation

The following SOAR Actions are included:

  • Get Process Metadata
  • Get Enriched Events
  • Get Running Processes
  • Delete File on Endpoint
  • Get Endpoint Information
  • Get Binary Metadata (from UBS)
  • Kill Process
  • Quarantine Endpoint
  • Unquarantine Endpoint
  • Ban Process Hash
  • Unban Process Hash
  • Dismiss Alerts
  • Update Endpoint Policy
  • Add IOC to Feed
  • Remove IOC from Feed

Note: SOAR Actions are available depending on the capabilities of the deployed sensors and the permissions granted to the configured API credentials.

Bug Fixes

  • None

Known Issues

  • See the Known Issues section of Troubleshooting.

No prior versions; 1.0.0 is the first and current version for ITSM, SecOps and Base apps.

Support and Resources

  • Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
  • Report bugs and change requests to Carbon Black Support.
  • View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

Last modified on July 15, 2022