VMware Carbon Black Cloud Apps for ServiceNow
Overview
ServiceNow is a platform that provides workflow automation for a variety of operational and management use cases primarily targeting IT and security teams.
Integrating telemetry and response actions from the Carbon Black Cloud into ServiceNow streamlines security processes
by providing built-in endpoint context and response actions within a single pane of glass. With full incident management
capabilities and long term record keeping, security teams leveraging the Carbon Black Cloud Apps for ServiceNow can
streamline coordination within the SOC during incidents and reduce friction within their team.
Carbon Black Cloud Alerts in ServiceNow
Features:
- Automated Ticket Creation and Lifecycle Management.
- Ingest and manage Carbon Black Cloud alerts within ServiceNow.
- Automatically ingest CBC alerts and other inputs into ServiceNow.
- Populate ServiceNow tickets with data from Carbon Black Cloud.
- Sync updates across both consoles when tasks are changed or completed.
Automate incident response actions within ServiceNow
- Leverage built-in response actions to orchestrate endpoint remediation from within ServiceNow.
- Perform core response actions, including quarantine endpoint, ban hash, get processes and kill process, from within ServiceNow.
- Pivot directly into the CBC console for deeper investigations.
Depending on which ServiceNow modules you have, Carbon Black offers three main integration apps:
ITSM App: When an alert occurs in Carbon Black Cloud, create a ticket in ServiceNow. The VMware Carbon Black Cloud integration with the ServiceNow IT service management (ITSM) module provides endpoint device context and metadata within tickets to streamline IT workflows and reduce manual data collection.
SecOps App: When an alert occurs in Carbon Black Cloud, create an incident in ServiceNow. The VMware Carbon Black Cloud integration with the ServiceNow SecOps module provides access to additional endpoint response actions, threat intelligence and metadata to contextualize and accelerate security investigations.
Vulnerability Response (VR) App: Periodically ingest vulnerability information identified by Carbon Black Cloud, together with the related device metadata, from Carbon Black Cloud into ServiceNow. The VR App can be used in addition to the SecOps or ITSM app, or stand alone.
All apps rely on the Base App, which integrates Carbon Black Cloud with ServiceNow and brings relevant endpoint alerts and context directly into ServiceNow ticketing and incident workflows. The Base App is installed automatically when you install the ITSM app, SecOps app or Vulnerability Response App.
Requirements
- Access to Carbon Black Cloud
- ServiceNow
  - San Diego, Tokyo and Utah are the supported versions.
  - ServiceNow ITSM or ServiceNow SecOps if you want to run the ITSM or SecOps apps
- ServiceNow Plugins
  - Domain Support - Domain Extensions Installer
  - Vulnerability Response
Note: This app has not been reviewed for FedRAMP Compliance for use in the AWS GovCloud (US) environment. Please reach out to Carbon Black Cloud Support for further information.
Quick Links
- Download from the ServiceNow App Store.
Use Cases
- Automate alert triage and ticket creation
- Ticket enrichment with endpoint device context
- Orchestrate and standardize incident response tasks
- CMDB Enrichment with Endpoint Device Context
- Create Vulnerability items and link them to items in the CMDB
Carbon Black Cloud Alert Ingestion
- Control which alerts are brought into ServiceNow from Carbon Black Cloud using the Alerts API
- Customize which alerts create incidents based on incident creation criteria and alert aggregation criteria.
- Specify field mappings to populate ServiceNow Incidents with Carbon Black Cloud Alert metadata.
- ServiceNow admins can control which SOAR actions are available for each user group.
- Bi-directional syncing of alerts between systems, including notes.
- SOAR Actions, across context, remediation, and orchestration use cases
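The ingestion rules listed above (incident creation criteria, alert aggregation criteria, field mappings and domain separation) can be modelled end to end in a few lines. The following is an added illustration written for this page, not code from the Carbon Black Cloud apps or from ServiceNow; the alert records are constructed samples in a CBC-like shape, the alert field names and the `u_` incident fields are assumptions, and the urgency rule is invented for the example.

```python
from collections import defaultdict

# Constructed sample alerts in a CBC-like shape (field names assumed, not real API output).
SAMPLE_ALERTS = [
    {"id": "a1", "org_key": "ORG1", "severity": 8, "type": "CB_ANALYTICS", "device_id": 101,
     "device_name": "wks-01", "threat_id": "t-abc", "reason": "Ransomware-like behavior"},
    {"id": "a2", "org_key": "ORG1", "severity": 3, "type": "WATCHLIST", "device_id": 101,
     "device_name": "wks-01", "threat_id": "t-def", "reason": "Suspicious PowerShell"},
    {"id": "a3", "org_key": "ORG1", "severity": 9, "type": "CB_ANALYTICS", "device_id": 101,
     "device_name": "wks-01", "threat_id": "t-abc", "reason": "Ransomware-like behavior"},
    {"id": "a4", "org_key": "ORG2", "severity": 8, "type": "CB_ANALYTICS", "device_id": 202,
     "device_name": "srv-02", "threat_id": "t-xyz", "reason": "Credential theft"},
]

# Incident creation criteria: only alerts matching these may open an incident.
CREATION_CRITERIA = {"min_severity": 7, "types": {"CB_ANALYTICS", "WATCHLIST"}}
# Alert aggregation criteria: alerts sharing these fields fold into one incident.
AGGREGATION_KEYS = ("org_key", "device_id", "threat_id")
# Field mappings: ServiceNow incident field <- CBC alert field (u_ fields are assumed custom fields).
FIELD_MAP = {"short_description": "reason", "cmdb_ci": "device_name", "u_cbc_threat_id": "threat_id"}


def matches_criteria(alert, criteria=CREATION_CRITERIA):
    """Incident creation criteria check for a single alert."""
    return alert["severity"] >= criteria["min_severity"] and alert["type"] in criteria["types"]


def build_incidents(alerts, domain):
    """Return the ServiceNow incident records one ingestion run would create for one domain.

    Domain separation: a configuration profile only sees alerts from its own org_key.
    """
    groups = defaultdict(list)
    for alert in alerts:
        if alert["org_key"] != domain:
            continue
        if matches_criteria(alert):
            groups[tuple(alert[k] for k in AGGREGATION_KEYS)].append(alert)
    incidents = []
    for members in groups.values():
        first = members[0]
        incident = {sn_field: first[cbc_field] for sn_field, cbc_field in FIELD_MAP.items()}
        # Urgency derived from the worst alert in the group (a constructed rule).
        incident["urgency"] = 1 if max(m["severity"] for m in members) >= 9 else 2
        # Alert ids are kept on the incident so later updates can be synced back to CBC.
        incident["u_cbc_alert_ids"] = [m["id"] for m in members]
        incidents.append(incident)
    return incidents
```

Running `build_incidents(SAMPLE_ALERTS, "ORG1")` yields a single incident for `wks-01` that aggregates alerts a1 and a3, while the low-severity a2 is dropped by the creation criteria and a4 is invisible to that domain.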
Configure Alert ingestion
Multi-tenancy
- Domain separation to configure ingestion and isolation of Alerts data from multiple Carbon Black Cloud organizations.
Streamlined ServiceNow ITSM Incident Creation and Lifecycle Management
- Automated and manual ServiceNow ITSM Incident ticket creation based on Carbon Black Cloud Alerts.
- Customizable field mappings between Carbon Black Cloud Alerts and ServiceNow ITSM Incident tickets.
- Automated, bi-directional updates between Carbon Black Cloud and ServiceNow for alerts, updates, and dismissal.
Ingest Vulnerability Information
- Ingest vulnerability information from Carbon Black Cloud
SOAR Capabilities
- Built-in context and remediation actions for Security Orchestration, Automation, and Response (SOAR) workflows.
- Automated logging and record keeping of incident response actions in ITSM Incident ticket work notes.
- Control which SOAR actions are available for each user group.
- Perform the following SOAR actions in ServiceNow:
  - Search and Context
    - From Alert:
      - Search for Process Metadata
      - Search for Enriched Events
      - Get Binary Metadata From UBS
      - Download Binary from UBS
      - Search For Process Executions by Hash
    - From Alert or Device:
      - Search for Running Processes
      - Get Endpoint Info including OS, sensor version and state, and last check-in time
      - Get File From Endpoint
  - Remediation
    - From Alert:
      - Ban and Unban a Process Hash
      - Add (or remove) an IOC to (from) Feed
      - Ignore an IOC
      - Approve or Reject Policy Recommendations
      - Approve External USB Device
    - From Alert or Device:
      - Delete File on Endpoint
      - Quarantine and Unquarantine Endpoint
      - Update Endpoint Policy
      - Kill a Process on an Endpoint
      - Enable and Disable Bypass on an Asset
      - Manage Registry Key Information
      - Get Directory Information
      - Submit Live Query Run
      - Execute a Custom Script
    - From Vulnerability:
      - Get Vulnerable Endpoints
  - Orchestration
    - From Alert:
      - Dismiss Alerts
      - Add a Note to an Alert
      - Dismiss all Future Alerts
Note: SOAR Actions are available based on their availability in the sensors deployed and the permissions configured for the API credentials.
Release Notes - Current Versions
Before upgrading the apps, we recommend deactivating all Configuration Profiles and verifying that no alerts are being ingested.
If profiles are not deactivated, ServiceNow will automatically stop the alert ingestion during the upgrade and restart it once the upgrade is complete. Manually stopping ingest is nevertheless recommended to reduce the likelihood of issues occurring during the upgrade.
- Updated to be compatible with ServiceNow Utah release
Fixes
- The following issue no longer occurs: If Incident Creation Criteria are set and then you give a default value to Alert Aggregation, the condition given to Incident Creation will either vanish (if performed for the first time) or show the previous value as the value is not saved if you refresh the page using the “Apply Defaults” button.
Release Notes - Earlier Versions
- Alert Ingestion via Data Forwarder
- New SOAR actions
  - Search and Context
    - From Alert:
      - Download Binary from UBS
      - Search For Process Executions by Hash
    - From Alert or Device:
      - Get File From Endpoint
  - Remediation
    - From Alert:
      - Ignore an IOC
      - Approve or Reject Policy Recommendations
      - Approve External USB Device
    - From Alert or Device:
      - Enable and Disable Bypass on an Asset
      - Manage Registry Key Information
      - Get Directory Information
      - Submit Live Query Run
      - Execute a Custom Script
    - From Vulnerability:
      - Get Vulnerable Endpoints
  - Orchestration
    - From Alert:
      - Add a Note to an Alert
      - Dismiss all Future Alerts
- Existing SOAR actions now available from Device, as well as Alert
  - Search and Context
    - Search for Running Processes
    - Get Endpoint Info including OS, sensor version and state, and last check-in time
  - Remediation
    - Delete File on Endpoint
    - Quarantine and Unquarantine Endpoint
    - Update Endpoint Policy
    - Kill a Process on an Endpoint
- Initial release: ingest vulnerability information from Carbon Black Cloud
V1.0.0 is the initial release. It includes configuration of:
- Alert Ingestion via API
- Alert Filtering
- Incident Creation
- Field Mapping
- Scheduling
The following features are included:
- Bi-Directional sync
- Domain Separation
The following SOAR Actions are included:
- Get Process Metadata
- Get Enriched Events
- Get Running Processes
- Delete File on Endpoint
- Get Endpoint Information
- Get Binary Metadata (from UBS)
- Kill Process
- Quarantine Endpoint
- Unquarantine Endpoint
- Ban Process Hash
- Unban Process Hash
- Dismiss Alerts
- Update Endpoint Policy
- Add IOC to Feed
- Remove IOC from Feed
Note: SOAR Actions are available based on their availability in the sensors deployed and the permissions configured for the API credentials.
Bug Fixes
- None
Known Issues
- See the Known Issues section of Troubleshooting
Support and Resources
- Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
- Report bugs and change requests to Carbon Black Support.
- View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.
Last modified on July 24, 2023