Apps for ServiceNow - Installation and Configuration Guide

Overview

To integrate Carbon Black Cloud and ServiceNow, there are three apps available for different use cases.

To manage security incidents, there is a SecOps App and an ITSM App; these have the same functionality and the choice is determined by whether you have the SecOps or ITSM ServiceNow module.
To manage vulnerabilities identified by Carbon Black Cloud, the Vulnerability Response (VR) app canl ingest vulnerabilities from Carbon Black Cloud into ServiceNow. It can be used alone or in combination with one of the other apps.

All of these apps will install the necessary prerequisites including the VMware Carbon Black Cloud Base Connector App for ServiceNow. This takes care of the connectivity between ServiceNow and Carbon Black Cloud to collect alerts from Carbon Black Cloud and store them in the Alerts table in ServiceNow, populate the ServiceNow CMDB with Carbon Black Cloud Device information and enable actions to be initiated in ServiceNow and execute in Carbon Black Cloud.

Getting Started

The configuration guide describes:

Prerequisites - decisions to be made prior to installation
Installation - install the Apps from the ServiceNow App Store
Configuration of API Access in Carbon Black Cloud
Configuration of Role and Users in ServiceNow
Configuration of the Apps - create a profile to ingest data to ServiceNow
Troublshooting and Known Issues - updates to the apps
Release Notes - updates to the apps

Prerequisites

Access to Carbon Black Cloud
Access to ServiceNow
- SanDiego, Tokyo and Vancouver are the supported versions.
- ServiceNow ITSM or ServiceNow SecOps
Determine whether you will use the ITSM or SecOps app; this will align to the ServiceNow module you are licensed for.
Determine whether you will get alerts from Carbon Black Cloud using the Alerts REST API or from an AWS S3 Bucket using the Carbon Black Cloud Data Forwarder.
- The REST API is easier to set up, requiring only API credentials to be entered into ServiceNow. ServiceNow will then poll Carbon Black Cloud for new Alerts.
- The Data Forwarder is recommended when you have a high volume or significant bursts of data as it provides improved scalability for large volumes of data. It requires
  - A Data Forwarder to be configured in Carbon Black Cloud which will write to an AWS S3 Bucket owned by you; and
  - A ServiceNow MID server to ingest the data.
If you are ingesting Assets (Devices) from Carbon Black Cloud to the ServiceNow CMDB, install the IntegrationHub ETL .

To install this plugin:
1. Log in to your ServiceNow instance with your user credentials.
2. Verify you have the system administrator (admin) role.
3. Navigate to System Definition > Plugins in your instance.
4. Search for and install the IntegrationHub ETL plugin.
If you are using the SecOps module, then install and configure the Security Incident Response plugin.

The SecOps App requires the following plugins:
• Security Incident Response

To install these plugins:
1. Log in to your instance with your user credentials.
2. Verify you have the system administrator (admin) role.
3. Navigate to System Definition > Plugins in your instance.
4. Search for and install each plugin.
If you are using the SecOps module, or if you are using the ITSM module and want to use SOAR actions that store files, then install the Threat Intelligence plugin.

Install the Threat Intelligence plugin to:
• use the MITRE features in the SecOps module.
• use "Download Binary from UBS" or "Get File on Asset" SOAR actions.

1. Prerequisite: Threat Intelligence plugin has been installed - see earlier step
2. Navigate to TAXII profile
3. Click on MITRE ATT&CK®

4. Click on "Enterprise ATT&CK" in MITRE ATT&CK®’s TAXII Collections table

5. Click on Integration Runs.
6. Select the Number of Integration Runs you want to execute. If Integration Run is empty then click on New to Create a New Integration Run and then click on Process.
7. Click on Execute Now.

8. Wait until the state changes to "complete".
Decide whether to use the Vulnerability Response Application

To use the VMware Carbon Black Cloud Vulnerability Response App, the ServiceNow Vulnerability Response plugin is required.

• Log in to your instance with your user credentials.
• Verify you have the system administrator (admin) role.
• Navigate to System Definition > Plugins in your instance.
• Search and install the plugin, developed by ServiceNow.
Activate Extensions

The Domain Support - Domain Extensions Installer ServiceNow plugin must be activated to enable multitenancy support.

To activate the plugin:
1. Sign in to your instance email account at https://support.servicenow.com.
2. From My Instance, under Instance Action, select Activate Plugin.

3. Search for plugin "Domain Separation Center" and click Activate > Activate plugin.

4. When you click on "Activate plugin", a request is sent for plugin activation. Once the Plugin is activated, you will receive a notification email.

5. To fetch Vulnerabilities or Vulnerable Items with domain separation the user has to complete script changes as specified in the ServiceNow documentation Create domain-separated imports for a Vulnerability Response or Application Vulnerability Response Integration.

6. Now that the plugin is activated on the instance, you can install the application.

Optional: Set up the Data Forwarder and MID server

Setting up the Data Forwarder and Mid Server described in this section is only needed if you choose to use the Data Forwarder and AWS S3 Bucket option above. Data collection through REST API does not require these steps.

If you are ingesting Alerts using the Data Forwarder and AWS S3 option then the Carbon Black Cloud Data Forwarder Configuration must be updated to the Alert Forwarder Schema v2.0.

ServiceNow will not ingest the Forwarder Alert Schema 1.0 successfully.

Follow these steps to update an existing forwarder:

Go to Carbon Black Cloud > Settings > Data Forwarders
Find the data forwarder used by ServiceNow
Click the pencil to edit the forwarder
Change the schema selection to 2.0.0 and save the forwarder
Upgrade the ServiceNow app
Verify alerts are being ingested correctly

Full details about the Carbon Black Cloud Data Forwarder and options to configure it are in the
Carbon Black Cloud User Guide. The steps included here are a summary with the essential options.

Configure an AWS S3 Bucket

The Carbon Black Cloud Data Forwarder is configured through the Carbon Black Console to write Alerts to an AWS S3 bucket owned by you. The first step is to create the bucket with the necessary policy.

1. Create an AWS S3 Bucket.
2. Configure the bucket policy to receive data from Carbon Black Cloud.

Configure an AWS SQS Queue

1. Create an SQS queue in your AWS Management Console.
2. Configure the Access policy. Replace the tokens with your own values.

    {
        "Version": "2008-10-17",
        "Id": "__default_policy_ID",
        "Statement": [
            {
                "Sid": "__sender_statement",
                "Effect": "Allow",
                "Principal": {
                    "Service": "s3.amazonaws.com"
                },
                "Action": "SQS:SendMessage",
                "Resource": "arn:aws:sqs:<aws-region>:<AWS Account Number>:<name-of-queue>",
                "Condition": {
                    "ForAllValues:ArnEquals": {
                        "aws:SourceArn": "arn:aws:s3:::<name-of-s3-bucket>"
                    }
                }
            }
        ]
    }

3. Configure the Event Notification in the AWS S3 bucket to use this queue. Navigate to Properties > Event Notifications and set the Destination SQS queue to the arn of the new queue.

Note: If you need to reload older events and are using SQS to pull buckets, the events will not be available in the queue once they are retrieved. To view historical events or reload data, copy the events to another prefix to copy it to the queue.

Configure an Alert Forwarder with Schema v2.0.0

To ingest data using the Carbon Black Cloud Data Forwarder an Alert Forwarder using Alert Schema v2.0.0 must be configured.

Note: If you were using the Data Forwarder with version 2.x of the ServiceNow apps, the Data Forwarder must be updated to Alert Schema 2.0.0 per upgrade steps above.

Log in to Carbon Black Cloud and perform the following actions:
1. Go to Settings > Data Forwarders
2. Click “Add Forwarder”
3. Enter a descriptive name, e.g. “ServiceNow Alert Forwarder”
4. Select the type “Alert”
5. Select Schema Updates “Pinned”. This will ensure ongoing compatibility between the Data Forwarder Schema and ServiceNow Apps.
6. Select Schema Version/constraint “2.0.0”
7. Select Provider AWS S3.
Note: Azure Blob Storage is not supported with ServiceNow Apps.
8. Enter the S3 Bucket Name and S3 Prefix
Note: The AWS S3 bucket must be in the same region as your Carbon Black Cloud. See the [Data Forwarder Setup](/reference/carbon-black-cloud/integrations/data-forwarder/quick-setup/).
9. Set Forwarder Status “On”.

10. Click Save

Configure a MID server

1. Install and configure the mid server following the steps in the MID Server Installation Guide in the ServiceNow Store.

Install the Apps

There are three apps available:

If you want incidents to be created from Alerts then choose either ITSM App or the SecOps App. The one you install will depend on whether you have the ITSM or SecOps module in ServiceNow.
If you want vulnerability information from Carbon Black Cloud then install the Vulnerability Response app. This can be used alone or in combination with the ITSM or SecOps Apps.

Ensure your role includes installation permissions

Installation requires either:

ServiceNow System Administrator Role which includes permissions for the following actions:

Installation of the integration application plugins
Mid_server to configure data ingest from an AWS S3 bucket
Read, write and delete any record
Execute all the SOAR actions
View Application Logs
Access Support Contact
Uninstall Application.

Or the VMware CBC Admin (x_vmw_cb_connector.admin) role

This will only be available if it has been configured during a previous installation of a Carbon Black Cloud app.

Download and install the required apps

1. Download the VMware Carbon Black Cloud ITSM or Secops app from the ServiceNow App store for the ServiceNow instance and enter your user credentials. The app you should download is determined by the ServiceNow module you are using.
• VMware Carbon Black Cloud for IT Service Management
• VMware Carbon Black Cloud for Security Operations
• VMware Carbon Black Cloud for Vulnerability Response

3. Log in to the ServiceNow instance on which you want to install the application.
4. Navigate to System Applications > All Available Applications > All

5. Click the Not Installed tab. A list of applications available for installation will be displayed.
6. Locate the VMware Carbon Black Cloud ITSM, SecOps or Vulnerability Response app, select it, and click Install.
7. The application will be installed on your instance.

If you will use the Vulnerability Response App then create a VR Integration Instance

An Integration Instance is required for fetching Vulnerabilities from Carbon Black Cloud and creating Vulnerable Item entries in the ServiceNow VR module.

Note: One Integration Instance is provided out-of-the box. If data is only being ingested from a single Carbon Black Cloud Organization, this step can be skipped.

The default integration instance is named “VMware Carbon Black Cloud VR Integration”. This can be used for the first Configuration Profile. Every subsequent Configuration Profile will require its own dedicated Integration instance. This is most commonly required when multitenancy features are required for ingesting data from multiple Carbon Black Cloud organizations.

1. Login to the ServiceNow instance.
2. Navigate to VMware Carbon Black Cloud > Integration Instances.
3. One default integration instance named "VMWare CBC VR Integration" will be available.
4. New Integration Instances can be created by clicking on the "New" button.

5. Enter the name of the Integration Instance and click on the "Submit" button. Integration Instance will be created and Integration will be created automatically.

6. Users can view the created Integration by clicking on VMware Carbon Black Cloud -> Integration.

This will be used when configuring the profile.

Configure the scope for the base app

The ITSM and SecOps Apps use a common base app to manage connectivity to Carbon Black Cloud. Configure the scope for this common app.

1. Click on "Settings".

2. Click on "Developer" under System Settings on the left

3. Select "VMware Carbon Black Cloud" in the Application picker.
4. Enable "Show application picker in header".

4. Click on X (Cross) to close the popup.

Configure API Access

ServiceNow requires an API key with the appropriate permissions to make the API calls. Create the key in Carbon Black Cloud.

1. Get Org Key

Get your Org Key from Carbon Black Cloud on the General > Settings page.

2. Get your Carbon Black Cloud Hostname

Get the Carbon Black Cloud Hostname from the Authentication Page or the URL when you are logged in to the Carbon Black Cloud console.

For example, https://dashboard.confer.net

3. Determine permissions for the actions you want to enable in the ITSM App or SecOps App

The ITSM and SecOps Apps support the same actions.

Note: SOAR Actions are available based on their availability in the sensors deployed and the permissions configured for the API credentials.

ServiceNow Action	Notation Name	Permissions
Configuration Profile - Create/Update/Delete	org.alerts	READ
Configuration Profile - Asset Inventory Ingest	device	READ
Alert Filtering - Create/Update/Delete	org.alerts	READ
Incident Creation - Create/Update/Delete	org.alerts	READ
Field Mapping - Create/Update/Delete	org.alerts	READ
Scheduling - Create/Update/Delete	org.alerts	READ
Alert Ingestion - Update	org.alerts	READ
Bi Directional Sync	org.alerts	READ
Close Incident and alert Closure	org.alerts.close	EXECUTE
Close Alert Manually	org.alerts.close	EXECUTE
Ban / Unban process hash	org.reputations	CREATE
Get File from Asset	device, org.liveresponse.session ; org.liveresponse.file	device: READ ; org.liveresponse.session: CREATE, READ, DELETE ; org.liveresponse.file: READ
Put File on Asset	device, org.liveresponse.session ; org.liveresponse.file	device: READ ; org.liveresponse.session: CREATE, READ, DELETE ; org.liveresponse.file: CREATE, READ
Delete File from Endpoint	org.liveresponse.session ; org.liveresponse.file	org.liveresponse.session: CREATE, READ, DELETE ; org.liveresponse.file: READ, DELETE
Close Alerts	org.alerts.close	EXECUTE
Get Process Metadata	org.search.events	CREATE, READ
Get Binary Metadata from UBS	ubs.org.sha256	READ
Get Endpoint (Asset) Information	device	READ
Get Enriched Events	org.search.events	CREATE, READ
Get Running Processes	org.liveresponse.session ; org.liveresponse.process	org.liveresponse.session: CREATE, READ, DELETE ; org.liveresponse.process: READ
Update Endpoint (Asset) Policy	device.policy	UPDATE
Quarantine / Unquarantine Endpoint	device.quarantine	EXECUTE
Kill process on an endpoint	org.liveresponse.session ; org.liveresponse.process	org.liveresponse.session: CREATE, READ, DELETE ; org.liveresponse.process: READ, DELETE
Add or remove an IoC to or from a Feed	org.feeds	CREATE, UPDATE
Download Binary from UBS	ubs.org.file	READ
Enable/Disable Asset Bypass	device.bypass	EXECUTE
Get Process Executions by Hash	org.search.events	READ, CREATE
Ignore an IOC	org.watchlists	UPDATE
Add a note to an Alert	org.alerts.notes	CREATE
Get Directory Information	device ; org.liveresponse.session ; org.liveresponse.file	device READ ; org.liveresponse.session CREATE, READ, UPDATE, DELETE ; org.liveresponse.file READ
Get Registry Key Information On Asset	device ; org.liveresponse.session	org.liveresponse.registry: READ ; device READ ; org.liveresponse.session: CREATE, READ, UPDATE, DELETE ; org.liveresponse.registry: READ
Manage Registry Key Information	device ; org.liveresponse.session ; org.liveresponse.registry	device: READ ; org.liveresponse.session: CREATE, READ, UPDATE, DELETE ; org.liveresponse.registry: CREATE, READ, UPDATE, DELETE
Get External Device Information	external-device.manage	READ
Close Future Alerts	org.alerts.close	EXECUTE
Submit Live Query Run	livequery.manage	CREATE, READ
Approve an external USB device	external-device.manage	CREATE
Get/Approve/Reject Alert Recommendation	org.recommendations	CREATE, READ, DELETE
Execute a Custom Script on the Endpoint	device ; org.liveresponse.session ; org.liveresponse.process	device: READ ; org.liveresponse.session: CREATE, READ, UPDATE, DELETE ; org.liveresponse.process: EXECUTE

4. Determine permissions for the actions you want to enable in the Vulnerability Response App

The Vulnerability Response App Requires the following permissions for data ingest:

ServiceNow Action	Notation Name	Permissions
Configuration Profile - Create/Update/Delete	vulnerabilityAssessment.data	READ
Configuration Profile - Asset Inventory Ingest	device	READ
Ingest Vulnerability Data	vulnerabilityAssessment.data	READ
Ingest Device Data	device	READ

5a. Option 1: Create API Key Using Carbon Black Cloud for Authentication

In Carbon Black Cloud:

Create a custom access level with the required permissions from the previous table.
Create an API Key of type Custom and assign the Access Level created in the previous step.

See Authentication for details about API Keys in Carbon Black Cloud.

5b. Option 2: Create OAuth App Using VMware Cloud Services Platform (CSP) for Authentication

In VMware Cloud Services Platform:

Create a custom role with the required permissions from the previous table.
Create an OAuth App and assign the custom role created in the previous step.

See Authentication for details about API Keys in Carbon Black Cloud.

Configure Roles and Users

There are two application specific roles to be configured in ServiceNow; one with the privileges to administer the apps and one for analysts.

After these roles have been configured, grant them to users.

Built in System Administrator Role

The built in Service Now System Administrator role grants users with that role the permissions to:
- Install the integration application plugins
- Configure Data Collection using the Data Forwarder with AWS S3 Bucket
- Read, write and delete any record
- Create Users
- Can execute all SOAR actions
- View Application Logs
- Access Support Contact
- Uninstall the Application

Configure ITSM roles

The included roles need permissions added to them.
1. Navigate to the Roles Page in the ServiceNow search menu on the left.
2. Find and open the role `x_vmw_cb_connector.admin`.

3. Scroll down and click on the "Edit" button. If the “Edit” button is not visible then add the scope of the application.

4. Search for the roles to be added. For each role select the role and move it to `Contains Roles List` by either double-clicking on the role or clicking on the right arrow.

To VMware CBC Admin (x_vmw_cb_connector.admin) add the roles:
• itil
• itil_admin
• mid_server - for selecting the mid server to ingest data from the AWS S3 Bucket. Only required if configuring the Data Forwarder.
• flow_operator
• workflow_admin
• n_ti.malicious_attachment_access (to download and view secured attachments)
• sn_ti.observable.write (to view and edit observable records)

Which will grant users with that role the permissions to
• Install the integration application plugins
• Create Users
• Configure the application for REST API approach or Data Forwarder with AWS S3 Bucket approach
• View Application Logs
• Manually create an Incident from Alerts
• Configure automatic creation of an Incident from Alerts
• Manually Close an Alert
• Close Incidents
• Perform SOAR actions
• Bi Directional Sync of Alerts in ServiceNow and Carbon Black Cloud
• Access Support Contact.

5. Repeat steps two to four to add the following roles to VMware CBC Analysts (x_vmw_cb_connector.analyst1, x_vmw_cb_connector.analyst2, x_vmw_cb_connector.analyst3):
• itil
• itil_admin
• export_set_scheduler
• flow_operator
• n_ti.malicious_attachment_access (to download and view secured attachments)
• sn_ti.observable.write (to view and edit observable records)

Which will grant users with that role the permissions to
• Access the Application
• Manually create an Incident from Alerts
• Manually close an Alert
• Close Incidents
• Perform SOAR actions
• Bi Directional Sync of Alerts in ServiceNow and Carbon Black Cloud
• Access Support Contact.

6. Repeat steps two to four to add the following roles to VMware CBC View All (x_vmw_cb_connector.view_all):
• sn_incident_read {{br>}} Which will grant users with that role the permissions to read all the records but cannot write or delete records.

Configure SecOps roles

Images for each step are included in the ITSM roles configuration above.
1. Navigate to the Roles Page in the ServiceNow search menu on the left.

2. Edit the following bundled roles, by searching for the bundled roles and then selecting Contains Role > Edit

3. To VMware CBC Admin (x_vmw_cb_connector.admin) add the roles:
• sn_si_admin
• export_set_scheduler
• mid_server (to configure Data Forwarder Alert ingest)
• sn_ti.malicious_attachment_access (to download and view secured attachment)
• sn_ti.observable.write (to view and edit observable records)

Which will grant users with that role the permissions to
• Install the integration application plugins
• Create Users
• Configure the application for REST API approach or Data Forwarder with AWS S3 Bucket approach
• View Application Logs
• Manually create a Security Incident from Alerts
• Configure automatic creation of an Incident from Alerts
• Manually close an Alert
• Close Incidents
• Perform SOAR action on Alerts
• Apply MITRE Classification
• Access Support Contact.

4. To VMware CBC Analysts Roles (x_vmw_cb_connector.level_1_analyst, x_vmw_cb_connector.level_2_analyst, x_vmw_cb_connector.level_3_analyst) add the roles:
• sn_si_analyst
• export_set_scheduler
• sn_ti.malicious_attachment_access (to download and view secured attachment)
• sn_ti.observable.write (to view and edit observable records)

Which will grant users with that role the permissions to
• Access the Application
• Manually create an Incident from Alerts
• Manually close an Alert
• Close Incidents
• Perform some SOAR actions on Alerts
• Apply MITRE Classification
• Access Support Contact.

4. To VMware CBC View All (x_vmw_cb_connector.view_all) add the roles:
• sn_si_read
• sn_incident_read (to view cmdb data)

Which will grant users with that role the permissions to read all the records but cannot write or delete records.

Configure Vulnerability Response roles

Vulnerability Admin - sn_vul.vulnerability_admin

Note: sn_vul.vulnerability_admin contains x_vmw_cb_connector.admin role.

Images for each step are included in the ITSM roles configuration above.

1. Navigate to the Roles Page in the ServiceNow search menu on the left.

2. Edit the following bundled roles, by searching for the bundled roles and then selecting Contains Role > Edit

3. To VMware CBC Admin (x_vmw_cb_connector.admin) add the roles:
• sn_vul.vulnerability_admin

Which will grant users with that role the permissions to
• Can read, write, update and delete any record in the Configuration Profiles.
• Can read, write, update and delete any record in the Vulnerability Profiles.
• Can read, write, update and delete any record in the Integration Instances.
• Can read, write, update and delete any record in the Vulnerable Item
• View Application Logs
• Access Support Contact.

4. To VMware CBC Analysts (x_vmw_cb_connector.analyst1, x_vmw_cb_connector.analyst2, x_vmw_cb_connector.analyst3) add the roles:
• sn_vul.read_all

Which will grant users with that role the permissions to
• Can read the records of Configurations
• Can read the records of Vulnerable Item

• Access Support Contact.

Create Users

Add or modify users to assign the Analyst or Admin role as required.
User management requires the System Administrator role.

To create a User:
1. Navigate to Organization > Users.
2. Click the Users module.

3. Above the User ID list, click on the "New" button. A new User form displays.

4. Fill in the form.
• User ID - Unique User ID for the role in the current ServiceNow Platform instance.
• First Name - First Name of the user being created
• Last Name - Last Name of the user being created
• Title - Job Title, for example, Security User
• Password - Unique password created for this user
• Email - Unique email address
5. Click "Submit." Now the user has been created. See the next section to assign roles.

Assign roles to users

1. Click the name of the user you want to assign new roles to.

2. Once the record is open, scroll down and go to the Roles tab, and click "Edit".

3. When the Edit Members form displays, select the required roles from the Collection and move it to the Roles list.

• Assign x_vmw_cb_connector.admin for Administrators of the Carbon Black Cloud app. Users with this role can configure the applications as well as do everything an analyst can.

• Assign x_vmw_cb_connector.analyst1, x_vmw_cb_connector.analyst2 or x_vmw_cb_connector.analyst3 for other users of the Carbon Black Cloud app. Users with these roles can create tickets and perform actions in the integration, and are limited to viewing configuration.

4. Click save

Configure a Profile

A profile is required to control the rules for ingestion of data and incident creation.

To configure a new profile the role VMware CBC admin is required.

1. Start a new Configuration Profile

Create a new Configuration Profile. This will start a wizard that will walk you through configuring the ServiceNow App. Differences between the ITSM App, SecOps App and Vulnerability Response App are few and clearly identified.
1. Login to the ServiceNow instance
2. Navigate to VMware Carbon Black Cloud > Configurations.

3. Click on the "New" button to create a Configuration Profile.

4. Enter a unique "Name", "Order", and "Description" in the Overview section.
• Multiple values in the order field of profile configuration can be added using space between each integer.

5. Select the apps that you want to configure.
• Vulnerability Response (Carbon Black Cloud VR) can be used alone or with the ITSM or SecOps App.
• Only one of "Carbon Black Cloud ITSM" or "Carbon Black Cloud SecOps" can be selected.

2. Enter Carbon Black Cloud Credentials

Carbon Black Cloud credentials are required for data ingest using the REST APIs and for SOAR actions.

Enter the following information in the Credentials section:
• Carbon Black Cloud URL (this is the Hostname, for example https://defense.conferdeploy.net)
• Org Key
• API ID
• API Secret Key
These are the values obtained from Carbon Black Cloud in the earlier Configure API Access in Carbon Black Cloud section.

• If you are using an OAuth App, enter the App Id in the field labeled API Id and App Secret in the field labelled API Secret Key.

3. Optional: Enter credentials to ingest Alerts from the Carbon Black Cloud Data Forwarder (ITSM and SecOps Apps)

If you want to ingest Alerts using the Carbon Black Cloud Data Forwarder then ensure you have set up the Data Forwarder and ServiceNow MID server following the steps in the earlier section Set Up the Data Forwarder and Mid Server.

• For Alert Ingestion Approach, choose Data Forwarder / AWS S3 Bucket.
• Additional fields will display below the dropdown field.

• Populate the following fields with information from the earlier section, Set up the Data Forwarder and Mid Server.
○ SQS Queue URL
○ Role ARN
○ Access Key
○ Access Secret

○ Select a Validated and Up MID server from the MID server field.

• To ingest alerts from AWS S3 Bucket, the application scope must be “VMware Carbon Black Cloud”. If the application scope is other than “VMware Carbon Black Cloud” then alerts will not be ingested from AWS S3 Bucket. See Install the Apps for more information.

• Based on the amount of data consumed from the SQS Queue, the user can configure the
○ MID server JVM Memory size from Set the MID Server JVM memory size
○ Number of MID server threads from Set MID Server Thread Use

Note: Alerts from the S3 bucket will get ingested into ServiceNow even if those alerts have a different org_key than that of the configured profile.

• Click the "Next" button to advance to the next tab.

4. Optional: Configure Asset Inventory Data Ingestion

To have more information available in ServiceNow for the assets monitored by Carbon Black Cloud, enable Device Collection.

• Enter the frequency of collection in hours
• The Next Collection Time will populate after the first collection runs.

5. Optional: Configure Vulnerability Response (Vulnerability Response App)

This is required if the VR app is being used.

• Enable "Ingest Vulnerabilities"
• Select the Integration Instance in the "Integration Instance" field.
• Configure the frequency that the vulnerabilities from the Carbon Black Cloud should be ingested into ServiceNow from the "Run" field.
• If only the Vulnerability Response App is being configured, click on the "Finish" button to save the record. Otherwise continue the configuration wizard.

6. Optional: Configure Actions

Optional and requires Carbon Black Enterprise EDR.

To configure the action `Add IOC to Feed` check the "Add/Remove IoC details" checkbox to enable the configuration fields.

Provide the following fields:
• Watchlist name: Provide the name of any existing classifier watchlist or provide a new name for the watchlist.
If the watchlist specified does not exist, the application will create it.
If the watchlist exists but is not valid then it will raise the following error: "Watchlist must be empty or subscribed to a Feed".

• Report prefix: Provide the prefix for the report to be created to add the IOCs to it.
• Report severity: Specify the report severity.

Click the "Next" button to advance to the next tab.

7. Optional: Configure Alert Filtering (ITSM and SecOps Apps)

This is available with the ITSM and SecOps apps when API Ingestion is used. Alert Filtering is not supported for the Data Forwarder Ingestion method.

All alerts are supported for ingestion into ServiceNow, depending on which Carbon Black Cloud products are enabled:
• CB Analytics Alerts
• Device Control Alerts
• Watchlist Alerts
• Container Runtime Alerts
• Host Based Firwall Alerts
• Intrusion Detection System Alerts

Note: Alert Filtering is only supported when Alerts are ingested using the API. It is not supported for the Data Forwarder Ingestion method.

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on “Alert Filtering”.

• Uncheck any alert types you do not want to ingest from Carbon Black Cloud.
• Select the Minimum severity from 1-10. By default, the value is 3 for each Alert type.
• Optional: For more granular control of alert filtering, use the Custom Query field to query for a specific set of alert criteria.

Upgrading from V2.1.0 to V3.0.0:
• After upgrading the VMware Carbon Black Cloud app from V2.1.0 to V3.0.0, there will be 3 columns for Alert Types and Severity.
• Newly introduced alert types will be present in the drop down list and can be selected as required.

8. Configure Incident Creation (ITSM and SecOps Apps)

Optional: Set conditions for when Carbon Black Cloud alerts should automatically generate ServiceNow Incidents or ServiceNow Security Incidents for the ITSM and SecOps Apss respectively. If you do not want to create incident creation criteria, skip the step by clicking "Next".

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on "Incident Creation".

• An automatic incident will be created only if the "Apply Incident Creation" checkbox has been checked and the condition given in the Incident Creation field has been satisfied.

• Click on the "Apply Defaults" button to get a suggested default value for any settings.

• Check the default values to verify that the settings are what you desire for Incident Creation criteria.

• To set custom criteria for automatic alert creation select an Incident Condition field

• Provide corresponding values that meet the condition.

• Provide "OR" and "AND" operations to add more conditions.

• Click on "Add Criteria" to add more conditions as needed.

• Click the "Next" button to save changes and advance to the next tab.

Note: Only a user with the application admin role can delete the alerts. When alert(s) are manually deleted by a user and an incident is already associated to it, the user has to manage the incident manually.

9. Configure Alert Aggregation (ITSM and SecOps Apps)

Optional: Aggregate (group) multiple alerts into one Incident based on matching conditions. If you don’t want to create new alert aggregation criteria, skip the step by clicking the "Next" button.

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on "Incident Creation".

• Optional: Click on the "Apply Defaults" button to check the "Aggregate Alerts" option and populate suggested aggregation criteria.

• Review the default criteria.

If you did not apply defaults and want to configure aggregation rules, check the "Alert Aggregation" checkbox.

• To set custom aggregation criteria select the value from the list and press enter.

• Click on "New Criteria" to add more alert aggregation conditions

• Click the "Next" button to save changes and advance to the next tab.

10. Configure Alert Field Mapping (ITSM and SecOps Apps)

Map Carbon Black Cloud alert fields to ServiceNow ITSM Incident fields.

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on "Field Mapping".

• All alert fields are available for data mapping except Updated by, Effective number, Created by, Number, and Risk change.

• Click the "Apply Defaults" button to get suggestions for data mapping.

• Review the default values.

• If these are not correct for your environment, configure custom mappings
• Different Incident fields can be selected from the dropdown list as needed.

• Drag the Carbon Black Cloud alert field and drop it in the desired Incident field in the "Input Expression".
• Different Incident or Security Incident (for ITSM and SecOps Apps respectively) fields can be selected from the dropdown list as needed.

• Provide input expression values by entering a value in the text field.

• Add or remove the Incident fields by clicking on the plus (+) or minus (-) buttons respectively.

• Click the Next button.

11. Configure Scheduling (ITSM and SecOps Apps)

Configure when or how often data is collected from Carbon Black Cloud. There are two settings that can be configured:
1. Recurring Data Collection - for periodic ingestion of alerts; normal running.
2. One-Time Data Collection - for example, to populate recent data on initial setup or fill in a missing period of data

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on "Scheduling".

Note: This is only supported when Alerts are ingested using the API. It is not supported for the Data Forwarder Ingestion method.

• Check the Recurring data collection checkbox.
• Enter time Interval in seconds.

• Provide the Collection Start time as per the need from the calendar. The Collection Start date must be a future date or within 15 days prior to the current date.

Optional:
• To configure alert data ingestion for a bounded window of time in the past, check the One Time Collection Checkbox.
• Provide the Collection Start Time for the window. Only past date/times and current time-(minus)15 are acceptable as options.
• Provide the date/time for the Collection End Time of the window.

• Click the Finish button.

• After clicking Finish, a pop-up window warns that the profile is inactive and gives the option to Activate the profile or Save as an Inactive profile.

• Next you are navigated to the Configurations page where the profile created is in the list.

12. Activate or Deactivate the Profile

If you saved your configuration profile as inactive, you can activate it later.
• Navigate to the Configurations page.
• Select the checkbox next to the profile.
• Choose the "Activate" action from the "Actions on selected rows" dropdown.

Only one Configuration Profile per Carbon Black Cloud Org Key can be active at a time. If you try to make another profile with the same Org Key, a message will appear to inform you that the profile was not activated.

Deactivate a profile
• Navigate to the Configurations page.
• Select the checkbox next to the profile.
• Choose the "Deactivate" action from the "Actions on selected rows" dropdown.

13. Use the App!

App is ready to use! The Alert page will be populated based on the frequency that Alerts are created in Carbon Black Cloud and the ingest scheduling in ServiceNow.

Add the Alerts tab to related list of Incidents.

To view the alerts associated with an incident in the SecOps or ITSM app, the form view must be configured in the Incidents' related list.

1. Go to the security incident view.
2. Click on the Additional Action icon from the top left of the Incident record page.

3. Select the "Configure"
4. Select the "Related Lists"

5. Both "Available" and "Selected" tables will not be editable. Click on "Edit this view".

6. Search for "Alert->Security Incident" in the list under "Available".

7. Move "Alert->Security Incident" to the right section under "Selected" by either clicking on right arrow button ">" or by double clicking on "Alert->Security Incident".

8. Click on Save

9. Scroll Down and click on "Show All Related Lists".

10. "Alerts" Tab will be visible in the related list
Add related lists to the “Computers” and “Virtual Machine Instances”

After configuring Asset ingest, additional SOAR actions are available on CIs in the CMDB. The following lists can be added to Computers and Virtual Machines.
- Asset Information - Get Asset Information
- Events - Get Enriched Events
- Carbon Black Running Processes - Get Running Processes at Carbon Black
- File Systems - Get Directory Information
- Process Metadata - Get Process Metadata
- Registry Keys - Get Registry Key Information on Asset
- Submit Live Query Run - Submit Live Query Run
- Alert Recommendations - Get Alert Recommendations
- Observables - Get File on Asset, Download Binary from UBS
1. Navigate to Computers or Virtual Machine Instances.

2. Open Computers table. A list of computer records will be shown.

3. Open any record.
4. Click on "Additional actions" (Hamburger menu).

5. Click on "Configure" and select the "Related Lists" option.

6. Click on "Edit this view".

7. Search for the related list that needs to be added.
The example shows a related list for Events. Click on Event->Configuration Item in the left list. Then click on the ">" button (right arrow) to move it to the list of selected items on the right.

8. Click on the "Save" button.

9. Scroll down to the related lists and check the selected related lists have been added. In the example, Events.

Vulnerability Response - Delete Integration Instance

The Vulnerability Response App uses an Integration Instance. Follow these steps to delete an instance.

1. Check and set the scope of the Integration Instance

To delete an integration instance the scope must be "Carbon Black Cloud VR Integration". Check this and change if if necessary.

1. Click on Settings

2. Click on "Developer" under System Settings on the left.

3. Enable "Show application picker in header".

4. Click on X(Cross) to close the popup.
5. Select the "Carbon Black Cloud VR Integration" application from the dropdown.x

The scope of the integration instance has been set.

2. Delete the Integration Instance

1. Navigate to the VR Integration Instances

2. Select the Integration Instance that needs to be deleted.

3. Click on the "Actions on selected rows" drop-down.

4. Click on the "Delete" option.

5. Click on the "Delete" button

6. The Integration Instance will be deleted successfully.

Uninstall the App

To uninstall the app, the builtin role System Administrator is required.

Steps to Uninstall an App

• Navigate to System Applications > All Available Applications > All
• Check the Installed checkbox in the Obtained dropdown.

• Search for the application in the Search Bar.
• Once you locate the application, click "Uninstall" from three dots on the right side.

If the Carbon Black Cloud API Key is no longer being used, it should be deleted from Carbon Black Cloud.

Support and Resources

Troubleshooting guide
Use the Developer Community Forum to discuss issues and get answers from other API developers in the Carbon Black Community.
Report bugs and change requests to Carbon Black Support.
View all API and integration offerings on the Developer Network along with reference documentation, video tutorials, and how-to guides.

Give Feedback

New survey coming soon!

Last modified on February 28, 2024

Carbon Black Cloud

Page Contents