Apps for ServiceNow - Installation and Configuration Guide


Overview

To integrate Carbon Black Cloud with ServiceNow, you install either the ITSM App or the SecOps App, depending on which ServiceNow module you have. Both apps install the necessary prerequisites, including the VMware Carbon Black Cloud Base Connector App for ServiceNow. The Base Connector handles the connectivity between ServiceNow and Carbon Black Cloud: it collects alerts from Carbon Black Cloud, stores them in the Alerts table in ServiceNow, and lets actions initiated in ServiceNow execute in Carbon Black Cloud.

Getting Started

The configuration guide describes:

Prerequisites

  1. Access to Carbon Black Cloud
  2. Access to ServiceNow
    • Quebec and Rome are the supported versions.
    • ServiceNow ITSM or ServiceNow SecOps
  3. Determine whether you will use the ITSM or SecOps app; this will align to the ServiceNow module you are licensed for.

  1. If you are using the SecOps module, then install and configure the Security Incident Response and Threat Intelligence plugins.

    The SecOps App requires the following plugins:
    • Security Incident Response
    • Threat Intelligence

    To install these plugins:
    1. Log in to your instance with your user credentials.
    2. Verify you have the system administrator (admin) role.
    3. Navigate to System Definition > Plugins in your instance.
    4. Search for and install each plugin.

    To use the MITRE features, configure the Threat Intelligence plugin.
    1. Prerequisite: the Threat Intelligence plugin has been installed (see the previous step).
    2. Navigate to TAXII profile.
    3. Click on MITRE ATT&CK®.
    4. Click on “Enterprise ATT&CK” in MITRE ATT&CK®’s TAXII Collections table.
    5. Click on Integration Runs.
    6. Select the number of Integration Runs you want to execute. If the Integration Runs list is empty, click on New to create a new Integration Run, then click on Process.
    7. Click on Execute Now.
    8. Wait until the state changes to "complete".

  2. Activate Extensions

    The Domain Support - Domain Extensions Installer ServiceNow plugin must be activated to enable multitenancy support.

    To activate the plugin:
    1. Sign in at https://developer.servicenow.com/ with the email account associated with your instance.
    2. From My Instance, under Instance Action, select Activate Plugin.
    3. Search for the plugin and click Activate > Activate plugin.
    4. When you click on "Activate plugin", a request is sent for plugin activation. Once the plugin is activated, you will receive a notification email.
    5. Now that the plugin is activated on the instance, you can install the application.

Install the App

There is an ITSM App and a SecOps App available. The one you install will depend on whether you have the ITSM or SecOps module in ServiceNow.

Installation requires either:

  • the built-in ServiceNow System Administrator role, or
  • the VMware CBC Admin (x_vmw_cb_connector.admin) role. This role will only be available if it has been configured during a previous installation of a Carbon Black Cloud app.

1. Download the VMware Carbon Black Cloud ITSM or SecOps app from the ServiceNow App Store for your ServiceNow instance, entering your user credentials when prompted. The app you should download is determined by the ServiceNow module you are using:
   • VMware Carbon Black Cloud for IT Service Management
   • VMware Carbon Black Cloud for Security Operations
2. Log in to the ServiceNow instance on which you want to install the application.
3. Navigate to System Applications > All Available Applications > All.
4. Click the Not Installed tab. A list of applications available for installation will be displayed.
5. Locate the VMware Carbon Black Cloud ITSM or SecOps app, select it, and click Install.
6. The application will be installed on your instance.

Configure API Access

ServiceNow requires an API key with the appropriate permissions to make the API calls. Create the key in Carbon Black Cloud.

Get your Org Key from Carbon Black Cloud on the General > Settings page.

Get the Carbon Black Cloud URL from the Authentication Page or the URL when you are logged in to the Carbon Black Cloud console.

The ITSM and SecOps Apps support the same actions.

Note: SOAR Actions are available based on their availability in the sensors deployed and the permissions configured for the API credentials.

ServiceNow Action                             Notation Name              Permissions
--------------------------------------------  -------------------------  --------------------
Configuration Profile - Create/Update/Delete  org.alerts                 READ
Alert Filtering - Create/Update/Delete        org.alerts                 READ
Incident Creation - Create/Update/Delete      org.alerts                 READ
Field Mapping - Create/Update/Delete          org.alerts                 READ
Scheduling - Create/Update/Delete             org.alerts                 READ
Alert Ingestion - Update                      org.alerts                 READ
Bi-Directional Sync                           org.alerts                 READ
Close Incident and Alert Dismissal            org.alerts.dismiss         EXECUTE
Manual Alert Dismissal                        org.alerts.dismiss         EXECUTE
Ban / Unban Process Hash                      org.reputations            CREATE
Delete File on Endpoint                       org.liveresponse.session   CREATE, READ, DELETE
                                              org.liveresponse.file      READ, DELETE
Dismiss Alerts                                org.alerts.dismiss         EXECUTE
Get Process Metadata                          org.search.events          CREATE, READ
Get Binary Metadata from UBS                  ubs.org.sha256             READ
Get Endpoint Information                      device                     READ
Get Enriched Events                           org.search.events          CREATE, READ
Get Running Processes                         org.liveresponse.session   CREATE, READ, DELETE
                                              org.liveresponse.process   READ
Update Endpoint Policy                        device.policy              UPDATE
Quarantine / Unquarantine Endpoint            device.quarantine          EXECUTE
Kill Process on an Endpoint                   org.liveresponse.session   CREATE, READ, DELETE
                                              org.liveresponse.process   READ, DELETE
Add or Remove an IoC to or from a Feed        org.feeds                  CREATE, UPDATE

In Carbon Black Cloud:

  1. Create a custom access level with the required permissions from the previous table.
  2. Create an API Key of type Custom and assign the Access Level created in the previous step.

See Authentication for details about API Keys in Carbon Black Cloud.

In VMware Cloud Services Platform:

  1. Create a custom role with the required permissions from the previous table.
  2. Create an OAuth App and assign the custom role created in the previous step.

See Authentication for details about API Keys in Carbon Black Cloud.
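The custom access level should carry only the permissions for the actions you will actually enable in ServiceNow. The following added example (not code from the Carbon Black Cloud ServiceNow apps) transcribes the permissions table above, derives the least-privilege set for a chosen list of actions, and audits an existing access level against it; the short action keys are labels chosen for this example.

```python
# Added example, not part of the VMware Carbon Black Cloud ServiceNow apps.
# Entries are transcribed from the permissions table above; the short action
# keys are labels chosen here, not identifiers used by the apps.
REQUIRED = {
    "alert_ingestion":        {"org.alerts": {"READ"}},   # profile, filtering, incident
                                                          # creation, mapping, scheduling, sync
    "alert_dismissal":        {"org.alerts.dismiss": {"EXECUTE"}},
    "ban_unban_hash":         {"org.reputations": {"CREATE"}},
    "delete_file":            {"org.liveresponse.session": {"CREATE", "READ", "DELETE"},
                               "org.liveresponse.file": {"READ", "DELETE"}},
    "process_metadata":       {"org.search.events": {"CREATE", "READ"}},
    "binary_metadata_ubs":    {"ubs.org.sha256": {"READ"}},
    "endpoint_information":   {"device": {"READ"}},
    "enriched_events":        {"org.search.events": {"CREATE", "READ"}},
    "running_processes":      {"org.liveresponse.session": {"CREATE", "READ", "DELETE"},
                               "org.liveresponse.process": {"READ"}},
    "update_endpoint_policy": {"device.policy": {"UPDATE"}},
    "quarantine_endpoint":    {"device.quarantine": {"EXECUTE"}},
    "kill_process":           {"org.liveresponse.session": {"CREATE", "READ", "DELETE"},
                               "org.liveresponse.process": {"READ", "DELETE"}},
    "ioc_feed":               {"org.feeds": {"CREATE", "UPDATE"}},
}


def minimal_permissions(enabled_actions):
    """Union of the permissions the enabled actions need, and nothing else."""
    needed = {}
    for action in enabled_actions:
        for notation, perms in REQUIRED[action].items():
            needed.setdefault(notation, set()).update(perms)
    return needed


def audit_access_level(granted, enabled_actions):
    """Compare a custom access level (notation -> set of permissions) with the
    minimal set. Returns (missing, excess): missing permissions make actions
    fail, excess permissions are privilege the integration key does not need."""
    needed = minimal_permissions(enabled_actions)
    missing, excess = {}, {}
    for notation, perms in needed.items():
        gap = perms - granted.get(notation, set())
        if gap:
            missing[notation] = gap
    for notation, perms in granted.items():
        extra = perms - needed.get(notation, set())
        if extra:
            excess[notation] = extra
    return missing, excess


if __name__ == "__main__":
    # Constructed case: a deployment that only ingests alerts, dismisses them and
    # quarantines endpoints, with a key that was also given Live Response rights.
    enabled = ["alert_ingestion", "alert_dismissal", "quarantine_endpoint"]
    key = {"org.alerts": {"READ"}, "org.alerts.dismiss": {"EXECUTE"},
           "org.liveresponse.session": {"CREATE", "READ", "DELETE"}}
    print(audit_access_level(key, enabled))
    # missing: device.quarantine EXECUTE; excess: org.liveresponse.session CREATE, READ, DELETE
```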


Configure Roles and Users

There are two application-specific roles to be configured in ServiceNow: one with the privileges to administer the apps and one for analysts.

After these roles have been configured, grant them to users.

  1. The built-in ServiceNow System Administrator role grants users with that role the permissions to:
    • Install the integration application plugins
    • Read, write and delete any record
    • Execute all the SOAR actions
    • View Application Logs
    • Access Support Contact
    • Uninstall the Application
The included roles need permissions added to them. For the ITSM App:
1. Navigate to the Roles page from the ServiceNow search menu on the left.
2. Find and open the role `x_vmw_cb_connector.admin`.
3. Scroll down and click on the “Edit” button.
4. Search for the roles to be added. For each role, select it and move it to the `Contains Roles` list by either double-clicking on the role or clicking on the right arrow.

To VMware CBC Admin (x_vmw_cb_connector.admin) add the roles:
• itil
• itil_admin
• export_set_scheduler
• flow_operator
• workflow_admin

This will grant users with that role the permissions to:
• Install the integration application plugins
• Create Users
• Configure the application for REST API approach or Data Forwarder with AWS S3 Bucket approach
• View Application Logs
• Manually create an Incident from Alerts
• Configure automatic creation of an Incident from Alerts
• Manually dismiss an Alert
• Close Incidents
• Perform SOAR action on Alerts
• Access Support Contact.

5. Repeat steps two to four to add the following roles to VMware CBC Analyst (x_vmw_cb_connector.analyst):
• itil
• itil_admin
• export_set_scheduler
• flow_operator

This will grant users with that role the permissions to:
• Access the Application
• Manually create an Incident from Alerts
• Manually dismiss an Alert
• Close Incidents
• Perform SOAR action on Alerts
• Access Support Contact.

For the SecOps App, the steps are the same; screenshots for each step are included in the ITSM roles configuration above.
1. Navigate to the Roles page from the ServiceNow search menu on the left.
2. Edit the following bundled roles by searching for each bundled role and then selecting Contains Roles > Edit.
3. To VMware CBC Admin (x_vmw_cb_connector.admin) add the roles:
• sn_si_admin
• export_set_scheduler
• flow_operator
• workflow_admin

This will grant users with that role the permissions to:
• Install the integration application plugins
• Create Users
• Configure the application for REST API approach
• View Application Logs
• Manually create a Security Incident from Alerts
• Configure automatic creation of an Incident from Alerts
• Manually dismiss an Alert
• Close Incidents
• Perform SOAR action on Alerts
• Apply MITRE Classification
• Access Support Contact.

4. To VMware CBC Analyst (x_vmw_cb_connector.analyst) add the roles:
• sn_si_analyst
• export_set_scheduler
• flow_operator

This will grant users with that role the permissions to:
• Access the Application
• Manually create an Incident from Alerts
• Manually dismiss an Alert
• Close Incidents
• Perform SOAR action on Alerts
• Apply MITRE Classification
• Access Support Contact.
Add or modify users to assign the Analyst or Admin role as required.
User management requires the System Administrator role.

To create a User:
1. Navigate to Organization > Users.
2. Click the Users module.

3. Above the User ID list, click on the “New” button. A new User form displays.

4. Fill in the form.
• User ID - Unique User ID for the role in the current ServiceNow Platform instance.
• First Name - First Name of the user being created
• Last Name - Last Name of the user being created
• Title - Job Title, for example, Security User
• Password - Unique password created for this user
• Email - Unique email address
5. Click “Submit.” Now the user has been created. See the next section to assign roles.

To assign roles to a user:
1. Click the name of the user you want to assign new roles to.
2. Once the record is open, scroll down to the Roles tab and click “Edit”.
3. When the Edit Members form displays, select the required roles from the Collection list and move them to the Roles list.
• Assign x_vmw_cb_connector.admin to administrators of the Carbon Black Cloud app. Users with this role can configure the applications as well as do everything an analyst can.
• Assign x_vmw_cb_connector.analyst to other users of the Carbon Black Cloud app. Users with this role can create tickets and perform actions in the integration, and are limited to viewing the configuration.
4. Click Save.


Configure a profile

A profile is required to control the rules for ingestion of data and incident creation.

To configure a new profile, the VMware CBC Admin role is required.

Create a new Configuration Profile. This starts a wizard that walks you through configuring the ServiceNow App. Differences between the ITSM App and SecOps App are few and clearly identified.
1. Log in to the ServiceNow instance.
2. Navigate to VMware Carbon Black Cloud > Configurations.
3. Click on the “New” button to create a Configuration Profile.
4. Select “Carbon Black Cloud - ServiceNow ITSM Integration” or “Carbon Black Cloud - ServiceNow SecOps Integration” from the “Select Integration to Create Incidents” dropdown, based on the ServiceNow module you are using.
5. Enter a unique “Name”, “Order”, and “Description” in the Overview section.
• Multiple values can be entered in the Order field by separating the integers with spaces.
6. Enter a valid “Base URL”, “Org Key”, “API ID”, and “API Secret Key” in the Credentials section. These are the values obtained from Carbon Black Cloud in the earlier Configure API Access section.
• If you are using an OAuth App, enter the App ID in the field labelled API ID and the App Secret in the field labelled API Secret Key.
• For Alert Ingestion Approach, choose REST API. The Data Forwarder option will be added in a future release.

Optional: If configuring the action `Add IOC to Feed`:
• Check the “Add/Remove IoC details” checkbox to enable the configuration fields.

Provide the following fields:

• Watchlist name: Provide the name of an existing classifier watchlist, or a new name for the watchlist.
  If the watchlist specified does not exist, the application will create it.
  If the watchlist exists but is not valid, the following error is raised: "Watchlist must be empty or subscribed to a Feed"
• Report prefix: Provide the prefix for the report that will be created to hold the IOCs.
• Report severity: Specify the report severity.

Click the “Next” button to advance to the next tab.
Three types of alerts are supported for ingestion into ServiceNow, depending on which Carbon Black Cloud products are enabled:
• CB Analytics Alerts
• Device Control Alerts
• Watchlist Alerts

Note: Alert Filtering is only supported when Alerts are ingested using the API. It is not supported for the Data Forwarder Ingestion method.

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on “Alert Filtering”.

• Uncheck any alert types you do not want to ingest from Carbon Black Cloud.
• Select the Minimum severity from 1-10. By default, the value is 3 for each Alert type.
• Optional: For more granular control of alert filtering, use the Custom Query field to query for a specific set of alert criteria.

Optional: Set conditions for when Carbon Black Cloud alerts should automatically generate ServiceNow Incidents or ServiceNow Security Incidents (for the ITSM and SecOps Apps respectively). If you do not want to create incident creation criteria, skip the step by clicking “Next”.

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on “Incident Creation”.

• An incident will be created automatically only if the "Apply Incident Creation" checkbox has been checked and the condition given in the Incident Creation field has been satisfied.

• Click on the “Apply Defaults” button to get a suggested default value for any settings.

• Check the default values to verify that the settings are what you want for the Incident Creation criteria.

• To set custom criteria for automatic incident creation, select an Incident Condition field.

• Provide corresponding values that meet the condition.

• Use the “OR” and “AND” operators to combine conditions.

• Click on “Add Criteria” to add more conditions as needed.

• Click the “Next” button to save changes and advance to the next tab.

Note: Only a user with the application admin role can delete alerts. When alerts are manually deleted by a user and an incident is already associated with them, the user has to manage the incident manually.
Optional: Aggregate (group) multiple alerts into one Incident based on matching conditions. If you don’t want to create new alert aggregation criteria, skip the step by clicking the “Next” button.

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on “Incident Creation”.

• Optional: Click on the “Apply Defaults” button to check the "Aggregate Alerts" option and populate suggested aggregation criteria.

• Review the default criteria.

If you did not apply defaults and want to configure aggregation rules, check the “Alert Aggregation” checkbox.

• To set custom aggregation criteria select the value from the list and press enter.

• Click on “New Criteria” to add more alert aggregation conditions

• Click the “Next” button to save changes and advance to the next tab.

Map Carbon Black Cloud alert fields to ServiceNow ITSM Incident fields.

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on “Field Mapping”.

• All alert fields are available for data mapping except Updated by, Effective number, Created by, Number, and Risk change.


• Click the “Apply Defaults” button to get suggestions for data mapping.

• Review the default values.

• If these are not correct for your environment, configure custom mappings.

• Drag the Carbon Black Cloud alert field and drop it in the desired Incident field in the “Input Expression”.
• Different Incident or Security Incident (for the ITSM and SecOps Apps respectively) fields can be selected from the dropdown list as needed.

• Provide input expression values by entering a value in the text field.

• Add or remove the Incident fields by clicking on the plus (+) or minus (-) buttons respectively.

• Click the Next button.
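To see how the Alert Filtering, Incident Creation, Alert Aggregation and Field Mapping tabs combine on real traffic, here is an added example (not the ServiceNow app's code) that models those four stages over constructed sample alerts; the field names, operators and expression syntax are assumptions made for this illustration, not the app's own.

```python
# Added example, not code from the Carbon Black Cloud ServiceNow apps.
from collections import defaultdict

# Constructed sample alerts, not real Carbon Black Cloud data.
SAMPLE_ALERTS = [
    {"id": "a1", "type": "CB_ANALYTICS", "severity": 7, "device_name": "ws-01", "threat_id": "t-100"},
    {"id": "a2", "type": "CB_ANALYTICS", "severity": 2, "device_name": "ws-01", "threat_id": "t-100"},
    {"id": "a3", "type": "WATCHLIST", "severity": 5, "device_name": "srv-02", "threat_id": "t-200"},
    {"id": "a4", "type": "DEVICE_CONTROL", "severity": 4, "device_name": "ws-03", "threat_id": "t-300"},
    {"id": "a5", "type": "WATCHLIST", "severity": 9, "device_name": "srv-02", "threat_id": "t-200"},
]

# Alert Filtering tab: checked alert types with their minimum severity (default 3).
# DEVICE_CONTROL is left unchecked here, so those alerts are never ingested.
FILTERING = {"CB_ANALYTICS": 3, "WATCHLIST": 3}

# Incident Creation tab: an OR-list of AND-groups of (field, operator, value) tests.
INCIDENT_CONDITION = [
    [("severity", ">=", 7)],                                # OR
    [("type", "==", "WATCHLIST"), ("severity", ">=", 5)],   # AND inside a group
]
OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b}

# Aggregation criteria: alerts that match on these fields share one incident.
AGGREGATE_ON = ("device_name", "threat_id")

# Field Mapping tab: incident field -> input expression built from alert fields.
FIELD_MAPPING = {"short_description": "CBC {type} alert on {device_name}",
                 "description": "Severity {severity}, threat {threat_id}"}


def filter_alerts(alerts, filtering):
    """Keep only alerts of a checked type that reach that type's minimum severity."""
    return [a for a in alerts
            if a["type"] in filtering and a["severity"] >= filtering[a["type"]]]


def meets_condition(alert, condition):
    """True when any AND-group of the condition holds for the alert."""
    return any(all(OPS[op](alert[field], value) for field, op, value in group)
               for group in condition)


def build_incidents(alerts, agg_keys, mapping):
    """Group alerts by the aggregation fields, then map the first alert of each
    group onto the incident fields via the input expressions."""
    groups = defaultdict(list)
    for a in alerts:
        groups[tuple(a[k] for k in agg_keys)].append(a)
    return [{"alert_ids": [a["id"] for a in grp],
             **{field: expr.format_map(grp[0]) for field, expr in mapping.items()}}
            for grp in groups.values()]


def run_profile(alerts):
    """Return (ingested alert ids, incidents) as an active profile would produce them.
    Alerts that pass filtering but not the condition are stored without an incident."""
    ingested = filter_alerts(alerts, FILTERING)
    eligible = [a for a in ingested if meets_condition(a, INCIDENT_CONDITION)]
    return [a["id"] for a in ingested], build_incidents(eligible, AGGREGATE_ON, FIELD_MAPPING)
```

With the sample data, a2 is dropped by the severity floor, a4 by the unchecked type, and a3 and a5 are aggregated into one incident because they match on device and threat.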

Configure when or how often data is collected from Carbon Black Cloud. There are two settings that can be configured:
1. Recurring Data Collection - for periodic ingestion of alerts; normal running.
2. One-Time Data Collection - for example, to populate recent data on initial setup or fill in a missing period of data

To change this configuration after the initial setup, navigate to VMware Carbon Black Cloud > Configurations and click on “Scheduling”.


• Check the Recurring data collection checkbox.
• Enter the time interval in seconds.
• Select the Collection Start time from the calendar. The Collection Start date must be a future date or within 15 days prior to the current date.

Optional:
• To configure alert data ingestion for a bounded window of time in the past, check the One Time Collection checkbox.
• Provide the Collection Start Time for the window. Only past date/times, up to the current time minus 15, are accepted.
• Provide the date/time for the Collection End Time of the window.

• Click the Finish button.

• After clicking Finish, a pop-up window warns that the profile is inactive and gives the option to Activate the profile or Save as an Inactive profile.

• Next you are navigated to the Configurations page where the profile created is in the list.

If you saved your configuration profile as inactive, you can activate it later.
• Navigate to the Configurations page.
• Select the checkbox next to the profile.
• Choose the “Activate” action from the “Actions on selected rows” dropdown.

Only one Configuration Profile per Carbon Black Cloud Org Key can be active at a time. If you try to activate another profile with the same Org Key, a message will appear informing you that the profile was not activated.

Deactivate a profile
• Navigate to the Configurations page.
• Select the checkbox next to the profile.
• Choose the “Deactivate” action from the “Actions on selected rows” dropdown.
The app is now ready to use. The Alerts page will be populated at a rate that depends on how often alerts are created in Carbon Black Cloud and on the ingest scheduling in ServiceNow.

Uninstall the App

To uninstall the app, the built-in System Administrator role is required.

• Navigate to System Applications > All Available Applications > All.
• Check the Installed checkbox in the Obtained dropdown.
• Search for the application in the Search Bar.
• Once you locate the application, click the three dots on the right side and choose “Uninstall”.

If the Carbon Black Cloud API Key is no longer being used, it should be deleted from Carbon Black Cloud.

Support and Resources

Last modified on July 15, 2022