Apps for ServiceNow - User Guide


Overview

Depending on what features you have with ServiceNow, Carbon Black offers two main Integration apps:

  • ITSM App: When an alert occurs in Carbon Black Cloud, create a ticket in ServiceNow. The VMware Carbon Black Cloud integration with the ServiceNow IT service management (ITSM) module provides endpoint device context and metadata within tickets to streamline IT workflows and reduce manual data collection.
  • SecOps App: When an alert occurs in Carbon Black Cloud, create an incident in ServiceNow. The VMware Carbon Black Cloud integration with the ServiceNow SecOps module provides access to additional endpoint response actions, threat intelligence and metadata to contextualize and accelerate security investigations.

Both apps rely on the Base App, which manages the connection between Carbon Black Cloud and ServiceNow and integrates relevant endpoint alerts and context directly into ServiceNow ticketing and incident workflows. The Base App is installed automatically when you install the ITSM App or the SecOps App.

Roles and Permissions

For all actions described in this user guide, the VMware CBC Analyst (x_vmw_cb_connector.analyst) role is required.

Configuration of the application, including of profiles, requires VMware CBC Admin (x_vmw_cb_connector.admin). Details on Roles and Users are on the Configuration page.

Domain Separation (Multi-tenancy)

  • Use the Domain Separation feature to isolate Carbon Black Cloud data from different organizations and manage access controls.
  • You must activate the Domain Support - Domain Extensions Installer plugin to use this feature.
  • Use the Domain Separation feature to create child domains and assign users to a specific domain.
  • Users can have multiple child domains assigned to a Parent domain.
  • Each child domain can have separate Configuration Profiles with different alert records.

Alert Ingestion

Alerts are ingested from Carbon Black Cloud and populate the Alerts table in ServiceNow.

Configure a profile to ingest Alerts from Carbon Black Cloud into ServiceNow.

Three types of alerts are supported for ingestion into ServiceNow, depending on the Carbon Black Cloud subscription you have purchased:

  • CB Analytics Alerts
  • Device Control Alerts
  • Watchlist Alerts

Once you configure the Profile and activate data collection for the REST API approach, the connector app fetches the alerts from Carbon Black Cloud and populates them in the Alerts table in ServiceNow.

• Navigate to VMware Carbon Black Cloud > Alerts.

• Open any Alert record.

Automatic Incident Creation

Configure a profile to have ServiceNow ITSM Incidents (ITSM App) or ServiceNow Security Incidents (SecOps App) created automatically when Alerts are ingested, based on Incident Creation and Alert Aggregation settings.

  • If the “Apply Incident Creation” checkbox is enabled, the app will automatically create an Incident based on the Incident Creation and Alert Aggregation criteria specified.
  • If you have provided any conditions for Alert Aggregation, the app will create an Incident and link alerts to it based on those Alert Aggregation conditions.
  • Alert fields are mapped to Incident fields based on the saved profile in the Field Mapping section of the Configuration Profile.

Manual Incident Creation

Incidents can be created manually from alerts: a ServiceNow ITSM Incident if you are using the ITSM App, or a ServiceNow Security Incident if you are using the SecOps App. The fields of a manually created Incident are populated based on the Field Mapping settings of the Configuration Profile that ingested the alert.

Incidents can only be created for alerts in an Open state.

You must select “Carbon Black Cloud - ServiceNow SecOps Integration” or “Carbon Black Cloud - ServiceNow ITSM Integration” in the “Select Integration To Create Incident” field in the Configuration profile in order to create Incidents from alerts.

• Navigate to VMware Carbon Black Cloud > Alerts


• Click to view any alert record in an Open state.

• Click on the "Create Incident" button (top/bottom).

• An Incident will be created for that alert, alert fields mapped to the Incident field, and the Security Incident ID displayed in the alert record.

• Open the Incident by clicking “Preview this record” > “Open record”.

To view the list of alerts associated with an Incident:

• Scroll down on the Incident page.
• Under “Related Links,” click on “Show All Related Lists”.
• A new set of tabs will appear underneath.
• Click on the “Alerts” tab to view the list of alerts associated with the Incident.

An Alert can be manually added to an existing Incident:

• Go to the Alert page.
• Click on the “Search” button next to the “Incident” field (i.e. “Lookup using list”).
• The Incident table will open in a new tab.
• Search for and select an Incident to attach the alert to it.
• The alert is now attached to the Incident. Open the Incident from the reference provided, as described in the steps above.

Bi-Directional Sync

Updating the status of alerts in either ServiceNow or Carbon Black Cloud will result in the update flowing to the other system.

  • Dismissing an alert in ServiceNow will also dismiss the alert in Carbon Black Cloud. This happens automatically.
  • When an Alert is Dismissed or Undismissed in Carbon Black Cloud, use the “Sync Selected Alerts” function to update the alert’s state in ServiceNow.
  • Note: The alerts table may appear differently in different browsers.

Synchronise when Alerts are Dismissed and Undismissed in Carbon Black Cloud

If an alert was Dismissed or Undismissed in Carbon Black Cloud, synchronise the ServiceNow status by clicking the “Sync Selected Alerts” button.

  • If an alert is dismissed in Carbon Black Cloud, then in ServiceNow the alert, workflow, remediation status, and close note will update.
  • If an alert is undismissed in Carbon Black Cloud, in ServiceNow the alert status will update to “OPEN,” and the workflow, remediation status and close note will also update.

Use this procedure after Alerts that were ingested to ServiceNow have been Dismissed or Undismissed in the Carbon Black Cloud console.

• In ServiceNow, open the Alerts table.
• Select the alerts that were updated in Carbon Black Cloud to synchronise them with ServiceNow.
• Click the “Sync Selected Alerts” button.

• A pop-up will display the message “Selected alerts synced successfully with Carbon Black Cloud alerts.”

• The app updates the status, workflow, remediation status and close note for each Alert record in ServiceNow based on the status in Carbon Black Cloud.
• Open the selected alerts in ServiceNow and check the status, workflow, remediation status and close note.

Close Incident

When an Incident is closed, if there are open alerts associated with it then a consent form appears to select the alerts you want to dismiss before closing the Incident. The consent form will not appear if all alerts associated with the Incident are already dismissed.

To close an ITSM Incident (ITSM App):

• Navigate to the ITSM Incident to be closed.
• Go to the State field and select Closed.
• Fill out the mandatory fields: Caller information, Resolution notes, and Resolution code.
• Right-click on the incident taskbar and select the Save option.
• After clicking Save, a consent form displays.
• Choose the alerts to dismiss when the ITSM Incident is closed.
• Click the Resolve button. Clicking the Resolve button will close the ITSM Incident and dismiss only the selected alerts.
• The ITSM Incident is resolved.

To close a Security Incident (SecOps App):

• Navigate to Security Incident > Show All Incidents.
• Select the Incident to be closed.
• Go to the State field and select Recover.
• Right-click on the security incident taskbar and select the Save option.
• For “State”, select “Closed”.
• Provide the appropriate close code and close note in Closure Information.
• Right-click on the security incident taskbar and click the Save option.
• After clicking Save, a consent form displays.
• Choose the alerts to dismiss when the Security Incident is closed.
• Click the Resolve button. Clicking the Resolve button will close the Security Incident and dismiss only the selected alerts.
• The Security Incident is resolved.
• The selected alerts will be dismissed.

MITRE TTP Classification - SecOps App Only

Using the Threat Intelligence plugin, TTPs from Carbon Black Cloud alerts are enriched and visualized in ServiceNow Security Incident tickets using the MITRE ATT&CK framework.

Install and configure the Threat Intelligence plugin before performing MITRE TTP classification on a Security Incident.

The Threat Intelligence plugin and MITRE TTP Classification are only available when using the ServiceNow SecOps module.

MITRE TTP classification is compatible with alerts whose Alert Type is CB_ANALYTICS.

  • When a Security Incident is created from an alert whose Alert Type is CB_ANALYTICS, the MITRE TTPs from the Alert’s Threat Indicators field are mapped to the Security Incident’s “MITRE ATT&CK Technique” field. If there are multiple TTP values, they are mapped as a list separated by commas (,).
  • MITRE TTP Classification works on Security Incidents created both manually and automatically.
  • If field mappings are included in the Profile for the MITRE Fields, then they are overridden according to the MITRE TTP present in corresponding Alerts.
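The classification described above, as an added illustration that is not the Carbon Black Cloud app's own code: it collects MITRE technique IDs from the TTPs of every CB_ANALYTICS alert linked to a Security Incident and builds the comma-separated value for the “MITRE ATT&CK Technique” field, returning an empty value when no linked alert carries a MITRE TTP. The alert field names (type, threat_indicators[].ttps) and the "MITRE_T1059_..." TTP string form are assumptions modelled on Carbon Black Cloud alerts; the sample alerts are constructed, and looking up technique names (which the Threat Intelligence plugin supplies) is left out.

```javascript
// Added example, not the app's code. Alert shape is an assumption:
// { type: "CB_ANALYTICS", threat_indicators: [ { process_name, ttps: [...] } ] }

// Extract de-duplicated MITRE technique IDs (e.g. "T1059", "T1059.001") from
// one alert. TTPs are assumed to look like "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER";
// non-MITRE TTPs such as "RUN_UNKNOWN_APP" carry no technique ID and are skipped.
function mitreTechniquesForAlert(alert) {
  const ids = [];
  // Classification applies only to CB_ANALYTICS alerts (see the guide above).
  if (alert.type !== "CB_ANALYTICS") return ids;
  for (const indicator of alert.threat_indicators || []) {
    for (const ttp of indicator.ttps || []) {
      const m = /^MITRE_(T\d{4}(?:\.\d{3})?)_/.exec(ttp);
      if (m && !ids.includes(m[1])) ids.push(m[1]);
    }
  }
  return ids;
}

// Build the "MITRE ATT&CK Technique" value for a Security Incident from all of
// its linked alerts: one comma-separated list with duplicates removed across
// alerts. An empty string means the field would not be populated.
function mitreFieldForIncident(alerts) {
  const seen = new Set();
  for (const a of alerts) {
    for (const id of mitreTechniquesForAlert(a)) seen.add(id);
  }
  return Array.from(seen).join(",");
}

// Constructed sample alerts: two CB_ANALYTICS alerts sharing one technique,
// plus a WATCHLIST alert that must be ignored even though it lists a TTP.
const sampleAlerts = [
  { id: "alert-1", type: "CB_ANALYTICS", threat_indicators: [
      { process_name: "powershell.exe",
        ttps: ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER", "RUN_UNKNOWN_APP"] } ] },
  { id: "alert-2", type: "CB_ANALYTICS", threat_indicators: [
      { process_name: "cmd.exe",
        ttps: ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER", "MITRE_T1105_REMOTE_FILE_COPY"] } ] },
  { id: "alert-3", type: "WATCHLIST", threat_indicators: [
      { ttps: ["MITRE_T1003_OS_CREDENTIAL_DUMP"] } ] },
];

console.log(mitreFieldForIncident(sampleAlerts)); // T1059,T1105
```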

• Navigate to Alerts.
• Select alerts whose Alert Type is "CB_ANALYTICS".
• On the alert, view the Threat Indicator > TTPS field to check whether the alert has MITRE TTP values. (If not, the MITRE ATT&CK Technique field on the Incident will not be populated.)
• Click on the Create Security Incident button.
• Once the Security Incident is created, check its “MITRE ATT&CK Technique” value, which contains a comma-separated list of all the TTPs that are part of this Security Incident.
• MITRE ATT&CK Technique will display the MITRE TTP ID and MITRE TTP name from the linked alerts.
• These can be visualized in the MITRE ATT&CK matrix under the “MITRE ATT&CK Card” tab on the Security Incident page.
• In the example above, the Security Incident has multiple alerts, so it has multiple MITRE TTP values.

SOAR (Security Orchestration, Automation, and Response) Actions

The Apps have a collection of SOAR (Security Orchestration, Automation, and Response) actions that are initiated on Alerts from the Security Incident record page in ServiceNow and execute in Carbon Black Cloud.

To execute a SOAR action:

  • Log in to ServiceNow.
  • Navigate to an Incident that has alert(s) linked to it.
  • In the Related Links section, click on Show All Related lists > Alerts.
  • Select one or more alerts.
  • From Actions on Selected Rows, Select the SOAR action to execute.


Each supported action is described in the following section.

Note: SOAR Actions are available based on their availability in the sensors deployed and the permissions configured for the API credentials.

Ban a process hash for selected alerts.
Selecting the Ban process hash action displays a pop-up with three fields:
• Process Name
• Process Hash
• Description

The threat_cause_actor_sha256 field from the alert record is the hash to be banned.
You can update any of the details in the pop-up form before initiating the ban.

Unban a process hash for selected alerts.
Selecting the Unban process hash action displays a pop-up with one field:
• Process Hash

The threat_cause_actor_sha256 field from the alert record is the hash to be unbanned.
You can update the process hash field in the pop-up form before initiating the unban.

Delete a file on the endpoint of selected alerts.
• Selecting this action displays a pop-up asking you to confirm that you want to delete the file.
• The file named in the “threat_cause_actor_name” field of the selected alerts will be deleted.
• If you try to run this action on an alert that does not have a “threat_cause_actor_name” file attached to it, the action will not execute and a worknote is added to the Incident.

Dismiss Alerts in ServiceNow; the workflow change will be sent to Carbon Black Cloud.
Alerts must be in the Open state to be dismissed.

• Navigate to Alerts.
• Select any alert record that is in the Open state.
• Click on Dismiss Alert (top/bottom).
• Select an appropriate value from the Reason dropdown field and optionally add a comment. This comment will be written to the alert and visible in Carbon Black Cloud.
• Click on OK to dismiss the alert.
• The alert is dismissed in ServiceNow and in Carbon Black Cloud.
• After successful dismissal, the alert state is updated to Dismissed.
• Workflow, Remediation State and Close Note are also updated for that alert.

Fetch process details of selected alerts from the Security Incident’s related list.
• Updates the Process Metadata field of the selected alerts.
• View the Process Metadata record by navigating through the Alert record.

Get the metadata of the binary file associated with particular alerts from the Security Incident’s related list.
• Updates the Binary file metadata field of the selected alerts.
• View the Binary file metadata record by navigating through the Alert record page.

Get endpoint information for selected alerts from the Security Incident’s related alert list.
• Endpoint information is displayed in the “Endpoint Info” table at the bottom of the alert record page for the selected alerts after “Get Endpoint Info” completes successfully.
• Associated alerts are displayed in the Endpoint Info record’s related list.
• Associated Endpoint Info is displayed in the Alerts table’s related list.

Get the enriched events for particular alerts from the Security Incident’s related alert list.
• Stores the Enriched Events data of the selected alerts in a table named “Events” at the bottom of the Alert record page.
• A list field in the Enriched Events table stores the alert IDs of the alerts associated with each enriched event.
• This is only available for alerts of type CB_ANALYTICS.

Get a list of running processes on an endpoint (device ID) associated with the alerts in the Security Incident’s related alert list.
• A confirmation pop-up is displayed after performing “Get Running Process”.
• Processes are displayed in the “Running processes” table at the bottom of the Alert record page.
• A reference to the alert is included. Use it to navigate from the running process record to its associated alert(s) and back.

Update the policy for the endpoint of selected alerts.
• Enter the Policy ID of the new Policy to apply to the endpoint.
• The updated Policy ID and Policy Name will display in the selected alert records.

To find the Policy ID in the Carbon Black Cloud URL:
• Log in to Carbon Black Cloud.
• Click on Enforce in the left side menu.
• Click on the Policies option and select a specific Policy from the list.
• Check the URL. The numerical value at the end of the URL is the Policy ID.

Quarantine the endpoints associated with the selected alerts.
• On successful execution, a note is posted to Carbon Black Cloud that reads, “Device associated with this alert has been quarantined from ServiceNow.”
• If this action is run on alerts whose device OS is “LINUX” or “MAC” and sensor version is less than “2.13”, a note displays in Carbon Black Cloud that reads, “This action is not supported on Linux devices with sensor version less than 2.13 installed.”
• If the action is successful, a worknote message is added to the Incident record indicating that the action occurred.

Unquarantine the endpoints associated with the selected alerts.
• On successful execution, a note is posted to Carbon Black Cloud that reads, “Device associated with this alert has been unquarantined from ServiceNow.”
• If this action is run on alerts whose device OS is “LINUX” and sensor version is less than “2.13”, a note displays in Carbon Black Cloud that reads, “This action is not supported on Linux devices with sensor version less than 2.13 installed.”
• If the action is successful, a worknote message is added to the Incident record indicating that the action occurred.

Add an Indicator of Compromise (IOC) to a specific Feed.
• The watchlist and report details must be configured in the Actions section of the Configuration Profile.
• Adding the IOC to the Feed affects the alerts generated for the watchlist type.
• If the Watchlist is configured correctly in the profile, a pop-up displays.
• Select the Field and provide the values of the IOC to be added to the Feed.
• The report is created or updated to add the IOC.
• If the Actions section in the associated Configuration Profile is not configured, a message indicates that you need to configure the action.

Remove an IOC from a specific Feed.
• The watchlist and report details must be configured in the Actions section of the Configuration Profile.
• Removing the IOC from the Feed can affect the alerts generated for the watchlist type.
• If the Watchlist is configured correctly in the profile, a pop-up displays.
• Select the Field and provide the values of the IOC to be removed from the Feed.
• The report is updated by removing the IOC.
• If the Actions section in the associated Configuration Profile is not configured, a message indicates that you need to configure the action.

Kill a running process on an endpoint of selected alerts.
• Perform this action from the Running Processes related list on the Alert record page.
• A confirmation dialog displays indicating that the kill process action has begun.
• On successful termination of the process, its state in the Running Processes table updates to “KILLED” and the process no longer displays in the “Running Processes” related list in the Alerts table.
• Because this action is executed from the “Running Processes” related list on the Alert record page, a worknote is created in the Security Incident for “Kill Process”.

Support and Resources

Last modified on July 15, 2022