Products‎ > ‎

ServiceNow Guide


Pre-Requisites


 ServiceNow Release: Istanbul or higher
 ServiceNow Plugin: Vulnerability Response
 sRTMS update set for ServiceNow

Plugin procedure

  1. Navigate to System Definition > Plugins.
  2. Right-click the plugin name "Vulnerability Response" on the list and select Activate/Upgrade.

Update Set procedure

  1. Elevate privileges to the security_admin role.
  2. Navigate to System Update Sets > Retrieved Update Sets.
  3. Click the link Import Update Set from XML.
  4. Click Choose File and select an XML file.
  5. Click Upload.

ServiceNow Role

  • Assign the role "x_85303_srtms.srtms_admin" to the ServiceNow fatstacks administrator.
 Role NameDescription 
 x_85303_srtms.srtms_admin fatstacks administrator role

ServiceNow API User

  • if ServiceNow CMDB is used as a discovery source. fatstacks will require a ServiceNow user with the following rules enabled.
 User Attributes/Roles Values Notes
 Active Yes 
 Web service access only Yes 
 Role(s) sam The user only needs read-access to:
  • cmdb_ci_computer
  • cmdb_sam_sw_install 


Getting Started


From the left nav, search for "fatstacks" > Settings 

  1. Under Settings > fatstacks Credentials
  2. Fill License, Login & Password with attributes received from fatstacks
  3. Under Settings > ServiceNow Source
  4. Enable ServiceNow Source, type ServiceNow Login & Password used by sRTMS to pull CMDB data
  5. Click "Run sRTMS"
  6. View Logical Vulnerabilities
    • fatstacks > Overview & ProductCVEs
    • Vulnerability > Overview & Vulnerable Items

Vulnerability Response

This integration is populating the native tables of the Vulnerability Response Plugin.

Vulnerable Items

For each open vulnerability identified by sRTMS a new Vulnerable Item will be created in ServiceNow.

The vulnerability will be created with the following datapoints:
  • Configuration Item
  • Vulnerability (cve)
  • Vulnerable software (cpe)
  • Installation
If the vulnerability has previously been created in ServiceNow by a 3rd party scanner (e.g: Qualys, Rapid7, Tenable). sRTMS won't create a duplicate entry, however it will analyze the existing vulnerability, and if key items are missing (Vulnerable Software, Installation), sRTMS will update the Vulnerable Item with this information.

servicenow vulnerable items
 

Navigation

This section describes the fatstacks navigation menu, and pages.

Menu "left nav"


servicenow left nav

Security Overview

This page displays the logical vulnerabilities identified by sRTMS

servicenow security overview

List of Widgets

 Widget Description
 Affected Devices Number of  devices affected by a vulnerability
 Open Vulnerabilities Total number of vulnerabilities across devices
 Severity Breakdown of vulnerability count per severity
 is Patch Available ? Breakdown of open vulnerabilities that could have been patched with a known available patch
 Top 10 Manufacturers Display Top 10 impacted manufacturers
 Top 10 Products Display Top 10 impacted products
 Top 10 Versions Display Top 10 impacted versions
 ProductCVEs Detail list of devices impacted by open vulnerability, group by severity


ProductCVEs

The ProductCVEs page contains the list of logical vulnerabilities identified by sRTMS.

servicenow product cves

Settings

Main tab "fatstacks Credentials"
servicenow settings fatstacks credentials


List of Actions

 Button Description
 Update Update the setting page
 Run sRTMS Launch a sRTMS process independently of the scheduler
 Stop sRTMS Stop running sRTMS process. Attention: depending of the sRTMS stage, user will need to also kill the active transaction to stop a running process

List of Attributes

 Tab Attribute Description State
 Main Service Service Name: sRTMS read only
 Main Last Run Last Time a sRTMS job was run read only
 Main Status Status of the current sRTMS job read only
 Main URL sRTMS URL
 Default value: http://13.64.112.137:11000/
 mantatory
 fatstacks Credentials License sRTMS License
 Unique per customer
 mantatory
 fatstacks Credentials Job Name sRTMS JobName
 Default Value: snow
 mantatory
 fatstacks Credentials Login sRTMS Login access
 Unique per customer
 mantatory
 fatstacks Credentials Password sRTMS Password access
 Unique per customer
 mantatory


ServiceNow Source

servicenow settings servicenow source

List of Attributes

 TabAttribute  Description State
 ServiceNow Source ServiceNow Source if enable: ServiceNow CMDB will be use as a sRTMS source.
 CMDB data will be sent to sRTMS for Logical Vulnerability identification
 
 ServiceNow Source ServiceNow Login User Login uses by sRTMS to call ServiceNow API
 User needs read access to CMDB tables:
  •  cmdb_ci_computer
  •  cmdb_sam_sw_install
Note: the "sam" role will satisfy the access mentioned above.

 mandatory: if ServiceNow  source is enabled

 ServiceNow Source ServiceNow Password User Password uses by sRTMS to call ServiceNow API mandatory: if ServiceNow  source is enabled
 ServiceNow Source ServiceNow API Page Size ServiceNow parameter "sysparam_limit".
 Limit the size of the records pull by each API call.
 
 ServiceNow Source Connect ModeThis attribute limits the data pull from ServiceNow
  •  Full
    • Use if data will be analyze outside of ServiceNow
  •  Partial
    • when ServiceNow data are combing with 3rd party sources, those fields are required for device's deduping across sources
  •  Anonym
    • Minimum attributes to perform Logical Vulnerability identification. No deduping are performed across sources

 Table Field FullPartial Anonym 
 cmdb_ci_computer sys_id y y  y 
 cmdb_ci_computer name y y 
 cmdb_ci_computer assigned_to y  
 cmdb_ci_computer ip_address y  
 cmdb_ci_computer mac_address y  
 cmdb_ci_computer last_discovered y y y
 cmdb_ci_computer hardware_status y y y
 cmdb_ci_computer virtual y y y
 cmdb_ci_computer manufacturer y y y
 cmdb_ci_computer model_id y y y
 cmdb_ci_computer model_number y y y
 cmdb_ci_computer serial_number y y 
 cmdb_ci_computer os y y y
 cmdb_ci_computer os_service_pack y y y
 cmdb_ci_computer os_version y y y
 cmdb_ci_computer os_address_width y y y
 cmdb_ci_computer install_date y y y
 cmdb_ci_computer cpu_count y y y
 cmdb_ci_computer cpu_core_thread y y y
 cmdb_ci_computer cpu_core_count y y y
 cmdb_sam_sw_install sys_id y y y
 cmdb_sam_sw_install installed_on y y y
 cmdb_sam_sw_install prod_id y y y
 cmdb_sam_sw_install publisher y y y
 cmdb_sam_sw_install display_name y y y
 cmdb_sam_sw_install version y y y
 cmdb_sam_sw_install install_date y y y

 
 ServiceNow Source Connect Data This attribute limits the scope of devices pull from ServiceNow
  •  All
    • all devices contains in the CMDB will be pull
  •  By Device Name
    • limit the API call by device name
  •  By Device ID
    • limit the API call by device id
  •  Last X Devices
    • limit the API call to the last X updated devices
 
 ServiceNow Source Device List (ID/Name) Type the list of device name or device id to pull.
 Use comma "," as the list separator
 Visible if Connect Data is equal to  "By Device Name" or "By Device ID"
 ServiceNow Source Last X DevicesNumber of devices to pull:
  •  10
  •  50
  •  100
  •  500
  •  1000
  •  5000
  •  10000
 Visible if Connect Data is equal to  "Last X Devices"

AWS Source

servicenow settings aws source

List of Attributes

 Tab Attribute  Description  State
 AWS Source AWS Source if enable: Amazon EC2 Systems Manager will be use as a sRTMS source. 
 sRTMS will connect to AWS and collect inventory information.
 Disable by default
 AWS Source Access Key Access Key to connect to AWS mandatory: if AWS Source is enabled
 AWS Source Secret Access Key Secret Access Key to connect to AWS mandatory: if AWS Source is enabled
 AWS Source Region Region of the SSM data are stored mandatory: if AWS Source is enabled
 AWS Source S3 Staging S3 bucket use to save temporary data mandatory: if AWS Source is enabled
 AWS Source Schema name Schema name of the DB where the SSM data are stored mandatory: if AWS Source is enabled
 AWS Source Device SQL SQL Query used to pull Device Information mandatory: if AWS Source is enabled
 AWS Source Package SQL SQL Query used to pull Package Information mandatory: if AWS Source is enabled

Vulnerabilities

servicenow settings vulnerabilities

List of Attributes

 Tab Attribute  Description State
 Vulnerabilities Severity Critical if enable: Vulnerability with Severity=Critical will be identified Enable by default
 Vulnerabilities Severity High if enable: Vulnerability with Severity=High will be identified  Enable by default
 Vulnerabilities Severity Medium if enable: Vulnerability with Severity=Medium will be identified  
 Vulnerabilities Severity Low if enable: Vulnerability with Severity=Critical will be identified 
 Vulnerabilities Application Vulnerabilities if enable: Application Vulnerability  will be identified Enable by default
 Vulnerabilities Operating System Vulnerabilities if enable: Operating System Vulnerability will be identified 

Options

servicenow settings options

List of Attributes

 Tab Attribute Description State 
 Options Default CPE Version CPE version used in the ProductCVEs, and Vulnerable Software. 
Values:
  •  2.2
  •  2.3
2.2 is the default value used by Vulnerability Response
 
 Options Create Missing Device if enable:
  • Logical Vulnerabilities found in devices not in ServiceNow will be created.
  • Unique Key: name + os_name + serial_number
 
 Options Create Missing Manufacturer  if enable: 
  • "Create Missing Device" should be enabled
  • if the associated Manufacturer is new it will also be created.
 
 Options Create Missing Model   if enable: 
  • "Create Missing Device" & Create Missing Manufacturer" should be enabled
  • if Model are new they will also be created.
 
 Options API Page Size Max=1000
 Number of results return by each sRTMS API call
 
 Options Create Missing NVD if enable:
  • CVE missing in NVD table will be created automatically
 Visible if Module=Security,All
 Options Create Missing CPE  if enable:
  • CPE missing in Vulnerability Software table will be created automatically
 Visible if Module=Security,All
 Options Create Missing Software Discovery Model  if enable:
  • Missing Software Discovery Model will be created automatically
 Visible if Module=Security,All
 Options Create Missing Software Installation if enable:
  • Missing Software Installation will be created automatically
 Visible if Module=Security,All

Scheduler

servicenow settings scheduler


List of Attributes

 Tab Attribute  Description State
 Scheduler Active if enable:
  • sRTMS process will run based on selected schedule
 
 Scheduler Run Values:
  • Daily
  • Weekly
  • Monthly
  • Periodically
  • Once
 
 Scheduler Time Hours + Minutes + Seconds 
 Scheduler Day if Run=weekly, values:
  • Monday
  • Tuesday
  • Wednesday
  • Thursday
  • Friday
  • Saturday
  • Sunday
if Run=Monthly, values: 1-31
 
 Scheduler Period Days + Hours + Minutes + Seconds 
 Scheduler Start Calendar + Time pickup 

Logs

This page records all sRTMS activities. Previous logs are deleted after each successful process.

servicenow logs