ServiceNow connector and action

The ServiceNow SecOps connector uses the V2 Table API to create ServiceNow security incidents.

Connector configuration

ServiceNow SecOps connectors have the following configuration properties.

Name
The name of the connector. The name is used to identify a connector in the Stack Management UI connector listing, and in the connector list when configuring an action.
URL
ServiceNow instance URL.
Username
Username for HTTP Basic authentication.
Password
Password for HTTP Basic authentication.

The ServiceNow user requires at minimum read, create, and update access to the Security Incident table and read access to the sys_choice table. If you don’t provide access to sys_choice, the choices will not render.

Connector networking configuration

Use the Action configuration settings to customize connector networking configurations, such as proxies, certificates, or TLS settings. You can set configurations that apply to all your connectors or use xpack.actions.customHostSettings to set per-host configurations.

Preconfigured connector type

   xpack.actions.preconfigured:
     example-servicenow-sir:            # connector ID (placeholder)
       name: preconfigured-servicenow-connector-type
       actionTypeId: .servicenow-sir
       config:
         apiUrl: https://<instance>.service-now.com   # placeholder URL
         usesTableApi: false
       secrets:
         username: testuser
         password: passwordkeystorevalue

Config defines information for the connector type.

apiUrl
An address that corresponds to URL.
usesTableApi
A boolean that indicates if the connector uses the Table API or the Import Set API.

Note: If usesTableApi is set to false, the Elastic application should be installed in ServiceNow.

Secrets defines sensitive information for the connector type.

username
A string that corresponds to Username.
password
A string that corresponds to Password. It should be stored in the Kibana keystore.
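
An added example (not part of the Kibana documentation): a scan of a kibana.yml fragment that reports preconfigured connectors whose secrets.password is written inline instead of being held in the Kibana keystore. The sample file and connector IDs are constructed; it assumes block-style `key: value` YAML and that the keystore entry name is the dotted form of the setting path.

```python
import re

# Constructed kibana.yml fragment; the connector IDs are placeholders.
SAMPLE_KIBANA_YML = """\
xpack.actions.preconfigured:
  example-sir-inline:
    name: preconfigured-servicenow-connector-type
    actionTypeId: .servicenow-sir
    config:
      usesTableApi: false
    secrets:
      username: testuser
      password: passwordkeystorevalue
  example-sir-keystore:
    name: second-connector
    actionTypeId: .servicenow-sir
    config:
      usesTableApi: false
    secrets:
      username: testuser   # password is supplied by the keystore
"""

ROOT = "xpack.actions.preconfigured"
KEY_LINE = re.compile(r"^( *)([^\s:#][^:#]*?):(?:\s+(.*))?$")

def inline_secrets(yml_text, sensitive=("password",)):
    """Return dotted setting paths of sensitive secrets written inline."""
    findings, path = [], []          # path is a stack of (indent, key)
    for raw in yml_text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()   # drop trailing comments
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while path and path[-1][0] >= indent:         # leave deeper/sibling blocks
            path.pop()
        path.append((indent, key))
        keys = [k for _, k in path]
        # Expected shape: ROOT -> <connector id> -> secrets -> <secret name>
        if (value and len(keys) == 4 and keys[0] == ROOT
                and keys[2] == "secrets" and key in sensitive):
            findings.append(".".join(keys))
    return findings

def keystore_commands(findings):
    """One kibana-keystore command per finding (dotted path is an assumption)."""
    return [f"bin/kibana-keystore add {setting}" for setting in findings]

if __name__ == "__main__":
    for cmd in keystore_commands(inline_secrets(SAMPLE_KIBANA_YML)):
        print("move to keystore, then delete the inline value:", cmd)
```
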

Define connector in Stack Management

Define ServiceNow SecOps connector properties.

[Image: ServiceNow SecOps connector]

Test ServiceNow SecOps action parameters.

[Image: ServiceNow SecOps params test]

Action configuration

ServiceNow SecOps actions have the following configuration properties.

Short description
A short description for the incident, used for searching the contents of the knowledge base.
Priority
The priority of the incident.
Category
The category of the incident.
Subcategory
The subcategory of the incident.
Correlation ID
All actions sharing this ID will be associated with the same ServiceNow security incident. If an incident exists in ServiceNow with the same correlation ID, the security incident will be updated. Default value: <rule ID>:<alert instance ID>.
Correlation Display
A descriptive label of the alert for correlation purposes in ServiceNow.
Description
The details about the incident.
Additional comments
Additional information for the client, such as how to troubleshoot the issue.

Configure ServiceNow SecOps

ServiceNow offers free Personal Developer Instances, which you can use to test incidents.