Configure ServiceNow for API Data Protection

Netskope has validated support up to the ServiceNow Xanadu release.

To configure ServiceNow for API Data Protection, you need to authorize Netskope as a web application client to access your ServiceNow instance.

If you intend to clone your production ServiceNow instance to create a test instance, a few additional back-end configuration changes need to be done. Contact Netskope support before granting access to the cloned instance.

There are three parts to this procedure:

  • Configure ServiceNow API Access

  • Enable ServiceNow Table Permission

  • Configure a ServiceNow Instance in the Netskope UI

Configure ServiceNow API Access

To configure the ServiceNow API endpoint:

  1. Log in to your ServiceNow account as an admin user.

  2. On the left navigation, filter by System OAuth and click Application Registry.

  3. Click New to create a new application registry.

  4. Click Create an OAuth API endpoint for external clients.

  5. Enter a name and client secret. The client ID is auto generated. Note down the client secret and ID; you will need these to create the ServiceNow instance in the Netskope UI.

    It is important to note that the client secret should not contain any special characters other than ~!@#$%^&*()_+`-=[]\{}|,./<>?;':".

    You do not have to provide any value for Redirect URL and Logo URL.

    The default value of the refresh token lifespan is 86,400 seconds (approx. 100 days). After that, the token is no longer valid and data is not accessible. Netskope recommends entering a minimum value of 31,536,000 seconds (approx. 1 year) to ensure accessibility. Once the refresh token expires, the app instance in the Netskope UI is shown as inactive. You should then re-grant the ServiceNow app instance in the Netskope UI.
  6. When finished, click Submit.

    If there are any records with invalid dates (for example, a future date) in the problem table, ensure that you delete such records. To delete a problem record, read the ServiceNow article. This step is essential so that Netskope receives problem events successfully.

Enable ServiceNow Table Permission

Netskope now supports custom and additional default tables. They are:

  • Basic Configuration Item

  • Catalog Task

  • Change Phase

  • Change Request

  • Change Task

  • Feature Task

  • Group Approval

  • IMAC (Install Move and Change)

  • Incident

  • Incident Task

  • KB Submission

  • Knowledge

  • Problem

  • Problem Task

  • Release Phase

  • Request

  • Request Item

  • Task

  • Ticket

  • Any custom table created by the ServiceNow admin/user

For Netskope to scan through the tables listed above, an additional permission is required for API Data Protection to successfully make API calls to ServiceNow. To enable the permission:

  1. Log in to your ServiceNow account as an admin user.

  2. On the left navigation, search for the term System Definition and click Tables.

  3. Search for the sys_db_object table by Name. Click the first row entry that reads sys_db_object.

  4. Under Application Access, select the Allow access to this table via web services checkbox.

    If the can read checkbox is selected by default, you can keep it as is.
  5. Click Update.

  6. Follow the same steps for change_phase, cmdb, incident, kb_knowledge, kb_submission, problem and ua_custom_table_inventory too.
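The table permission steps above can be checked afterwards from an export of the sys_db_object records. The following is an added example, not Netskope or ServiceNow code. It assumes the export is a Table API style JSON document in which the "Allow access to this table via web services" checkbox appears as a `ws_access` field; the sample response is constructed.

```python
import json

# Tables the procedure above says need web service access enabled.
REQUIRED_TABLES = [
    "sys_db_object", "change_phase", "cmdb", "incident",
    "kb_knowledge", "kb_submission", "problem", "ua_custom_table_inventory",
]

# Constructed sample export of sys_db_object records. The field name
# ws_access is an assumption; booleans may arrive as strings or JSON booleans.
SAMPLE_RESPONSE = json.dumps({"result": [
    {"name": "sys_db_object", "ws_access": "true"},
    {"name": "change_phase", "ws_access": "true"},
    {"name": "cmdb", "ws_access": "false"},
    {"name": "incident", "ws_access": True},
    {"name": "kb_knowledge", "ws_access": "true"},
    {"name": "kb_submission", "ws_access": "true"},
    {"name": "problem", "ws_access": "true"},
    # ua_custom_table_inventory is deliberately absent from the sample
]})


def audit_table_access(response_text, required=REQUIRED_TABLES):
    """Return {table: problem} for every required table that is not ready."""
    rows = {r.get("name"): r for r in json.loads(response_text).get("result", [])}
    findings = {}
    for table in required:
        row = rows.get(table)
        if row is None:
            # Record missing: table not exported or not visible to this user.
            findings[table] = "no record returned"
        elif str(row.get("ws_access", "")).lower() != "true":
            findings[table] = "web service access disabled"
    return findings


if __name__ == "__main__":
    for table, problem in audit_table_access(SAMPLE_RESPONSE).items():
        print(f"{table}: {problem}")
```
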

Configure a ServiceNow Instance in the Netskope UI

Make sure you don’t have any ACL/IP ACL, business rules, or data policy constraints before setting up the instance.

The ServiceNow administrator should have access to the following tables and roles:

| Table | Role | Usage |
| --- | --- | --- |
| change_phase | ITIL | Access records from the Change Phase table. |
| cmdb | ITIL | Access records from the Base Configuration Item table. |
| incident | ITIL | Access records from the Incident table. |
| kb_knowledge | ITIL | Access records from the Knowledge table. |
| kb_submission | ITIL | Access records from the KB Submission table. |
| problem | ITIL | Access records from the Problem table. |
| sys_db_object | ITIL | Get Incident and Problem table records. |
| ua_custom_table_inventory | ITIL | Access records from any custom table. |

Though the tables above require the ITIL role, it is recommended to give the admin role to all the tables so that API Data Protection can access the delete notifications from ServiceNow.

To authorize Netskope to access your ServiceNow instance:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Classic > SaaS.

  2. Select the ServiceNow icon, and then click Setup Instance.

  3. The Setup Instance window opens. Enter the following details:

    • Enter the name of the ServiceNow account instance.

      If your ServiceNow login URL is https://my_instance.service-now.com/, then enter my_instance as the instance name.
    • (Optional) Select the Enable ServiceNow GCC Support checkbox.

      Enable this checkbox if and only if you have a ServiceNow GovCommunityCloud (GCC) account. ServiceNow GCC compliance is designed for U.S. Federal, State, and local government customers.
    • Instance Type: Select the following check box:

      • API Data Protection: Select this option to allow Netskope to scan through your SaaS app instance to list files, users, and other enterprise data.

      • Security Posture: Select this option to allow Netskope to continuously scan through your SaaS app to identify and remediate risky SaaS app misconfigurations and align security posture with best practices and compliance standards.

        This feature is part of the Netskope SaaS Security Posture Management solution. For additional configuration requirements, read SaaS Security Posture Management.
      • Malware: Select this option to detect malware in files and attachments. For more information to set up malware, see Creating a Threat Protection Policy for API Data Protection.

    • Enter the email address of the ServiceNow administrator.

      • To identify the email address of the ServiceNow administrator account, log in to your ServiceNow account, navigate to User Administration > Users. Click the administrator user and note down the email address.
      • Netskope does not support SAML-based SSO for ServiceNow. The ServiceNow administrator email address must be a local user.
      • API Data Protection can send a notification to the instance administrator if the API token that is used to grant access has expired. Netskope sends an email notification to the instance administrator (instance setup page > admin email field) every 24 hours until the administrator re-grants access. Ensure that the administrator email address is an actual user.
  4. Click Save, then click Grant Access for the app instance you just created. You will be prompted to enter the following details:

    • ServiceNow Admin – Enter the user ID of the ServiceNow administrator.

      To identify the user ID of the ServiceNow administrator account, log in to your ServiceNow account, navigate to User Administration > Users. Click the administrator user and note down the user ID.
    • ServiceNow Password – Enter the password of the ServiceNow administrator.

      It is important to note that the password should not contain any special characters other than ~!@#$%^&*()_+`-=[]\{}|,./<>?;':". If the password contains any special characters other than those in this list, change the ServiceNow administrator’s password to conform to this requirement.
    • Enter Client ID – Enter the client ID you noted when you configured the ServiceNow API access.

    • Enter Client Secret – Enter the client secret you noted when you configured the ServiceNow API access.

      It is important to note that the client secret should not contain any special characters other than ~!@#$%^&*()_+`-=[]\{}|,./<>?;':".

      Click Grant. When the configuration results page opens, click Close.

Refresh your browser and you will see a green check icon next to the instance name.
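The character rule for the client secret and the administrator password, and the recommended refresh token lifespan, can be checked before clicking Grant. The following is an added example, not Netskope code. It assumes ASCII letters and digits are accepted alongside the listed special characters; all function names are hypothetical.

```python
import secrets
import string

# Special characters the page allows in the client secret and admin password.
ALLOWED_SPECIALS = "~!@#$%^&*()_+`-=[]\\{}|,./<>?;':\""
# Assumption: ASCII letters and digits are accepted as well.
ALLOWED = set(string.ascii_letters + string.digits + ALLOWED_SPECIALS)
MIN_REFRESH_LIFESPAN = 31_536_000  # seconds, the minimum the page recommends


def disallowed_positions(value):
    """Return (index, code point) pairs for characters outside the allowed set.

    Code points are reported so the secret itself is never echoed.
    """
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(value) if c not in ALLOWED]


def generate_client_secret(length=40):
    """Build a secret from the allowed set using the OS CSPRNG."""
    alphabet = sorted(ALLOWED)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def preflight(client_secret, admin_password, refresh_lifespan):
    """Collect every problem that would lead to a failed grant or early re-grant."""
    findings = []
    for label, value in (("client secret", client_secret),
                         ("admin password", admin_password)):
        bad = disallowed_positions(value)
        if bad:
            findings.append(f"{label}: disallowed characters at {bad}")
    if refresh_lifespan < MIN_REFRESH_LIFESPAN:
        findings.append(
            f"refresh token lifespan {refresh_lifespan}s is below {MIN_REFRESH_LIFESPAN}s")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a password with a non-ASCII character and a short lifespan.
    for finding in preflight(generate_client_secret(), "p\u00e4ssword", 86_400):
        print(finding)
```

The listed special characters are exactly the ASCII punctuation set, so in practice the check catches whitespace and non-ASCII characters such as accented letters or typographic quotes.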
