Configure ServiceNow for the Next Generation API Data Protection

To configure ServiceNow for the Next Generation API Data Protection, follow the instructions below.

Prerequisite

Before configuring ServiceNow for the Next Generation API Data Protection, review the prerequisites.

  • A ServiceNow account running a minimum version of San Diego.

  • An admin user who has write permission to the Application Registry table.

Netskope also recommends creating a dedicated user and role for better quota and access control; this requires write permission to both the User and User Role tables. This is optional.

Configure ServiceNow API Access

In this procedure, you’ll create a new application in your ServiceNow account that enables Netskope to securely access the necessary data through the API.

  1. Log in to your ServiceNow account as an admin user.

  2. Navigate to All > System OAuth > Application Registry and click New.

  3. Click Create an OAuth API endpoint for external clients.

  4. In the new form, enter the following details:

    • Name: An identifiable name, e.g. Netskope Next-Gen CASB

    • Client Secret: Generate a strong, random secret. Besides letters and digits, it may contain only these special characters: ~!@#$%^&*()_+`-=[]\{}|,./<>?;':".

    • Redirect URL: https://nso.goskope.com/common/oauthorize

    • Refresh Token Lifespan: 31,536,000

      The default refresh token lifespan in ServiceNow is 8,640,000 seconds (100 days). Once the refresh token expires, Netskope can no longer read data from the instance: the app instance is shown as inactive in the Netskope UI and you must re-grant the ServiceNow app instance there. Netskope recommends entering a minimum of 31,536,000 seconds (approx. 1 year) to avoid this.
      One way to prevent the refresh token from ever expiring is a Business Rule that extends the expiry of the token record in the Manage Tokens (oauth_credential) table; a ServiceNow community post describes this approach. Weigh it against the security cost: a refresh token that never expires stays valid until someone explicitly revokes it, so if it leaks it grants indefinite read access to every table listed in this document. If you take this route, make revoking the token (or disabling the dedicated user) an explicit step in your offboarding and incident response runbooks.

      Keep the rest of the fields unchanged.

  5. Note down the client ID and secret; you will need these to create the ServiceNow instance in the Netskope UI.

  6. When finished, click Submit.

Create a Dedicated User for Netskope

While this step is optional, Netskope strongly recommends creating or using a dedicated user and role for the Next Generation API Data Protection integration. A dedicated user improves access control, since the grant is tied to that user's role rather than to a person's admin account, and makes it easier to manage the Netskope app's API request quota. If you already have a dedicated user and role set up for Netskope, you can skip the following procedure.

  1. Navigate to All > Organization > Users and click New.

  2. In the new form, enter the necessary user details and click Submit.

  3. Navigate to All > User Administration > User Roles and click New.

  4. Grant the user you created either the admin role, or a dedicated role with read permission on the tables listed in the next section.

Enable ServiceNow Table Permission

If you authenticate using a user with the admin role, you can skip this step: the admin role typically has read access to all of the default and custom tables that Netskope monitors. Netskope nevertheless recommends reviewing these tables to confirm that the configured level of access is appropriate.

Netskope now supports out-of-the-box (core) and custom tables. They are:

  1. Basic Configuration Item

  2. Catalog Task

  3. Change Phase

  4. Change Request

  5. Change Task

  6. Feature Task

  7. Group Approval

  8. IMAC (Install Move and Change)

  9. Incident

  10. Incident Task

  11. KB Submission

  12. Knowledge

  13. Problem

  14. Problem Task

  15. Release Phase

  16. Request

  17. Request Item

  18. Task

  19. Ticket

  20. Any custom table

For Netskope to scan the tables listed above, each table must also be reachable through web services; without this, API Data Protection's API calls to ServiceNow fail. Repeat the following steps for each table above.

  1. Log in to your ServiceNow account as an admin user.

  2. In the left navigation, search for System Definition and click Tables.

  3. Search for each table by Label or Name and click the desired table.

  4. Under Application Access, select both the Allow access to this table via web services and the Can read checkboxes.

  5. Click Update.

  6. Ensure that the dedicated user created earlier has read permission (via ACLs) on all of the out-of-the-box and custom tables. For more details, refer to the ACL documentation.

Set Access Permission for System Tables

There are a few more system tables that are necessary for Netskope to scan and successfully make API calls to ServiceNow. Follow the same procedure as above for the following system tables too.

Table                        Usage
sys_db_object                Access records from the Tables table.
ua_custom_table_inventory    Access records from the Custom Tables table.
sys_user                     Access records from the User table.
sys_attachment               Access records from the Attachment metadata table. Required for attachment content monitoring.
sys_attachment_doc           Access records from the Attachment content table. Required for attachment content monitoring.
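Before granting access in the Netskope UI, it is worth confirming that the three procedures above actually produced a working client and a user who can read every required table, by exercising the same path Netskope will use: obtain an OAuth access token with the registered client and the dedicated user, then read one record from each table through the ServiceNow Table API. The Python script below is an added example and is not Netskope's or ServiceNow's code. It assumes the OAuth client and the dedicated user from the earlier procedures exist; the instance hostname, client ID, client secret and user credentials are hypothetical placeholders, the FakeServiceNow class is a constructed stand-in so the script runs offline (pass the default http_request instead to run it against a real instance), and the table list is a subset of the page's list mapped from labels to table names, to be extended with the remaining tables and your custom tables.

```python
"""Verify the ServiceNow OAuth client and the dedicated user's table access.

Added example; not Netskope's or ServiceNow's code. Assumes the OAuth client
and dedicated user from the earlier procedures exist. Hostname, client ID,
secret and user credentials used below are hypothetical placeholders.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Table names for a subset of the page's list (labels mapped to names), plus
# the system tables. Sample only: add the remaining and your custom tables.
SAMPLE_TABLES = [
    "incident", "problem", "change_request", "sc_task", "sc_request",
    "sc_req_item", "kb_knowledge", "cmdb_ci", "task", "ticket",
    "sys_db_object", "ua_custom_table_inventory", "sys_user",
    "sys_attachment", "sys_attachment_doc",
]


def http_request(url, data=None, headers=None):
    """Return (status, body). HTTP 4xx is returned rather than raised, so a 403
    from a missing ACL shows up in the report instead of aborting the run."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_token(instance, client_id, client_secret, username, password, http=http_request):
    """Resource-owner password grant at /oauth_token.do. Netskope itself uses the
    authorization-code flow (hence the Redirect URL); this grant only tests that
    the client credentials and the dedicated user's credentials are accepted."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": username, "password": password,
    }).encode()
    status, body = http(f"https://{instance}/oauth_token.do", data=form,
                        headers={"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {body[:200]}")
    return json.loads(body)["access_token"]


def check_tables(instance, token, tables, http=http_request):
    """Read one sys_id from each table via the Table API and classify the result."""
    report = {}
    for table in tables:
        url = f"https://{instance}/api/now/table/{table}?sysparm_limit=1&sysparm_fields=sys_id"
        status, _ = http(url, headers={"Accept": "application/json",
                                      "Authorization": f"Bearer {token}"})
        if status == 200:
            report[table] = "readable"
        elif status == 403:
            report[table] = "denied: check the read ACL and 'Allow access to this table via web services'"
        elif status == 404:
            report[table] = "missing: no such table on this instance"
        else:
            report[table] = f"unexpected HTTP {status}"
    return report


def run_check(instance, client_id, client_secret, username, password, tables, http=http_request):
    token = get_token(instance, client_id, client_secret, username, password, http)
    return check_tables(instance, token, tables, http)


class FakeServiceNow:
    """Constructed offline stand-in for an instance: one OAuth client, one user,
    and the set of tables that user may read. Mirrors the real 401/403 codes."""

    def __init__(self, client_id, client_secret, username, password, readable):
        self.creds = (client_id, client_secret, username, password)
        self.readable = set(readable)
        self.token = "constructed-access-token"

    def __call__(self, url, data=None, headers=None):
        path = urllib.parse.urlparse(url).path
        if path == "/oauth_token.do":
            form = urllib.parse.parse_qs(data.decode())
            sent = tuple(form.get(k, [""])[0] for k in
                         ("client_id", "client_secret", "username", "password"))
            if form.get("grant_type") == ["password"] and sent == self.creds:
                return 200, json.dumps({"access_token": self.token, "expires_in": 1800})
            return 401, json.dumps({"error": "access_denied"})
        if (headers or {}).get("Authorization") != f"Bearer {self.token}":
            return 401, json.dumps({"error": {"message": "User Not Authenticated"}})
        table = path.rsplit("/", 1)[-1]
        if table in self.readable:
            return 200, json.dumps({"result": [{"sys_id": "0" * 32}]})
        return 403, json.dumps({"error": {"message": "Insufficient rights to query records"}})


if __name__ == "__main__":
    # Offline demo: the user can read everything except the two attachment
    # tables, which is exactly the gap that breaks attachment content monitoring.
    fake = FakeServiceNow("netskope-client-id", "ClientS3cret!", "svc.netskope",
                          "UserP@ssw0rd", SAMPLE_TABLES[:-2])
    report = run_check("my_instance.service-now.com", "netskope-client-id",
                       "ClientS3cret!", "svc.netskope", "UserP@ssw0rd",
                       SAMPLE_TABLES, http=fake)
    for table, state in report.items():
        print(f"{table:26} {state}")
```

Run it against a real instance by dropping the http=fake argument and supplying the real hostname, client ID, secret and the dedicated user's password (ideally from environment variables, not hard-coded). Any table reported as denied needs either the Can read / web services flags from the procedure above or an ACL for the dedicated user's role; fix those before clicking Grant Access in Netskope, because a grant that succeeds but cannot read a table fails silently later as missing data.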

Configure Netskope to Access your ServiceNow Account

To authorize Netskope to access your ServiceNow instance, follow the steps below:

  1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.

  2. Under Apps, select ServiceNow and click Setup CASB API Instance.

    The Setup Instance window opens.

  3. Enter the following details:

    • Enter the Client ID and Client Secret from the Configure ServiceNow API Access procedure.

    • Enter the site domain of the ServiceNow instance.

      If your ServiceNow login URL is https://my_instance.service-now.com/, enter my_instance.service-now.com as the domain name.

    • Under Instance Name, enter a name for the SaaS app instance. This is optional; if left blank, Netskope determines the name of the app instance after the grant.

  4. Click Grant Access. You are prompted to log in to ServiceNow: sign in with the dedicated user (or admin user) whose role grants read access to the tables above, since the resulting token is tied to that account, and then click Sign In. When the configuration results page opens, click Close.

Refresh your browser and you will see a green check icon next to the instance name.

Next, you can view the Next Generation API Data Protection Inventory page to get deep insights on various entities on your ServiceNow account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.

You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.
