ServiceNow with Netskope SecOps

The ServiceNow Netskope SecOps app provides an end-to-end configuration management integration with capabilities to create and update ServiceNow SIR data based on Netskope alerts, plus manage Netskope Applications based on ServiceNow CI data.

Application Features

The main features of the integration include:

  • Ability to configure the Netskope Configuration Tile.
  • Ability to configure Netskope Profile Configuration.
  • Ability to Import URL Lists and URL Category Lists.
  • Ability to manage Security Incidents in ServiceNow created/updated based on the import of Netskope alerts.
  • Ability to manage Applications and their related data in ServiceNow based on the import of Netskope Apps.
  • Ability to schedule a job for Alerts and Applications import from Netskope.
  • Ability to track the process of integration runs for Alerts and application import.
  • Ability to go to the support page.
  • Ability to see the application logs.

Compatibility Matrix

ServiceNow Version: Utah, Vancouver, and Washington

Netskope API Version: v2, and v1 (used for Add to File Hash)

Netskope Platform Version: 3.1.4

Prerequisites

Add Endpoints to a v2 Token

Add these endpoints to a Netskope API v2 token with these read and write permissions.

Endpoint                                                   Permission
/api/v2/events/dataexport/events/alert                     Read
/api/v2/policy/urllist/file                                Read + Write
/api/v2/policy/urllist/deploy                              Read + Write
/api/v2/services/cci/tags                                  Read + Write
/api/v2/events/dataexport/alerts/uba                       Read
/api/v2/events/dataexport/alerts/securityassessment        Read
/api/v2/events/dataexport/alerts/quarantine                Read
/api/v2/events/dataexport/alerts/remediation               Read
/api/v2/events/dataexport/alerts/policy                    Read
/api/v2/events/dataexport/alerts/malware                   Read
/api/v2/events/dataexport/alerts/malsite                   Read
/api/v2/events/dataexport/alerts/compromisedcredential     Read
/api/v2/events/dataexport/alerts/ctep                      Read
/api/v2/events/dataexport/alerts/watchlist                 Read
/api/v2/atp/scans/filescan                                 Read + Write
/api/v2/atp/scans/reports                                  Read
/api/v2/incidents/uba/getuci                               Read + Write
/api/v2/services/cci/app                                   Read
/api/v2/policy/urllist                                     Read + Write
/api/v2/events/dataexport/events/application               Read

ServiceNow Plugins

These ServiceNow plugins must be activated:

  • ServiceNow IntegrationHub Action Step – REST (com.glide.hub.action_step.rest)
  • ServiceNow IntegrationHub Runtime (com.glide.hub.integration.runtime)
  • Security Incident Response (sn_si)
  • Version – 13.1.0

To install these plugins:

  1. Log in to your instance with your user credentials.
  2. Verify you have the system administrator (admin) role.
  3. Go to System Definition > Plugins in your instance.
  4. Search for and install the above-mentioned plugins.

Permission and Roles

You need to create a user or provide permissions to an existing user for the Netskope SecOps integration.

The ServiceNow system administrator can create these types of users for the Netskope SecOps Integration.

User: System Administrator
Role: admin
Permissions:
  • Installations of the integration application plugins
  • User Creation
  • Application Log
Description: The user of this role will be the admin of the ServiceNow instance.

User: SecOps Admin
Role: sn_si.admin
Permissions:
  • Tile Configuration
  • Observable Enrichment
  • Threat Lookup
Description: The user of this role will be the admin of Security Incident Response.

User: App Admin
Role: x_netsk_nets_sir.netskope_admin
Permissions:
  • Data Ingestion Profile Configuration (Write)
  • Expiration time (Write)
  • CI Lookup Rules (Write)
  • Severity and Status mapping (Write)
  • Sandbox Report Requests (Write)
  • URL Category (Write)
  • Add to URL List (Write)
  • Process Monitor (Read)
  • Scheduled Jobs (Write)
  • Application (Write)
  • Add Tags (Write)
  • Users (Write)
  • Alerts Ingestion (Write)
Description: The user of this role will be the admin of the Netskope SecOps integration.

User: SecOps Analyst
Role: sn_si.analyst
Permissions:
  • Observable Enrichment
  • Threat Lookup
Description: The user of this role will be the analyst of Security Incident Response.

User: User
Role: x_netsk_nets_sir.netskope_user
Permissions:
  • Data Ingestion Profile Configuration (Read)
  • Sandbox Report Requests (Write)
  • CI Lookup Rules (Read)
  • URL Category (Read)
  • Add to URL List (Write)
  • Application (Read)
  • Add Tags (Write)
  • Users (Read)
  • Data Ingestion (Read)
  • Severity and Status mapping (Read)
  • Process Monitor (Read)
  • Alerts Ingestion (Write)
Description: The user of this role will be the user of the Netskope SecOps integration.

Workflow

  1. Download and install the Netskope SecOps application from the ServiceNow store.
  2. Configure Netskope SecOps.
  3. Configure use case options.

Download and Install the Netskope SecOps Application

Users with the System administrator (admin) role can install the application from the ServiceNow store.

  1. Go to https://store.servicenow.com
  2. Search for Netskope SecOps Integration in the search tab.
  3. Click on Netskope SecOps Integration.
  4. Click Get and enter the HI credentials of your instance.
  5. After it is added successfully, open the instance by going to Applications > All Available Applications > All.
  6. Find the application using the filter criteria and search bar.
  7. Beside the application listing, click Install.

Activate Schedulers

  1. Go to the sysauto_script.list table.
  2. Filter with Application for the Netskope SecOps Integration.
  3. Set active = true on all schedulers of the application.
  4. Save your changes.

Configure Netskope SecOps

Create Users

The ServiceNow platform admin creates the various Netskope users.

Username (for example)    Roles to be Assigned
Application Admin         sn_si.admin, x_netsk_nets_sir.netskope_admin, personalize_dictionary
Application User          sn_si.analyst, x_netsk_nets_sir.netskope_user, personalize_dictionary

Here is an example of how to create a Netskope user and assign a role to it.
Role Required: System Administrator (admin)
Procedure:

  1. Go to Organization > Users.
  2. Click the Users module.
  3. On the Users list that is displayed, click New. A new user form is displayed.
  4. Fill in the form.
    The values for User ID and Title shown in the following table are example values.
    Field        Description
    User ID      Unique User ID for the role in your ServiceNow Platform instance. An example is netskope_admin.
    First Name   Person you are assigning
    Last Name    Person you are assigning
    Title        Job Title. For example, Netskope admin
    Password     The unique password created for this role
    Email        Unique email address
  5. Click Submit. After being submitted, you can assign the role.
  6. On the Users list in the User ID column, click on the name of the new user you created. For example: netskope_admin.
  7. After the record is open, the Set password UI is visible in the form view of the record.
  8. Click Set Password.
  9. A popup will open. Click Generate, which generates a unique password for the created user that needs to be changed on the first log-in.
  10. Copy the generated password and close the popup.
  11. On the Users list in the User ID column, click on the name of the new user you created. For example: netskope_admin.
  12. After the record opens, go to the Roles section and click Edit.
  13. On the Edit Members form, enter sn_si.admin in the Collection field.
  14. In the Collection column, select sn_si.admin and move it to the Roles List.
  15. Click Save.

Netskope Integration Tile Configuration

This section describes how to create the configuration that is used to connect the Netskope platform with ServiceNow.

Role Required: sn_si.admin

Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Security Operations > Integrations > Integration Configurations.
  3. Click Configure on the Netskope SecOps Integration tile shown in the list view.
  4. Insert a Name, the Base URL, and V2 API token (V1 API token is optional).
  5. Click Submit to authenticate.

Use Cases

Log Ingestion Profile Configurations

Role Required: sn_si.admin, x_netsk_nets_sir.netskope_admin, personalize_dictionary
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > Profile Configuration.
  3. Click New in the list view.
  4. Enter a Name, Source, Order, and Description.
  5. Click Next to save the configuration and proceed to the next tab.
  6. On the Alert Filtering tab, select the types of alerts to be ingested.
  7. Click Next to go to the Field Mapping tab.
  8. On the Field Mapping tab, provide custom mappings from the alert fields to the desired Security Incident fields.
  9. Click Next to move to the Security Incident Creation tab.
  10. On the Security Incident Creation tab, select the criteria for which a Security Incident should be created and whom to assign it to.
  11. Click Next to save the mappings and move to the Scheduling tab.
  12. On the Scheduling tab, select one-time or recurring data collection; depending on your choice, you can also specify additional parameters such as Start Time and Interval.
  13. Click Finish to save the Netskope Profile Configuration.

Imported Alerts

You can view all the alerts that have been imported from the Netskope platform. A list of all the imported alerts and their details is available to users.
Role Required: x_netsk_nets_sir.netskope_admin or x_netsk_nets_sir.netskope_user
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > Alerts.
  3. Click on any imported alert record.
  4. You can view all the fetched details of a selected alert in read-only mode.

Imported Applications

You can view all the applications that have been imported from the Netskope platform. A list of all applications with their details is available to users. Additionally, you can also find the imported applications in the cmdb_ci_appl table in ServiceNow.
Role Required: x_netsk_nets_sir.netskope_admin or x_netsk_nets_sir.netskope_user
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > Applications.
  3. Click on any application record.
  4. You can view all the fetched details of the selected application in read-only mode.

Imported Users

You can view all the users that have been imported from the Netskope platform. A list of all users with their details is available to users.
Role Required: x_netsk_nets_sir.netskope_admin or x_netsk_nets_sir.netskope_user
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > Users.
  3. Click on any user record.
  4. You can view all the fetched details of the selected user in read-only mode.

Observable Enrichment

You can enrich information about observables using the Observable Enrichment capability.
Roles Required: sn_si.admin or sn_si.analyst
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Security Incidents.
  3. Click on the required security incident record.
  4. Locate the Associated Observable related list.
  5. If the related list is not visible, click Show All Related Lists.
  6. Select the URL Observable type and click on the Actions on selected rows dropdown.
  7. Select Run Observable Enrichment.
     After the observable enrichment runs successfully, you will find the results in the Observable table (sn_ti_observable).
  8. You can also run the observable enrichment directly from the Observable table by following steps 4 and 5.

CI Lookup Rules

You can create multiple rules. They are evaluated in Order; each rule looks up the CMDB table and field configured in it and attaches the matching CI record to the Security Incident.
Note: If the table selected in the CI Lookup rule does not contain a matching configuration item, the Security Incident will have no CI association and the field remains blank.
Roles Required: x_netsk_nets_sir.netskope_admin (Write) and x_netsk_nets_sir.netskope_user (Read)
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > CI Lookup Rules.
  3. Click New to create a new rule.
  4. Enter a Name and Source, and select a value in the destination fields Search on CI table and Search on CI field.
  5. Click Submit.

Now run the scheduler. After the job is completed, the Security Incident has a record linked in the Configuration Item field.
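The profile-configuration tabs described under Log Ingestion Profile Configurations (alert filtering, field mapping, severity mapping, creation criteria) and the ordered CI Lookup Rules in this section act together in one ingestion pass. The plain JavaScript below is an added illustration of that pass and is not code from the Netskope SecOps app; the alert fields, CMDB tables, rule shape and function names are all constructed assumptions, and the real app stores each of these in ServiceNow tables and applies them from the scheduled job.

```javascript
// Added illustration (not the Netskope SecOps app's own code). Every field
// name, table and record below is constructed for this example.

// Constructed Netskope alerts, loosely shaped like v2 dataexport records.
const SAMPLE_ALERTS = [
  { alert_type: "malware",    severity: "high",   user: "alice@example.com",
    hostname: "LAPTOP-01",    app: "Dropbox",     url: "files.example.net" },
  { alert_type: "policy",     severity: "low",    user: "bob@example.com",
    hostname: "LAPTOP-02",    app: "Slack",       url: "slack.example.net" },
  { alert_type: "uba",        severity: "medium", user: "carol@example.com",
    hostname: "UNKNOWN-HOST", app: "Box",         url: "box.example.net" },
  { alert_type: "quarantine", severity: "high",   user: "dave@example.com",
    hostname: "UNKNOWN-HOST", app: "Zoom",        url: "zoom.example.net" },
];

// Constructed CMDB: table name -> CI rows. The CI Lookup Rules below search
// these by a chosen field, mirroring "Search on CI table" / "Search on CI field".
const CMDB = {
  cmdb_ci_computer: [
    { sys_id: "ci-0001", name: "LAPTOP-01" },
    { sys_id: "ci-0002", name: "LAPTOP-02" },
  ],
  cmdb_ci_appl: [
    { sys_id: "ci-0100", name: "Dropbox" },
    { sys_id: "ci-0101", name: "Box" },
  ],
};

// One profile configuration, keyed by the wizard tabs (constructed).
const PROFILE = {
  // Alert Filtering tab: which alert types to ingest
  alertTypes: ["malware", "uba", "quarantine"],
  // Field Mapping tab: alert field -> Security Incident field
  fieldMapping: { user: "affected_user", app: "application", url: "short_description" },
  // Severity mapping: Netskope severity -> SIR severity (1 = highest)
  severityMapping: { high: 1, medium: 2, low: 3 },
  // Security Incident Creation tab: creation criteria and assignment group
  createWhen: (alert) => alert.severity !== "low",
  assignmentGroup: "SecOps Triage",
};

// CI Lookup Rules (constructed). Lower Order is evaluated first; first match wins.
// Deliberately listed out of order to show that Order, not list position, decides.
const CI_LOOKUP_RULES = [
  { order: 200, source: "app",      table: "cmdb_ci_appl",     field: "name" },
  { order: 100, source: "hostname", table: "cmdb_ci_computer", field: "name" },
];

// Walk the rules in Order and return the sys_id of the first CI that matches.
// Returns "" (a blank Configuration Item) when no rule finds a CI, including
// when a rule's table has no rows, as the note in this section describes.
function lookupCi(alert, rules, cmdb) {
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    const rows = cmdb[rule.table] || [];
    const hit = rows.find((ci) => ci[rule.field] === alert[rule.source]);
    if (hit) return hit.sys_id;
  }
  return "";
}

// Apply the profile to a batch of alerts and return the Security Incidents
// that would be created, as plain objects keyed by SIR field name.
function ingestAlerts(alerts, profile, rules, cmdb) {
  const incidents = [];
  for (const alert of alerts) {
    if (!profile.alertTypes.includes(alert.alert_type)) continue; // filtered out
    if (!profile.createWhen(alert)) continue;                     // criteria not met
    const sir = {
      assignment_group: profile.assignmentGroup,
      severity: profile.severityMapping[alert.severity],
    };
    for (const [src, dst] of Object.entries(profile.fieldMapping)) {
      sir[dst] = alert[src];
    }
    sir.cmdb_ci = lookupCi(alert, rules, cmdb);
    incidents.push(sir);
  }
  return incidents;
}
```

With the constructed data, the malware alert is linked to ci-0001 by the hostname rule, the uba alert falls through to the app rule and is linked to ci-0101, the policy alert is filtered out, and the quarantine alert is created with a blank Configuration Item because no rule matches; that last case is the one the note above warns about and is worth checking after the first scheduler run.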

Sandbox Report Request

You can request Sandbox report analysis for files with the extension .exe.
Roles Required: x_netsk_nets_sir.netskope_admin (Write) and x_netsk_nets_sir.netskope_user (Read).
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > Sandbox Report Requests.
  3. Create a new Sandbox Report Request record.
  4. Select the profile to use to create a Sandbox request, attach the .exe file to the record, and click Submit.

After the request has been submitted, the Sandbox report analysis will be available to download as an attachment on the same record.

Threat Lookup

You can get more details about applications using the Threat Lookup capability.
Roles Required: sn_si.admin or sn_si.analyst
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Security Incidents.
  3. Click on a security incident record.
  4. Locate the Associated Observable related list.
  5. If the related list is not visible, click Show All Related Lists.
  6. To run a threat lookup for an application, create an observable of type Unknown whose Observable name is the application name. Select this observable and run Threat Lookup.
  7. After the Threat Lookup runs successfully, you will see the results in the Threat Lookup Results table (sn_ti_lookup_result).
  8. You can also run the threat lookup directly from the Observable table by following steps 4 and 5.

Add to URL Category

You can add observables of type URL/IP/domain to a category list in Netskope.
Roles Required: sn_si.admin or sn_si.analyst
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Security Incidents.
  3. Click on a security incident record.
  4. Locate the Associated Observable related list.
  5. If the related list is not visible, click Show All Related Lists.
  6. The list of observables is displayed. If the Observable type is URL, Domain, or IP, you can perform the Add to URL Category action.
  7. Click on an Observable record. At the top of the form, click Add to URL Category.
  8. Fill in the required fields and click Submit.
  9. After you click Submit, a change request is created. When the approver approves the change request, the URL is added to the URL Category on Netskope.

Note: The action can also be performed from the list view of the Observable (sn_ti_observable) table.

Remove from URL Category

Users can remove observables of type URL/IP/domain from a category list in Netskope.
Roles Required: sn_si.admin or sn_si.analyst
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Security Incidents.
  3. Click on a security incident record.
  4. Locate the Associated Observable related list.
  5. If the related list is not visible, click Show All Related Lists.
  6. The list of observables is displayed. If the Observable type is URL, Domain, or IP, you can perform the Remove from URL Category action.
  7. Click on an Observable record. At the top of the form, click Remove from URL Category.
  8. Fill in the required fields and click Submit.
  9. After you click Submit, a change request is created. When the approver approves the change request, the URL is removed from the URL Category on Netskope.

Add to a File Hash

You can add observables of type URL to a category list in Netskope.
Roles Required: sn_si.admin or sn_si.analyst
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Security Incidents.
  3. Click on a security incident record.
  4. Locate the Associated Observable related list.
  5. If the related list is not visible, click Show All Related Lists.
  6. The list of observables is displayed. If the Observable is of type MD5 or SHA256, you can perform the Add File Hash action.
  7. Click on an Observable record.
  8. At the top of the form, click Add File Hash.
  9. Fill in the required fields and click Submit.

Note: The action can also be performed from the list view of the Observable (sn_ti_observable) table.

Add/Remove Tags

You can add or remove tags from applications on Netskope.
Roles Required: x_netsk_nets_sir.netskope_admin or x_netsk_nets_sir.netskope_user
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > Applications.
  3. Open an application record.
  4. Click New to add new tags.
  5. Provide a name for the tag and click Submit.
  6. To remove a tag, select the tag, click the Actions on selected rows dropdown, and select Delete.

Expiration Time Support

You can set an expiration time for URLs that are added to a category list. After the expiration time is exceeded, the URL is removed from that category list.
Required Roles: x_netsk_nets_sir.netskope_admin (Write) and x_netsk_nets_sir.netskope_user (Read)
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > URL Category List.
  3. Select a category.
  4. If URLs exist for that category, the URL Lists related list is visible.
  5. Select the URL to which you want to add an expiration time.
  6. Add an expiration time for that URL. The URL is removed once the current time passes the expiration time.

Process Monitor

The application provides a Process Monitor module for reviewing high-level metrics from past runs of each feature. This module lists all processes with their scheduled job names. The form view of a process monitor record contains the descriptive logs and the reason for a process failure.
Role Required: sn_si.analyst, sn_si.admin
Procedure:

  1. Log in to the ServiceNow instance.
  2. Go to Netskope for Security Operations > Process Monitor.
  3. Open the top record to monitor the ongoing process.
  4. Different statuses are used to track the process:
    • Initiated: The job has been initiated and its queue is waiting to be processed.
    • In Progress: The job is in progress, that is, the queue for that job is being processed.
    • Failed: The job failed because an API call failed or because the selected configuration was deleted.
    • Completed: The job completed successfully.
    • Completed with Error: The job completed, but not all queue entries were processed successfully (a combination of failed and processed queue entries).
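To make the difference between Failed and Completed with Error concrete, the following JavaScript models a single scheduled job run working through its queue and producing the Process Monitor status that the list above describes. It is an added illustration, not code from the Netskope SecOps app; the handler, queue items, error messages and the `fatal` flag used to mark an API-call failure are all constructed assumptions.

```javascript
// Added illustration (not the Netskope SecOps app's own code) of how a
// Process Monitor record moves through the statuses listed above. The
// handler, queue items and error messages are constructed.

const STATUS = {
  INITIATED: "Initiated",
  IN_PROGRESS: "In Progress",
  FAILED: "Failed",
  COMPLETED: "Completed",
  COMPLETED_WITH_ERROR: "Completed with Error",
};

// Run one scheduled job over its queue. `handler(item)` processes a single
// queue entry; it throws a plain Error for a per-entry failure and an Error
// carrying `fatal: true` for a failed API call that makes the whole run unusable.
function runScheduledJob(jobName, queue, handler, options = {}) {
  const record = { job: jobName, status: STATUS.INITIATED, processed: 0, failed: 0, log: [] };

  // The configuration the job points at was deleted: fail before touching the queue.
  if (options.configurationDeleted) {
    record.status = STATUS.FAILED;
    record.log.push("Selected configuration no longer exists");
    return record;
  }

  record.status = STATUS.IN_PROGRESS; // the queue is now being processed
  for (const item of queue) {
    try {
      handler(item);
      record.processed += 1;
    } catch (err) {
      if (err.fatal) {
        // An API call failure aborts the run and is reported as Failed.
        record.status = STATUS.FAILED;
        record.log.push(`API call failed: ${err.message}`);
        return record;
      }
      // A single bad entry is logged and the run carries on.
      record.failed += 1;
      record.log.push(`Queue entry ${item.id} failed: ${err.message}`);
    }
  }
  // Every entry was attempted: a clean run completes, a mixed run completes with error.
  record.status = record.failed === 0 ? STATUS.COMPLETED : STATUS.COMPLETED_WITH_ERROR;
  return record;
}

// Constructed handler: one entry cannot be mapped, another simulates an API outage.
function sampleHandler(item) {
  if (item.payload === "bad-record") throw new Error("could not map alert fields");
  if (item.payload === "api-down") {
    const e = new Error("HTTP 401 from the Netskope API");
    e.fatal = true;
    throw e;
  }
}

// Constructed queue with a mix of good and bad entries.
const SAMPLE_QUEUE = [
  { id: 1, payload: "ok" },
  { id: 2, payload: "bad-record" },
  { id: 3, payload: "ok" },
];
```

Running `runScheduledJob("Alerts Import", SAMPLE_QUEUE, sampleHandler)` ends in Completed with Error with two processed and one failed entry, while a queue whose first entry raises the fatal error ends in Failed with nothing processed; when triaging a Process Monitor record, the log lines on the form view tell you which of the two cases you are looking at.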

Uninstallation

This section describes how to uninstall the Netskope SecOps Integration application from a ServiceNow instance.
Role Required: System Administrator (admin)
Procedure:

  1. Go to System Applications > All Available Applications > All.
  2. Select the Installed checkbox. A list of applications installed in the instance is displayed.
  3. Locate the Netskope SecOps Integration, select it, and then click Uninstall.
  4. The application is uninstalled from your instance.

Support, Troubleshooting, and Known Limitations

Support

Customers are instructed to contact the integration provider, Netskope, for technical support. If a customer first contacts ServiceNow Customer Support, ServiceNow Customer Support will isolate the problem and instruct the customer to resolve the issue with Netskope.

Support Contact Details: https://www.netskope.com/training#support

Troubleshooting

Application Logs

From the logs window, the ServiceNow system administrator or the Netskope ServiceNow Security App admin can configure and view all the Netskope ServiceNow Security App logs. The Netskope SecOps Integration displays four types of logs:

  • ERROR: An error represents a serious issue and the failure of an operation in the Netskope SecOps Integration.
  • WARN: Warning logs represent an unusual situation in the Netskope SecOps Integration.
  • INFO: Info logs are informational messages that highlight the progress of the Netskope SecOps Integration.
  • DEBUG: Debug logs provide details about the application's behavior.

Role Required: System Administrator (admin)
Procedure:

  1. Check the application logs whenever a user experiences errors.
  2. Go to Netskope SecOps Integration > Diagnostics.
  3. Open Application Logs.

Enable Outbound HTTP Logs

Outbound REST functionality enables you to retrieve, create, update, or delete data on a web services server that supports the REST architecture. You can send a REST message from a REST workflow activity or by using the RESTMessageV2 script API.

Prerequisites:
You must be the ServiceNow system administrator.
Procedure:

  1. Log in to ServiceNow.
  2. In the navigation filter, enter sys_properties.list.
  3. Search for and set these system properties:
    • glide.outbound_http_log.override.level = all
    • glide.outbound_http.content.max_limit = 1000
    • glide.outbound_http_log.override = true
  4. Go to the HTTP Outbound Requests module under System Logs.
  5. Sort all records by Created date in descending order.
  6. You can now see the API calls made by the application.

FAQs

Unable to install an application from the ServiceNow Store

  1. Verify you have the system administrator (admin) role.
  2. Go to System Applications > All Available Applications > All.
  3. Verify the application appears under the Installed tab.

Unable to create a new user

Review the following link and execute the steps: User Administration

The report generation process fails after some time.

  1. Go to the System Property module of the application.
  2. Increase the value of the retry count or retry interval system property and try again.

I am not able to see the Execute Now button in the scheduled job.

  1. The configuration for the scheduled job must be submitted first, to avoid misconfiguration.
  2. After the scheduled job is configured, open the same configuration and you should see the Execute Now button.

I can select a past time in the scheduled job, once or periodically.

  1. If you select a past time in the scheduled job, the current time is used instead when you submit or update the configuration.
  2. A user may also select a future time, remain on the page long enough for that time to pass, and still be able to submit the configuration. To avoid such a scenario, a past date is always replaced by the time at which the configuration is submitted.

I can see multiple running jobs in the process monitor though I have executed only one time.

  1. When you modify any scheduled job, the starting time for that scheduled job is set to the current time, and the job is triggered at that starting time.
  2. If you also click the Execute Now button at the same time, this triggers the job again, which can lead to multiple jobs running concurrently.
  3. If your scheduled job is scheduled to run once and you are modifying any fields, click only the Update button; that triggers your job at the starting time (which is set to the current time when you click Update).

The scheduled job is taking some time to reflect on the process monitor.

  1. The backend scheduler checks every 18 seconds for eligible schedulers that need to be executed.
  2. After the backend scheduler runs, all eligible queued scheduled jobs are picked up for execution, and the Process Monitor reflects them at that time.

Processes are not getting completed though configurations are correct.

  1. As part of the prerequisites, all schedulers of the application listed in the sysauto_script.list table must be marked active=true.
  2. To mark them as active, ask your system administrator to perform these steps:
    1. Go to the sysauto_script.list table.
    2. Add a filter on Application.
    3. Open the form view of each record and mark it active=true.