
ServiceNow Plugin for Ticket Orchestrator

This document explains how to configure your ServiceNow integration with the Ticket Orchestrator module of the Netskope Cloud Exchange platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances)

  • A Netskope Cloud Exchange tenant with the Ticket Orchestrator module already configured.

  • A ServiceNow account.

  • Permissions needed for the plugin are itil or sn_incident_write, sn_incident_read, personalize_read_dictionary, and sn_si.admin.

  • Connectivity to the following hosts: https://ven02206.service-now.com/ and https://ven02207.service-now.com/

Performance Matrix

  • Stack Size: Medium

  • RAM: 16GB

  • Number of Cores: 8

  • Tickets Created Per Minute: ~60

Permissions
  • Roles required when Incidents is configured in the Destination Table parameter:

    • itil or sn_incident_write, sn_incident_read

    • personalize_read_dictionary

  • Role required when Security Incidents is configured in the Destination Table parameter:

    • sn_si.admin

API Details

The plugin uses the ServiceNow Table API to create tasks, get available fields, and get queues from ServiceNow.

Refer to the official documentation for more information on the Table API.

https://developer.servicenow.com/dev.do#!/reference/api/rome/rest/c_TableAPI

API details, with the method and endpoint for each:

  • Validate authentication: GET /api/now/table/incident

  • Get the list of ServiceNow groups as queues: GET /api/now/table/sys_user_group

  • Get the list of all the available fields: GET /api/now/table/sys_dictionary

  • Create a task in the security incident table: POST /api/now/table/sn_si_incident

  • Create a task in the incident table: POST /api/now/table/incident

  • Update task in incident table: PATCH /api/now/table/incident

  • Update task in security incident table: PATCH /api/now/table/sn_si_incident

  • Sync states of tasks: GET /api/now/table/task

Workflow
  1. Confirm your ServiceNow roles.

  2. Configure the ServiceNow plugin.

  3. Configure Ticket Orchestrator Business Rules for ServiceNow.

  4. Configure Ticket Orchestrator Queues for ServiceNow.

  5. Validate the ServiceNow Plugin.


Confirm your ServiceNow roles

You must have a ServiceNow instance with a valid username and password in order to use the ServiceNow plugin. Your account should have the following roles:

  • itil, sn_incident_write, or admin (For Incident)

  • sn_si.admin (For Security Incident)

When deciding which role to use for entitling the ServiceNow Ticket Orchestrator plugin, the sn_si.admin role is NOT mandatory. If you don't have sn_si available, configure Ticket Orchestrator to use the default incidents table and not security incidents.

Configure the ServiceNow plugin

  1. In Cloud Exchange, go to Settings > Plugins.

  2. Search for and select the ServiceNow v1.1.0 (CTO) plugin box to open the plugin creation page. Make sure your Ticket Orchestrator module is enabled; if it is not, go to Settings > General and enable the Ticket Orchestrator module.

  3. Enter a Configuration Name.

  4. Adjust the Sync Interval to an appropriate value. The suggested time is 5+ minutes.

  5. Click Next.

  6. Enter your ServiceNow instance URL. It will be in the following format: https://<your-domain>.service-now.com.

  7. Enter your username and password.

  8. Click Next.

  9. Set the following configuration parameters.

    • Destination Table: Name of the table where incidents will be created.

      • Security Incidents

      • Incidents

    • Use Default Mappings: Select 'Yes' to use the No Queue option on the Queue configuration page (No Queue uses default mappings for the queue and does not require elevated access); otherwise select 'No'.

      • Yes: the default mappings below are used for the No Queue option.

      • No: users can create custom mappings.

    Default mappings (Field: Custom Message):

      • Short description: “Netskope $appCategory alert: $alertName”

      • Description: “Alert ID: $id\nApp: $app\nAlert Name: $alertName\nAlert Type: $alertType\nApp Category: $appCategory\nUser: $user”

  10. Click Save.
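
The ticket-creation call that the default mappings lead to, as an added example (not the plugin's own code): it checks the instance URL against the https://<your-domain>.service-now.com format from step 6, because the username and password from step 7 are sent to that host, then expands the $ placeholders and builds the POST for the selected Destination Table without sending it. The function names, the sample alert, and the short_description/description column names are assumptions.

```python
import json
from string import Template
from urllib.parse import urlsplit

# Creation endpoints from the API details list, keyed by Destination Table.
CREATE_ENDPOINT = {
    "Incidents": "/api/now/table/incident",
    "Security Incidents": "/api/now/table/sn_si_incident",
}
# Default mappings from step 9; the column names short_description and
# description are assumed to back the "Short description"/"Description" fields.
DEFAULT_MAPPINGS = {
    "short_description": "Netskope $appCategory alert: $alertName",
    "description": "Alert ID: $id\nApp: $app\nAlert Name: $alertName\n"
                   "Alert Type: $alertType\nApp Category: $appCategory\nUser: $user",
}
SUFFIX = ".service-now.com"


def check_instance_url(url):
    """Accept only https://<your-domain>.service-now.com; return it normalized."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(SUFFIX) or len(host) == len(SUFFIX):
        raise ValueError(f"not an https service-now.com instance URL: {url!r}")
    if (parts.username or parts.port or parts.path.strip("/")
            or parts.query or parts.fragment):
        raise ValueError(f"unexpected userinfo, port, path or query in {url!r}")
    return f"https://{host}"


def render_fields(alert, mappings=DEFAULT_MAPPINGS):
    """Expand $attribute placeholders once; unknown attributes stay as written."""
    return {name: Template(text).safe_substitute(alert) for name, text in mappings.items()}


def build_create_request(instance_url, destination_table, alert):
    """Return (method, url, json_body) for the ticket-creation call; sends nothing."""
    base = check_instance_url(instance_url)
    body = json.dumps(render_fields(alert))
    return "POST", base + CREATE_ENDPOINT[destination_table], body


# Constructed sample alert (not real data); "user" is deliberately missing.
SAMPLE_ALERT = {"id": "a1b2c3", "app": "ExampleDrive", "alertName": "DLP-PCI",
                "alertType": "DLP", "appCategory": "Cloud Storage"}

if __name__ == "__main__":
    method, url, body = build_create_request(
        "https://example-instance.service-now.com/", "Security Incidents", SAMPLE_ALERT)
    print(method, url)
    print(json.dumps(json.loads(body), indent=2))
```

An attribute that the alert lacks, such as user in the sample, is left as the literal $user in the ticket text, which makes an incomplete mapping easy to spot.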

Configure Ticket Orchestrator Business Rules for ServiceNow

  1. Go to Ticket Orchestrator and click Business Rules.

  2. Click Create new rule.

  3. Enter the appropriate Rule Name in the text box and build the appropriate filter query condition on field(s) for the business rule. You can also type the query manually by clicking Filter Query.

  4. Click Save.

  5. To test the newly created business rule, click the refresh icon and enter the time period (in days). Click Fetch to see the number of alerts that are eligible for incident/ticket creation.

Configure Ticket Orchestrator Queues for ServiceNow

  1. Go to Ticket Orchestrator and click Queues.

  2. Click Add Queue Configuration.

  3. Select the previously created Business Rule from the dropdown.

  4. Select the plugin Configuration from the dropdown for which the queue is being configured.

  5. Select the Queues from the dropdown. This will list the groups available on the configured ServiceNow instance. The issues/tickets will be assigned to the selected group.

  6. Add/Map appropriate values between alerts and incidents under the Map Field section. Alert attributes can be accessed with “$” in the custom message field. Click the Add button to add more field mappings.

  7. Click Save.

  8. Based on the business rule(s), ServiceNow issues/tickets for incoming alerts will be created automatically. To create ServiceNow issues/tickets for historical alerts, click the refresh icon for the configured queue, enter the time period (in days), and then click Fetch. This shows the number of alerts that are eligible for issue/ticket creation. Click Sync to create ServiceNow issues/tickets for those alerts.

Validate the ServiceNow Plugin

In order to validate the workflow, you must have Netskope Alerts.

  1. Go to Ticket Orchestrator and click Alerts.

  2. To view the list of tickets created on ServiceNow, go to Tickets.

  3. To validate in ServiceNow, click the External Link of any ticket to go directly to the newly created ServiceNow issue/incident.

  4. If issues/tickets are not being created on ServiceNow, you can look at the audit logs in Cloud Exchange. In Cloud Exchange, click Logging and look through the logs for errors.