This article describes the integration between CloudGuard Dome9 and ServiceNow, which sends CloudGuard Native compliance findings to ServiceNow and creates actionable incidents that can be managed there.
The integration uses a purpose-built app from the ServiceNow store, which lets you:
- Create fully-actionable ServiceNow incidents from CloudGuard Dome9 compliance findings
- Automate the life cycle of an incident
- Send Acknowledgment and Exclusion requests back to CloudGuard Dome9 for selected findings
- Click-thru links to entity details on the CloudGuard Dome9 portal
Installation and Configuration
- Install the ServiceNow CloudGuard Dome9 application in your ServiceNow instance (detailed steps are in the Installation Guide, or in the ServiceNow store).
- Configure users and roles on your ServiceNow instance.
- Configure a CloudGuard Dome9 Notification to forward compliance findings to ServiceNow, using a webhook URL linked to the app.
- Configure CloudGuard Dome9 Rulesets and Policies to use this Notification, to send findings to ServiceNow.
Once you have configured the Dome9 app in ServiceNow and the Policy in CloudGuard Dome9, findings for the policy are forwarded to ServiceNow and appear as incidents there.
Viewing Findings in ServiceNow
Search for the CloudGuard Dome9 application from the ServiceNow dashboard (enter 'CloudGuard' in the search box).
The first view is the CloudGuard Dome9 app dashboard, which shows a summary of CloudGuard Dome9 incidents over time, a breakdown of incidents by severity, status, and platform, and a number of Top 10 charts showing leading accounts for incidents, leading entities, rules, etc.
Select Compliance Incidents, in the Navigation menu on the left, to see a list of CloudGuard Dome9 findings sent to ServiceNow.
You can perform these actions on this view:
- filter or sort according to any of the columns, or using the filter menu (three bars in upper left)
- click on a record (finding) to show details for it
- select records with the select box on the left, to perform bulk operations
- create (and save) complex queries to search or filter for specific findings, according to keywords, dates, activity, and other fields
You can see details for individual findings:
The upper part shows details for the incident in ServiceNow, including the state.
The lower part shows details of the underlying Dome9 finding. The Dome9 Alert Attributes tab shows more detail for the finding, including the cloud account, region, entity, and ruleset.
You can perform these actions, amongst others, from this view:
- update the information (in ServiceNow)
- delete the incident from ServiceNow (the finding is not deleted from Dome9)
- acknowledge the finding on CloudGuard Dome9 (this marks it as 'acknowledged', a searchable/filterable attribute on CloudGuard Dome9)
- create an exclusion for this, and similar, findings on Dome9
- mark the incident as resolved on ServiceNow (findings are not marked as resolved or closed on CloudGuard Dome9; once the underlying cause of the finding is corrected, the finding is cleared by the next assessment run on the account that no longer detects the issue).
- click-thru to see the original finding on CloudGuard Dome9 (in the Alert ID field), or detail for the entity (Entity Type field).
CloudGuard Dome9 as a ServiceNow Provider (video)