Configure ServiceNow for CloudGuard Dome9 findings
This note describes the integration between Dome9 and ServiceNow, which sends Dome9 compliance findings to ServiceNow and creates actionable incidents that can be managed there.
The integration uses a purpose-built app in the ServiceNow store (here).
Key features of this integration
- Create fully-actionable ServiceNow incidents from CloudGuard Dome9 compliance findings
- Automate the life cycle of an incident
- Send Acknowledgment and Exclusion requests back to CloudGuard Dome9 for selected findings
- Click-thru links to entity details on the Dome9 UI
Set up the integration
- Install the ServiceNow Dome9 application in your ServiceNow instance (detailed steps are in the Installation Guide on the ServiceNow store).
- Configure users and roles on your ServiceNow instance.
- Configure a Dome9 Compliance Notification Policy to forward compliance findings to ServiceNow (using a webhook URL linked to the app).
- Configure Dome9 Compliance Rulesets and Compliance Policies to use this Notification Policy, so that findings are sent to ServiceNow.
Once you have configured the Dome9 app in ServiceNow and the Compliance Policy in Dome9, findings for the policy are forwarded to ServiceNow and appear there as incidents.
View findings in ServiceNow
Search for the Dome9 application from the ServiceNow dashboard (enter 'Dome9' in the search box).
The first view is the Dome9 app dashboard, which shows a summary of Dome9 incidents over time, a breakdown of incidents by severity, status, and platform, and a number of Top 10 charts showing leading accounts for incidents, leading entities, rules, etc.
Select Compliance Incidents, in the Navigation menu on the left, to see a list of Dome9 findings that have been sent to ServiceNow.
You can perform these actions, amongst others, on this view:
- filter or sort according to any of the columns, or using the filter menu (the three bars in the upper left)
- click on a record (finding) to show details for it
- select records with the select box on the left, to perform bulk operations
- create (and save) complex queries to search or filter for specific findings, according to keywords, dates, activity, and other fields
You can see details for individual findings:
The upper part shows details for the incident in ServiceNow, including the state.
The lower part shows details of the underlying Dome9 finding. The Dome9 Alert Attributes tab shows more detail for the finding, including the cloud account, region, entity, and ruleset.
You can perform these actions, amongst others, from this view:
- update the information (in ServiceNow)
- delete the incident from ServiceNow (the finding is not deleted from Dome9)
- acknowledge the finding on Dome9 (this marks it as 'acknowledged', a searchable/filterable attribute on Dome9)
- create an exclusion for this, and similar, findings on Dome9
- mark the incident as resolved on ServiceNow (findings are not marked as resolved or closed on Dome9; once the underlying cause of the finding is corrected, the finding is cleared when the next assessment run on the account no longer finds the issue)
- click-thru to see the original finding on Dome9 (in the Alert ID field), or detail for the entity (Entity Type field).
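The incident life cycle described above (a new finding opens an incident, an exclusion on Dome9 suppresses matching findings, resolving on ServiceNow does not clear the finding, and the finding is cleared only when the next assessment no longer reports it), as an added Python example that is not the Dome9 ServiceNow app's own code. The finding fields alert_id, rule and entity, the state names, and the reopen-on-resubmission behaviour are assumptions:

```python
# Added example: reconcile one Dome9 assessment run with an incident table.
# Not code from the Dome9 ServiceNow app; field and state names are assumed.
from dataclasses import dataclass


@dataclass
class Incident:
    alert_id: str
    rule: str
    entity: str
    state: str = "New"  # New -> Resolved (set in ServiceNow) -> Closed (cleared)


def reconcile(incidents, findings, exclusions=frozenset()):
    """Apply one assessment run to the incident table.

    - a new finding opens an incident, unless (rule, entity) is excluded on Dome9
    - a finding whose incident was Resolved in ServiceNow reopens it, because
      resolving on ServiceNow does not clear the finding on Dome9
    - an incident whose finding is absent from this run is Closed: the issue
      was fixed and the assessment no longer reports it
    Returns (incident table, list of (alert_id, action)) for audit.
    """
    table = dict(incidents)
    actions, seen = [], set()
    for f in findings:
        aid = f["alert_id"]
        if (f["rule"], f["entity"]) in exclusions:
            actions.append((aid, "skip-excluded"))
            continue
        seen.add(aid)
        inc = table.get(aid)
        if inc is None:
            table[aid] = Incident(aid, f["rule"], f["entity"])
            actions.append((aid, "create"))
        elif inc.state == "Resolved":
            inc.state = "New"
            actions.append((aid, "reopen"))
    for aid, inc in table.items():
        if aid not in seen and inc.state != "Closed":
            inc.state = "Closed"
            actions.append((aid, "close"))
    return table, actions


def demo():
    # Constructed sample data: incidents from a previous run, then a new run.
    previous = {
        "a1": Incident("a1", "S3 bucket public", "bucket-logs", state="Resolved"),
        "a2": Incident("a2", "SG open to 0.0.0.0/0 on 22", "sg-web"),
    }
    run = [
        {"alert_id": "a1", "rule": "S3 bucket public", "entity": "bucket-logs"},
        {"alert_id": "a3", "rule": "Root MFA disabled", "entity": "acct-123"},
        {"alert_id": "a4", "rule": "SG open to 0.0.0.0/0 on 22", "entity": "sg-bastion"},
    ]
    excluded = {("SG open to 0.0.0.0/0 on 22", "sg-bastion")}  # exclusion on Dome9
    return reconcile(previous, run, excluded)
```

Running demo() shows a1 reopened (it was resolved in ServiceNow but still fails), a3 created, a4 skipped by the exclusion, and a2 closed because the run no longer reports it.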
Dome9 Notification Policies
Dome9 Continuous Compliance Policies
CloudGuard Dome9 as a ServiceNow Provider (video)