ServiceNow Integration
ThreatLocker can be directly integrated with the ServiceNow 'Incidents' table for ticketing.
Setting Up the ServiceNow Integration - ServiceNow Portal
If you do not already have an OAuth API set up in ServiceNow to accept information from external clients, set this up prior to completing the integration settings within the ThreatLocker portal.
In ServiceNow, navigate to System OAuth > Application Registry.
Select the 'New' button in the top right corner.
Select the top option, 'Create an OAuth API endpoint for external clients.
- Provide a name for the OAuth application. In our example, we used ThreatLocker SNOW.
- The Client ID will be prepopulated.
- The Client Secret can either be set by you, or you can leave it blank to be automatically generated by ServiceNow. (If allowing ServiceNow to set the Client Secret, after saving you will need to open the application again and select the 'Lock' icon to view the Client Secret.)
- Be sure to click' Submit' to save the OAuth application.
At a minimum, these are the only items that need to be saved to create an OAuth application in ServiceNow that will accept an integration with ThreatLocker.
Setting Up the ServiceNow Integration - ThreatLocker Portal
In the ThreatLocker portal, navigate to the Integrations page.
Search for ServiceNow.
Once selected, the sidebar will open.
- Provide a description/name for the integration. This is the name of the OAuth app displayed in ServiceNow in the Application Registry. The example below is named ThreatLocker SNOW.
- Instance Url - This is your organization's ServiceNow Url. -must be input without a \ at the end. For example, https://myinstance.service-now.com
- Client ID - This is the Client ID displayed for the specified OAuth app in ServiceNow.
- Client Secret- This is the Client Secret displayed for the specified OAuth App in ServiceNow.
- Username - This is the username used to log into ServiceNow.
- Password - This is the password used to log into ServiceNow.
Once you click 'Add,' the Client Secret and Password will be hidden from view. The Ticket Settings and Custom Mapping tabs will populate.
Ticket Settings
The Ticket Settings tab contains options for labeling directly from ServiceNow.
- Type - This is the table that the integration is mapped to. Currently, the only options are Incident and Service Request.
- Impact - Select the impact you wish to give Approval Requests from ThreatLocker.
- Urgency - Select the urgency you wish to give Approval Requests from ThreatLocker.
- Impact and Urgency are used by ServiceNow to calculate the Priority of the ticket.
- Assignment Group - Select the ServiceNow Assignment Group you want to use for Approval Requests.
5. Business Service - Select the desired Business Service classification for Approval Requests.
6. State - Select the state you want Approval Requests to be raised as. In our example, we selected 'New'.
7. Auto Close State - Select the state you want Approval Requests to be changed to when they are auto-closed. In our example, we selected 'Resolved.'
8. Escalation State - for organizations using Cyber Hero Approvals, if an Approval Request is escalated from the Cyber Heroes, select the status you wish those tickets to be labeled as in ServiceNow.
9. Category - Select the desired category for Approval Requests. In our example, we selected 'Software.'
10. Assignee - Select the ServiceNow user you want to assign Approval Requests to.
11. Tags - This contains all tags used in your ServiceNow environment. If you wish to apply any or all of the tags to Approval Requests, you may need to change access in ServiceNow to give write access to the label_entry.table and label_entry.table_key.
The fields located in the Ticket Settings tab can be left at all default values if desired.
Custom Mapping
The Custom Mapping tab provides the ability to map ServiceNow Fields to ThreatLocker Fields.
Please note: Only fields that are the data type of String will be displayed in the dropdown.
Select the field displayed in ServiceNow from the dropdown on the left, select the field displayed in ThreatLocker from the dropdown on the right, and click the blue '+' button to add that specific mapping. Continue mapping as few or as many fields as needed, selecting the '+' button each time until all desired fields are mapped.
Be sure to select the blue 'Save' button at the bottom left of the sidebar to complete the integration settings in ThreatLocker.
Now, Approval Requests received in ThreatLocker will also be received in ServiceNow, with the 'State' selected in the Ticket Settings tab. When tickets are closed in ThreatLocker, tickets will be closed in ServiceNow with the 'Auto Close State' selected in the Ticket Settings tab.
Custom Mapping Fields Not Showing in ThreatLocker
If after completing the setup custom fields using the String data type are not being displayed in the ThreatLocker integration sidebar, the username designated in the integration may not have appropriate permission in ServiceNow to access these fields. Follow the steps below to ensure appropriate permissions are granted.
- In the ServiceNow portal, navigate to User Administration > Users
- Select the Username designated in the ThreatLocker Integration
- Select the Roles tab and click on Edit
- Select the permissions needed to access the Incident table and the custom fields.
- At a minimum, the permissions needed for the Incident table are:
- Create
- Read
- Write
- At a minimum, read access must also be granted for the custom fields.
- At a minimum, the permissions needed for the Incident table are:
For additional help or to request a new feature for this integration, please reach out to a Cyber Hero.