ServiceNow
You can configure Lacework to forward alerts to ServiceNow using the ServiceNow REST API.
Prerequisites
Lacework requires a ServiceNow user name with either a web_service_admin, rest_api_explorer, or admin role. Traditionally, ServiceNow also recommends adding either the itil or itil_admin role(s) to assist with incident creation. For management and security purposes, Lacework recommends creating a dedicated Lacework-ServiceNow user. For more information, refer to ServiceNow documentation for REST API Reference.
Create a ServiceNow Alert Channel from the Lacework Console
Go to ServiceNow
- Log in to the Lacework Console as a Lacework user with administrative privileges.
- Go to Settings > Notifications > Alert channels.
- Click + Add new.
- Select ServiceNow.
- Click Next.
- Follow the steps in the next section.
Create a ServiceNow Alert Channel
Ensure you have created a ServiceNow user and password as described in Prerequisites. Then complete the following steps:
- In the Name field, enter a name for the channel and click Next.
- From the Group Issues by drop-down, select one of the options:
- Events - Select this option if you want a single ServiceNow incident to be created when compliance events of the same type but from different resources are detected by Lacework. For example, if three different S3 resources are generating the same compliance event, only one ServiceNow incident is created.
- Resources - Select this option if you want multiple ServiceNow incident to be created when multiple resources are generating the same compliance event. For example, if three different S3 resources are generating the same compliance event, the ServiceNow incidents are created.
- In the User Name field, enter your ServiceNow user name.
- In the Password field, enter the password for the specified user name.
- In the Instance URL field, enter your ServiceNow instance URL.
- Optional—In the Custom Template File field, click Choose File to select a custom template file to populate values from a custom template JSON file. For more information, see the next section.
- Click Save.
- Click Alert rules and configure your required alert routing details/options by leveraging the alert channel you created.
You should now start to receive Lacework alerts in the ServiceNow security incident response system.
Populate Values in New ServiceNow Incidents from a Custom Template
If you want the ServiceNow alert channel to populate fields in the new ServiceNow incidents with values from a custom template JSON file:
- Ensure that you are logged into ServiceNow.
- Create a custom template JSON file with the populated values.
- Specify the file when creating the ServiceNow alert channel in the Lacework Console.
For example, if you want the new ServiceNow incidents created by the Lacework ServiceNow alert channel to preface the description with a string and set approval to Approved, specify the following in your custom template JSON file. For the description property, the value specified in the custom template JSON is prepended to the value provided by the ServiceNow alert channel.
{
"description" : "Generated by Lacework:",
"approval" : "Approved"
}
When creating the ServiceNow alert channel in the Lacework Console, you must also select the custom template file from the Custom Template File field.
For the field properties to specify in the JSON file, see the properties listed in the response of the POST /now/table/{tableName} ServiceNow REST API documentation.
Do not set the properties that start with the sys_ string.
Create a Lacework ServiceNow Alert Channel Using Terraform
For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables automated configuration of Lacework alert channels.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read through the Terraform for Lacework Overview to learn the basics on how to configure the provider, and more.
For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.
You can configure Lacework to forward alerts to ServiceNow using the ServiceNow REST API. Lacework requires a ServiceNow user name with either a web_service_admin, rest_api_explorer, or admin role.
For management and security purposes, Lacework recommends creating a dedicated Lacework-ServiceNow user. For more information, refer to the ServiceNow documentation for REST API Reference.
# Configure ServiceNow Alert Channel in Lacework
resource "lacework_alert_channel_service_now" "example" {
name = "ServiceNow Channel Alert Example"
instance_url = "snow-lacework.com"
username = "snow-user"
password = "snow-pass"
}
For more information on the lacework_alert_channel_service_now
resource, see Terraform Registry.