ServiceNow Security App Administration

This section describes various tasks related to the Rapid7 Threat Command for Security Incident Response and Threat Intelligence App (ServiceNow Security App).

Post incident reviews

When a security incident's status is set to Review, the assigned user must fill out the post-incident review assessment form for that incident.

Prerequisites:

  • The security incident status must be updated to Review.

To do a post-incident review:

  1. From the left navigation pane, choose Post Incident Review > My Pending Review.
  2. Select the desired security incident and click Take Assessment.
  3. Complete the assessment and click Submit.

Assign roles to the default assignment group

The default assignment group in the ServiceNow Security App is Rapid7. This section describes how to assign roles to that assignment group. Users in the Rapid7 assignment group who have the sn_si.analyst role can work on the security incident workflow of the ServiceNow Security App.

To assign roles:

  1. Log in to ServiceNow as a system administrator.
  2. From the left navigation pane, choose User Administration > Groups.
  3. Select the Assignment Group as Rapid7 and then open the record.
  4. In the Roles tab, click Edit.
  5. From the Collection List select the sn_si.analyst role and move it to the Role List.
  6. Click Save to assign the role.
  7. Click Update to save the record.

Setting up the time zone

The ServiceNow platform and Threat Command must use the same time zone. A time zone mismatch can cause incorrect security incident reporting in the ServiceNow Security App.

Prerequisites:

  • You must be in the Global scope of ServiceNow.
  • The ServiceNow Security App is installed on your ServiceNow platform.

To set up the time zone:

  1. Log in to ServiceNow.
  2. From the left navigation pane, choose System Properties > Basic Configuration > Configure available time zones.
  3. From the Available column, select the time zone and move it to the Selected column.
  4. Click Save.

The time zone is configured.

Configuring roles

The ServiceNow system administrator must create a user, or grant permissions to an existing user, for the ServiceNow Security App. The system administrator can create two types of users for the ServiceNow Security App:

| User | Role | Description |
|------|------|-------------|
| Admin | x_ints8_intsights.alert_dums_user, x_ints8_intsights.configuration_user, x_ints8_intsights.intSights_admin, x_ints8_intsights.intSights_scheduler, sn_si.admin | The user of this role will be the admin for the ServiceNow Security App. The admin user must be a member of the Rapid7 assignment group. See Assign roles to the Default Assignment group. |
| User | x_Ints8_intsights.intSights_user, sn_si.basic | The user of this role will be the end-user for the ServiceNow Security App. The user must be a member of the Rapid7 assignment group. See Assign roles to the Default Assignment group. |

Assign roles to user

This section provides instructions to assign the roles for the ServiceNow Security App.

To assign user roles:

  1. Log in to ServiceNow as a system administrator.
  2. From the left navigation pane, choose User Administration > Users.
  3. Select the user and open the user record.
  4. In the Roles tab, click Edit.
  5. Add the desired roles for the users from the Collection List and move the role to the Role List.
  6. Click Save to assign the role.
  7. Click Update to save the user record.
  8. Repeat steps 2 to 7 for each ServiceNow Security App user to assign roles.

Elevating to the Security Admin role

The ServiceNow Security App admin must have read and write access to update the custom schedule jobs.

Prerequisites:

  • You must be a system administrator in ServiceNow.
  • Elevate your role to security_admin.

To give the ServiceNow Security App admin role access to the scheduled jobs table:

  1. Log in to ServiceNow as a system administrator.
  2. Navigate to System Definition > Tables.
  3. In the Name search box, search for sysauto_script.
  4. Click the label name link to open the details.
  5. In the Related List section, open the read access control.
  6. Add the x_ints8_intsights.intSights_admin role for the access, then click Update.
  7. In the Related List section, open the write access control.
  8. Add the x_ints8_intsights.intSights_admin role for the access, then click Update.
  9. In the Related List section, open the create access control.
  10. Add the x_ints8_intsights.intSights_admin role for the access, then click Update.
  11. Click Update to save the information.
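
A check that can be run over exported role and group-membership rows to confirm that assignments match the role table in Configuring roles, and to list who holds the role that the steps above grant access to sysauto_script. This is an added example, not Rapid7 or ServiceNow code: the user names, the sample rows and the `expected` mapping are constructed, and it runs in Node.js rather than inside ServiceNow.

```javascript
// Added example: role names are copied from the role table on this page; sample rows are constructed.
// The page spells the scope prefix with mixed case, so role names are compared case-insensitively.
const REQUIRED = {
  admin: ['x_ints8_intsights.alert_dums_user', 'x_ints8_intsights.configuration_user',
          'x_ints8_intsights.intSights_admin', 'x_ints8_intsights.intSights_scheduler',
          'sn_si.admin'],
  user: ['x_Ints8_intsights.intSights_user', 'sn_si.basic'],
};
const norm = (s) => s.toLowerCase();
const JOB_ROLE = norm('x_ints8_intsights.intSights_admin'); // role added to the sysauto_script ACLs

// roleRows: [{user, role}], memberRows: [{user, group}], expected: {userName: 'admin' | 'user'}
function auditRoles(roleRows, memberRows, expected) {
  const held = new Map();
  for (const { user, role } of roleRows) {
    if (!held.has(user)) held.set(user, new Set());
    held.get(user).add(norm(role));
  }
  const inGroup = new Set(memberRows.filter((m) => m.group === 'Rapid7').map((m) => m.user));
  const findings = [];
  for (const user of new Set([...held.keys(), ...Object.keys(expected)])) {
    const roles = held.get(user) || new Set();
    const type = expected[user];
    if (roles.has(JOB_ROLE) && type !== 'admin')
      findings.push(`${user}: holds intSights_admin (scheduled job access) but is not a designated admin`);
    if (!type) continue; // not a designated app user: only the check above applies
    const missing = REQUIRED[type].filter((r) => !roles.has(norm(r)));
    if (missing.length) findings.push(`${user}: missing ${missing.join(', ')}`);
    if (!inGroup.has(user)) findings.push(`${user}: not a member of the Rapid7 assignment group`);
  }
  return findings;
}

// Constructed sample data, shaped like exports of sys_user_has_role and sys_user_grmember.
const roleRows = [
  ...REQUIRED.admin.map((role) => ({ user: 'alice', role })),
  { user: 'bob', role: 'x_Ints8_intsights.intSights_user' },
  { user: 'bob', role: 'sn_si.basic' },
  { user: 'carol', role: 'x_ints8_intsights.intSights_admin' },
  { user: 'dave', role: 'sn_si.basic' },
];
const memberRows = [{ user: 'alice', group: 'Rapid7' }, { user: 'dave', group: 'Rapid7' }];
const expected = { alice: 'admin', bob: 'user', dave: 'user' };

for (const line of auditRoles(roleRows, memberRows, expected)) console.log(line);
```

Because any holder of x_ints8_intsights.intSights_admin can create and edit scheduled scripts once the access controls are updated, the first finding type is the one to review before granting the role.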

Scheduling jobs

The Scheduled Jobs window displays the jobs that are scheduled to run at a predefined time. These scheduled jobs sync data between Threat Command and the ServiceNow Security App as defined in the job script. The administrator can also create custom scripts. By default, the Rapid7_FetchAlerts job is available in the ServiceNow Security App and runs automatically every 10 minutes.

Prerequisites:

  • You must be either the ServiceNow system administrator or the ServiceNow Security App admin.
  • You must have create and write access for the x_Ints8_intsights.intSights_admin role. See Elevating to the Security Admin role.

To schedule jobs:

  1. Log in to ServiceNow as a system administrator or the ServiceNow Security App admin.

  2. From the left navigation pane, choose Rapid7 ServiceNow Security App > Scheduled Jobs.

    The list of available scheduled jobs displays.

  3. Click New.

    The new record window displays.

  4. In the Name field, enter the job name.

  5. Check the Active box to mark the job as active.

  6. From the Run drop-down list, select when you want to run this script.

  7. In the Time field, enter the time to run this script.

  8. In the Run this script field, enter your custom script.

  9. Click Submit to save the script.

Once the script is validated, the system runs the job at the specified time.

Viewing logs

From the logs window, the ServiceNow system administrator or the ServiceNow Security App admin can configure and view all the ServiceNow Security App logs.

The ServiceNow Security App displays four types of logs:

  • ERROR: Error logs represent serious issues and the failure of an operation in the ServiceNow Security App.
  • WARN: Warning logs represent unusual situations in the ServiceNow Security App.
  • INFO: Info logs are informational messages that highlight the progress of the ServiceNow Security App.
  • DEBUG: Debug logs provide details about the application behavior.

To view logs:

  1. Log in to ServiceNow as a system administrator or the ServiceNow Security App admin.
  2. From the left navigation pane, choose Rapid7 ServiceNow Security App > Logs.

The Logs window displays.

Configuring the log level

The ServiceNow system administrator or ServiceNow Security App admin can configure the log level to view the logs accordingly. This section provides information to update the log level in the ServiceNow Security App.

Prerequisites:

  • You must be either the ServiceNow system administrator or the ServiceNow Security App admin.

To configure the log level:

  1. Log in to ServiceNow.
  2. From the left navigation pane, choose System Properties > Properties.
  3. In Search, search for x_ints8_rapid7.log_level.
  4. Open the property and in the Value field, enter the required value for the log level using the following table:

    | Log Level | Value |
    |-----------|-------|
    | ERROR     | 1     |
    | WARN      | 2     |
    | INFO      | 3     |
    | DEBUG     | 4     |

  5. Click Update to save.

Support

From the Support window, you can access the ServiceNow Security App support contact details. This window displays the Rapid7 support email address, contact number, and documentation information.

To view Support contact information:

  1. Log in to ServiceNow.
  2. From the left navigation pane, choose Rapid7 ServiceNow Security App > Support.

The Support window is displayed.