ServiceNow CMDB Integration
The information on this page has moved
For the most up to date ServiceNow CMDB guidance, go to Integrate InsightCloudSec with ServiceNow.
The InsightCloudSec ServiceNow Configuration Management Database (CMDB) integration provides end-to-end integration for managing cloud asset inventory and cloud configurations, synchronizing InsightCloudSec resources with Configuration Items (CIs) in the CMDB using a ServiceNow Application. This integration allows dynamic creation, management, and deletion of CIs based on the status of cloud resources in InsightCloudSec, facilitating quick assessment and response to configuration and resource changes in your cloud environments. If you have any questions or trouble setting up or using the integration, contact support.
Prerequisites
- InsightCloudSec:
- Domain administrator permissions
- ServiceNow:
- System administrator permissions
- Version
Utah
,Vancouver
, orWashington
- Global system properties:
glide.http.outbound.max_timeout.enabled = false
glide.outbound_http_log.override.level = all
glide.outbound_http.content.max_limit = 10000
glide.outbound_http_log.override = true
- Plugins installed:
- CMDB CI Class Models (
sn_cmdb_ci_class
) - 1.53.0 - Discovery and Service Mapping Patterns (
sn_itom_pattern
) - 1.10.1 - Cloud Provisioning and Governance Core (
com.snc.cloud.core
)
- CMDB CI Class Models (
CMDB data ingest dependent upon plugins
If the Discovery and Service Mapping Patterns and Cloud Provisioning and Governance Core plugins are installed, the InsightCloudSec resources data will be ingested in the respective CMDB tables. Otherwise, data will be ingested into the cmdb_ci_cmp_resources
table for dependent classes.
Installation and Setup
Step 1: Install the InsightCloudSec CMDB Integration in ServiceNow
Before ServiceNow can begin ingesting InsightCloudSec resources into your CMDB, you first need to download and install the Rapid7 InsightCloudSec CMDB Integration.
To download and install the InsightCloudSec CMDB Integration:
- Login to ServiceNow.
- Open the ServiceNow store.
- Using the search field, type
InsightCloudSec
. - Click the Rapid7 InsightCloudSec CMDB Integration card.
- Click Get, then provide the HI credentials for your ServiceNow instance.
- Once the integration has been added, open your ServiceNow instance and navigate to Applications > All Available Applications > All.
- Using the search field, type
InsightCloudSec
. - Click Install in the Rapid7 InsightCloudSec CMDB Integration application listing.
Step 2: Create the InsightCloudSec CMDB Integration Users
After installing the integration, it is best practice to create at least one user to interface and manage the corresponding ServiceNow application. Follow the instructions using ServiceNow's documentation to create a user and assign a role to the user. At the very least, we recommend creating an Application Admin user that is assigned the x_r7_rapid7_ics_cm.ics_admin
, cmdb_read
, workflow_admin
roles.
Step 3: Configure the InsightCloudSec CMDB Integration
Using the new Application Admin user you created in the previous step, you'll need to configure authentication to InsightCloudSec and application properties as necessary.
To configure authentication:
- Login to ServiceNow as your new Application Admin user.
- Navigate to Rapid7 InsightCloudSec CMDB Integration > Configuration.
- Provide a unique Name for the configuration.
- For the Token, provide a portal-generated API key for the InsightCloudSec endpoint. To generate an API key, click the provided link in ServiceNow.
- For the Host, provide the URL for your InsightCloudSec instance.
- Click Update.
To configure application properties:
Need more information on the properties?
For more information on the properties, review the Application Properties Reference drop-down in this section.
- Navigate to Rapid7 InsightCloudSec CMDB Integration > System Properties.
- Update the properties as necessary, then click Save.
Application Properties Reference
Property Name | Description | Default |
---|---|---|
x_r7_rapid7_ics_cm.api_idle_interval | Minimum interval time between two API calls in seconds. | 5 |
x_r7_rapid7_ics_cm.Connection_Timeout | Timeout for all REST calls in seconds. | 600 |
x_r7_rapid7_ics_cm.page_limit | Page size of API call. Users can fetch a maximum of 1000 records in a single API call. | 1000 |
x_r7_rapid7_ics_cm.idle_count | Maximum number of retries to be performed for API failures. | 3 |
x_r7_rapid7_ics_cm.idle_interval | Minimum interval between API calls in seconds when an HTTP response code 429 or 500 is received. | 30 |
x_r7_rapid7_ics_cm.invalidate_job | Number of days to terminate a long-running process monitor job. | 3 |
x_r7_rapid7_ics_cm.api_max_wait_time | Maximum API response waiting time in seconds. | 180 |
Step 4: Activate InsightCloudSec Schedulers and Data Imports
After successfully downloading, installing, and configuring the integration, you have to activate all the corresponding scheduled import jobs to begin ingesting InsightCloudSec resources into your CMDB. For more information on managing and cancelling ServiceNow jobs like Resource Import, Resource Type Import, Scope Import, and Resource Soft Delete, review the ServiceNow documentation.
To activate InsightCloudSec schedulers:
- In your ServiceNow instance, navigate to System Definition > Scheduled Jobs.
- Add the Application column to the list view.
- Using the search field in the Application column, type
Rapid7 InsightCloudSec CMDB Integration
. The list should filter to only display the jobs associated with the Rapid7 InsightCloudSec CMDB Integration. - Update all of the jobs' Active column to
true
.
To activate InsightCloudSec data imports:
- In your ServiceNow instance, navigate to System Definition > Scheduled Imports.
- Add the Application column to the list view.
- Using the search field in the Application column, type
Rapid7 InsightCloudSec CMDB Integration
. The list should filter to only display the jobs associated with the Rapid7 InsightCloudSec CMDB Integration. - Update all of the jobs' Active column to
true
.
Using the Integration
After the schedulers and data imports have successfully completed, you can view all imported resources from the Rapid7 InsightCloudSec CMDB Integration > Resources page. Click any resource to review details in read-only mode. You can also navigate to CMDB records directly through list view by clicking on the name under the Configuration Item column.
Timezone difference?
The time zone between the ServiceNow platform and your InsightCloudSec platform must be the same. A mismatch between the time zones can cause incorrect reporting in the application. Review the ServiceNow knowledge base for information on updating the system timezone.
Troubleshooting
For assistance with troubleshooting the integration, we recommend reviewing the application process monitor and logs.
Process Monitor
The application provides a Process Monitor module under the Diagnostics menu for reviewing high-level metrics from past runs of the feature. This module generates a list of all the processes with a corresponding scheduled job name and descriptive logs with the total count and reason for a process failure. In ServiceNow, navigate to Rapid7 InsightCloudSec CMDB Integration > Diagnostics > Process Monitor to get started. For details on the various statuses that appear in the process monitor, review the Process Monitor Status Reference drop-down.
Is a scheduled job taking time to reflect on the process monitor?
ServiceNow's backend scheduler will check any eligible jobs that need to be executed every 18 seconds. Once the backend scheduler is executed, all queued jobs will be picked for execution and the process monitor will be updated to reflect.
Process Monitor Status Reference
Process Name | Description |
---|---|
Initiated | Whenever the job is initiated. |
In Progress | Whenever the job is in progress that means the queue is getting processed for that job. |
Failed | Whenever the job fails due to any failure in API Call, MID server is down, or a selected configuration is deleted. If any job is running for 3 days, then the job will be failed forcefully and marked as Failed. |
Completed | Whenever the job is completed successfully. |
Completed with Error | Whenever the job is completed but all queues are not processed successfully (combination of failed and processed queues), there is an Identification Reconciliation Engine (IRE) error, or there is some unknown error. |
Need more details on IRE errors?
You can update the glide.cmdb.logger.source.identification_engine
global system property to *
and re-run the scheduled job to add more details to the system logs.
Application Logs
Application logs can be viewed from the integration itself or in the system log (if configured). Navigate to Rapid7 InsightCloudSec CMDB Integration > Application Logs to see only the application-specific logs. For more information on system logs, review the ServiceNow documentation.
IRE Errors
If you're noticing an excess amount of IRE errors in the Application logs, this may be because the length of the Account ID is more than the CMDB will allow.
To update the length of the Account ID:
- Login to ServiceNow.
- Navigate to the CMDB CI Cloud Service Account list.
- Update the length of the Account ID column to
255
.
If you can't change the length of the Account ID using the previous method, try navigating to System Definition > Scripts - Background and running the following script
text
1var gr = new GlideRecord("sys_dictionary");2gr.addEncodedQuery("nameSTARTSWITHcmdb_ci_cloud_service_account^elementSTARTSWITHaccount_id");3gr.query();4if(gr.next()) {5gr.max_length = 255;6gr.setWorkflow(false);7gr.update();8}