ServiceNow Security App Installation and Configuration

This section describes how to install and configure the external app, Rapid7 Threat Command for Security Incident Response and Threat Intelligence App (ServiceNow Security App), in the ServiceNow platform.

The following table shows the version compatibility between the ServiceNow Security App and ServiceNow releases.

ServiceNow Security App: v2.1.0

Changes:

  • Add support for Utah and Vancouver releases
  • Updated Alert Attachment Support
  • Deprecated unused roles
  • Added support for fetching updated alerts automatically
  • Minor bug fixes

ServiceNow Releases: Rome, San Diego, Tokyo, Utah, and Vancouver

Before you can use the external app with Rapid7 Threat Command, you need to add it.

Add external app

Before using an external app, you must add it. There are two parts to adding an app:

  • Your admin must enable the app for you to add.
  • After that, you add the external app.

To add an external app:

  1. From the main menu, select Automation > Integrations.
  2. From the Integrations page, click External.
  3. Click Add new device.
  4. Select the Device type.
    A default name is added. If the external device to add isn't displayed, ask your admin to enable it for you.
  5. Click Add.

The new device is added.

Installing the ServiceNow Security App

The ServiceNow system administrator can install the ServiceNow Security App from the ServiceNow store.

Prerequisites:

  • You must be the ServiceNow system administrator.
  • You must have access to the ServiceNow Store.
  • You must have the Security Incident Response Module installed in the ServiceNow platform.
  • You must add the external app in Rapid7 Threat Command.

To install the ServiceNow App:

  1. Log in to the ServiceNow Store at https://store.servicenow.com/
  2. Search for Rapid7 ServiceNow Security App.
    You can reach the app directly here.
  3. Click the application to view the details.
  4. In the top-right corner of the form, click Manage Entitlements.
  5. Select your ServiceNow instances to install the application, then click OK.

The application is now available on the selected ServiceNow instances.

  1. Log in to the ServiceNow instance as a system administrator.
  2. Choose System Applications > All Available Applications > All.
  3. Search for Rapid7 ServiceNow Security App.
  4. Click Install.

The ServiceNow App is installed.

Configuring the ServiceNow IR App

After installing the ServiceNow Security App, the ServiceNow system administrator must configure the system. This configuration registers the ServiceNow Security App with your Rapid7 ETP Suite instance.

The ServiceNow system administrator is required to provide the Threat Command account ID and API key in the ServiceNow Security App. This enables the ServiceNow Security App to connect with your Rapid7 instance. For more information, see API key, account ID, and appliance key.

After the connection is established, the ServiceNow Security App will import all the available Threat Command alerts to ServiceNow as incidents.

Prerequisites:

  • You must be the ServiceNow system administrator.
  • You must have the Rapid7 ETP Suite API key and account ID.
  • The ServiceNow platform and Threat Command must be set to the same time zone. For more information, see Setting-up Time Zone.

To set up the ServiceNow Security App properties:

  1. Log in to ServiceNow as a system administrator.

  2. From the left navigation pane, choose Rapid7 ServiceNow Security App > Configurations.

  3. In the Account ID field, enter the Threat Command account ID.

  4. In the API Key field, enter the Threat Command API key.

  5. Click Check Connection.
    The system validates the account ID and API key. Upon successful validation, the Security Incident options are displayed.

  6. Configure the Security Incidents options:

    1. In the Select Type to fetch the Alerts field, select the Threat Command alert types to import.
    2. In the Select Severity to fetch the Alerts field, select the Threat Command alert severities to import.
    3. From the Report Date drop-down list, select how many days back to import alerts from.

    Note: By default, all alert types and severities are selected, and reporting is for the last 30 days.

  7. Click Update and Save.
    The system again validates the Account ID and API key. Upon successful validation, a job runs that imports all the open alerts from your Threat Command.