ServiceNow ITSM Use Cases
This section describes these common use cases:
Authentication
This section describes how to configure the credentials the “Rapid7 Threat Command” app uses to fetch data into ServiceNow. The app relies on the default authentication mechanism supported by ServiceNow (Basic Auth).
Role Required: x_r7_rapid7_intsig.app_admin
- Log in to the ServiceNow instance.
- Navigate to “Rapid7 Threat Command for ITSM”.
- Click on “Rapid7 Threat Command for ITSM” -> “Configuration” -> “Authentication”.
- Clicking Authentication opens the view with a default record named “Rapid7 Threat Command”.
- Update the required fields: “Name”, “Account ID” and “API Key”.
- Users get a success message if their credentials are correct.
- If the credentials are wrong or empty, the user gets an error message.


Ingestion
This section describes how to configure the filters used for fetching Alerts from the “Rapid7 Threat Command” platform. Incident creation criteria specify the conditions under which an Incident is created. Incident mapping criteria specify the custom mapping of Alert fields to Incident fields.
Role Required: x_r7_rapid7_intsig.app_admin
- Log in to the ServiceNow instance.
- Navigate to “Rapid7 Threat Command for ITSM” -> “Configuration”.
- Click on “Ingestion”.
- The Ingestion form view opens with a default Name of “Fetch Alerts”, “Run” set to “Periodically”, “Active” set to “False” and “Checkpoint” empty for the initial ingestion. Users must check the “Active” checkbox for the scheduler to run automatically at the scheduled time.
  Note:
  - If “Checkpoint” is empty, the app fetches the past 3 months of data by default; otherwise users need to specify a value.
  - Users cannot select a future date as the checkpoint; the application shows an error message if a future date is selected.
  - After checking the “Active” checkbox, the user can configure the scheduler’s properties, such as the Repeat Interval, which determines when the scheduler runs.
  - By default, once active, the scheduler runs periodically every 30 minutes.
- Users can update the existing record. Change the existing details and click on the Update button to only update the configuration, or click on the Collect Data button to start the ingestion directly based on the updated configuration.
- The Alert Type, Source Type, Network Type, Severity and Remediation Status filters can be modified by clicking on the Lock button.
- Users can select multiple values for the above-mentioned filters from the Choice List provided.
- Users can select the Assigned, IsClosed and IsFlagged values from the dropdown list of the respective filter.
- Users should provide comma-separated values in Matched Asset Value and Tags according to their requirements.
- Users can provide the Mapping Configuration and Incident Creation Criteria by clicking on the “Incident Creation Criteria” section next to the “Filter Alerts” section.
- Users can provide a custom Mapping by clicking on the Magnifying Glass icon to view the list of available Incident Fields that can be mapped to the Rapid7 Alert Fields.
- After clicking on the Magnifying Glass icon, the list of available Incident Fields that can be mapped to the Rapid7 Alert Fields is shown; the user selects a field by clicking on it.
- Users can provide Incident Creation Criteria so that Incidents are created only for particular conditions. By default, the Incident Creation Criteria create Incidents only for Open Alerts.
- Users can see Assignment Group Criteria, used to define criteria for assigning an incident to a system group or a user. Users can click on the “New” button to create a new criterion.
- Clicking the “New” button opens the form view of Assignment Group Criteria with a default “Order” value of 100.
- Users can select groups and users by clicking on the magnifying glass next to “Assignment Group” and “Assigned To” respectively. Users provide the “Condition” by selecting a choice from the dropdown list.
  Note:
  - Users must select either “Assignment Group” or “Assigned To”. One of them is mandatory to save the record.
  - Assignment criteria only apply if the Alert does not have an “Assignee” field defined.
  - If the Alert has an “Assignee” value and it matches a ServiceNow user, the matched user is assigned to that incident directly.
  - If the Alert has an “Assignee” value but it does not match any ServiceNow user, the assignment criteria are checked.
- Once the “Assignment Group Criteria” configuration is done, users need to click on the “Submit” button to save the criteria.
  Note:
  - Users with the role “x_r7_rapid7_intsig.app_user” can only view Assignment Group Criteria; the New button is not displayed. They can collect data by clicking on the “Collect Data” button.
  - Where more than one Assignment Group Criteria record exists, the lowest Order executes with the highest priority when assigning the Group and/or User to the Incident.
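The two rules above that are easiest to get wrong in practice are the “Checkpoint” handling of the Fetch Alerts job (empty means the past 3 months, future dates are refused) and the precedence used when an Incident is assigned (an Alert “Assignee” matching a ServiceNow user wins outright; otherwise the Assignment Group Criteria run from the lowest Order upward). The block below is an added example, not code from the Rapid7 Threat Command for ITSM app, that models both rules in plain JavaScript so the behaviour can be checked offline. The function names, the data shapes (`alert.assignee`, a `users` array, `criteria[].condition` as a predicate), the `now` parameter and the case-insensitive user match are assumptions for illustration; the app keeps these in its own ServiceNow tables.

```javascript
// Added example, not the app's own code. Models two documented rules:
//   (1) the "Checkpoint" rule of the Fetch Alerts job: empty = past 3 months,
//       a future date is rejected with an error;
//   (2) Incident assignment precedence: an Alert "Assignee" that matches a
//       ServiceNow user is assigned directly, otherwise the Assignment Group
//       Criteria are evaluated from lowest Order to highest.
// Names, data shapes, the 'now' parameter and the case-insensitive user match
// are assumptions for illustration.

const DEFAULT_LOOKBACK_MONTHS = 3;
const DEFAULT_CRITERIA_ORDER = 100; // documented default "Order" of a new criterion

// Subtract whole months from a UTC date, clamping the day of month so that
// 31 May minus 3 months lands on the last day of February instead of March.
function monthsBefore(date, months) {
  const target = new Date(Date.UTC(
    date.getUTCFullYear(), date.getUTCMonth() - months, 1,
    date.getUTCHours(), date.getUTCMinutes(), date.getUTCSeconds()));
  const lastDay = new Date(Date.UTC(
    target.getUTCFullYear(), target.getUTCMonth() + 1, 0)).getUTCDate();
  target.setUTCDate(Math.min(date.getUTCDate(), lastDay));
  return target;
}

// Returns the timestamp from which alerts should be fetched.
// Empty checkpoint -> now minus 3 months; future or unparsable -> error.
function resolveCheckpoint(checkpoint, now = new Date()) {
  if (checkpoint === undefined || checkpoint === null || String(checkpoint).trim() === "") {
    return monthsBefore(now, DEFAULT_LOOKBACK_MONTHS);
  }
  const parsed = new Date(checkpoint);
  if (Number.isNaN(parsed.getTime())) {
    throw new Error("Checkpoint is not a valid date: " + checkpoint);
  }
  if (parsed.getTime() > now.getTime()) {
    throw new Error("Checkpoint cannot be a future date");
  }
  return parsed;
}

// Documented rule: either Assignment Group or Assigned To is mandatory.
function validateCriterion(criterion) {
  if (!criterion.assignmentGroup && !criterion.assignedTo) {
    throw new Error("Assignment Group Criteria needs an Assignment Group or an Assigned To");
  }
  return criterion;
}

function criterionOrder(criterion) {
  return criterion.order === undefined ? DEFAULT_CRITERIA_ORDER : criterion.order;
}

// alert: { assignee, severity, ... }; users: ServiceNow user names (assumed shape);
// criteria: [{ order, assignmentGroup, assignedTo, condition(alert) -> boolean }]
function resolveAssignment(alert, users, criteria) {
  if (alert.assignee) {
    const wanted = String(alert.assignee).toLowerCase();
    const match = users.find((u) => u.toLowerCase() === wanted);
    if (match) {
      // Assignee matched a ServiceNow user: assigned directly, criteria are skipped.
      return { assignedTo: match, assignmentGroup: null, source: "alert-assignee" };
    }
  }
  // No Assignee, or no matching user: lowest Order runs with highest priority.
  const ordered = criteria.map(validateCriterion)
    .sort((a, b) => criterionOrder(a) - criterionOrder(b));
  for (const c of ordered) {
    if (c.condition(alert)) {
      return {
        assignedTo: c.assignedTo || null,
        assignmentGroup: c.assignmentGroup || null,
        source: "criteria:" + criterionOrder(c),
      };
    }
  }
  return null; // no criterion matched: the Incident stays unassigned
}

// Constructed sample data for a stand-alone run (not real users or groups).
const SAMPLE_USERS = ["alice", "bob"];
const SAMPLE_CRITERIA = [
  { order: 100, assignmentGroup: "SOC Tier 1", assignedTo: null, condition: () => true },
  { order: 50, assignmentGroup: "SOC Tier 2", assignedTo: null,
    condition: (a) => a.severity === "High" },
];

if (typeof require !== "undefined" && require.main === module) {
  const now = new Date("2024-05-31T12:00:00Z");
  console.log(resolveCheckpoint("", now).toISOString());
  console.log(resolveAssignment({ assignee: "Alice", severity: "High" }, SAMPLE_USERS, SAMPLE_CRITERIA));
  console.log(resolveAssignment({ assignee: "nobody", severity: "High" }, SAMPLE_USERS, SAMPLE_CRITERIA));
}
```

Two points worth noting from running it: with an Alert assignee of “nobody” (no matching user) the High-severity alert goes to “SOC Tier 2” because its Order of 50 beats the catch-all criterion at 100, and a criterion with neither group nor user is rejected before any ordering happens, which mirrors the mandatory-field rule in the note above.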
Rapid7 Threat Command Data
Alerts
The “Alerts” section allows users to view Alerts fetched from the “Rapid7 Threat Command” platform. Users can view the list of alerts and their details. Users can also create an Incident from a specific alert.
Role Required: x_r7_rapid7_intsig.app_admin or x_r7_rapid7_intsig.app_user
- Log in to the ServiceNow instance.
- Navigate to “Rapid7 Threat Command for ITSM”.
- Click on “Rapid7 Threat Command for ITSM” -> “Rapid7 Threat Command Data” -> “Alerts”.
- Clicking Alerts opens the list view.
- Open any Alert by clicking on its AlertId to view its details. All fields are read-only.
- Click on the “Create Incident” button to create a new Incident for the opened Alert. The new Incident is created and assigned to the Incident field of the Alert.
- Users can view the created Incident by clicking the info button next to the Incident field. Note: the “Create Incident” button is only visible when either the Alert has no Incident assigned or the Incident linked to the Alert is closed.
- Click on the “Delete” button to delete the opened Alert.
- On clicking the Delete button, the assigned Incident is closed first and then the Alert is deleted.
- Users can also delete multiple Alerts by selecting their checkboxes in the list view.
- Users with the “x_r7_rapid7_intsig.app_user” role can only view Alert details. They can create an Incident but cannot delete any Alert.
Monitoring
The “Rapid7 Threat Command for ITSM” application provides the functionality to monitor the jobs that fetch data. Users can see detailed information about job status and processes.
Role Required: x_r7_rapid7_intsig.app_admin or x_r7_rapid7_intsig.app_user
Procedure:
- Log in to the ServiceNow instance.
- Navigate to “Rapid7 Threat Command for ITSM” -> “Monitoring”.
- Click on “Process Monitor”.
- Click on any record to check the status of that process.
- The record shows the job start time, end time, status, and periodically updated logs for the job process.
- If the application fails to retrieve some alerts, “Missed Alert IDs” lists their IDs. These IDs are fetched during the next on-demand or scheduled ingestion.
- A newly created job fails with the message “There is already a job running” if another job is already running.
- Note: All fields in the process monitor are read-only.