Integrating Expel Workbench with ServiceNow allows 2-way communication:
- New tickets in ServiceNow create alerts in Workbench.
- Status updates and other actions in Workbench update or close tickets in ServiceNow.
This guide contains 3 parts:
- ServiceNow integration: step-by-step instructions for integrating ServiceNow with Workbench.
- Standard workflows: available automatically after the integration is complete.
- Advanced workflows: available upon special request.
To configure ServiceNow with Workbench, contact your assigned Engagement Manager, or our Customer Success Engineers by tagging @cse in our joint Slack channel. You can also email email@example.com.
Step 1: Configuring ServiceNow API access for Expel
This procedure creates the user account and OAuth token required by Expel to communicate with your ServiceNow instance.
- Prerequisite: a ServiceNow administrator account with security_admin privileges.
- Log in to the ServiceNow instance using the administrator account.
- Elevate your role to security_admin.
- Navigate to User Administration, then Users, and create a new user account for Expel.
- Grant the Expel user the incident_manager role. This gives it the required permissions to access the incidents table from the REST APIs.
- Navigate to System OAuth > Application Registry > New.
- Click Create an OAuth API endpoint for external clients.
- Fill out the form and submit it.
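As an added check that is not part of the Expel or ServiceNow documentation, this Python script exercises the credentials created above the way Workbench will use them: it obtains a token with the OAuth password grant from ServiceNow's standard /oauth_token.do endpoint and then reads one record from the incident table, which is what the incident_manager role is meant to allow. The instance URL and credentials are placeholders, and the transport is a parameter so the logic can be tested offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: substitute your instance URL and the credentials noted in Step 1.
INSTANCE = "https://dev1234.service-now.com"


def urllib_http(method, url, body=None, headers=None):
    """Minimal urllib transport returning (status, parsed JSON); swapped out in tests."""
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:
        return e.code, {}


def build_token_request(instance, client_id, client_secret, username, password):
    """Return (url, form_body) for ServiceNow's password grant on /oauth_token.do."""
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    })
    return f"{instance}/oauth_token.do", body


def fetch_token(instance, client_id, client_secret, username, password, transport=urllib_http):
    """Exchange the Expel user's credentials plus the OAuth client for a bearer token."""
    url, body = build_token_request(instance, client_id, client_secret, username, password)
    status, resp = transport("POST", url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    token = resp.get("access_token")
    if status != 200 or not token:
        raise RuntimeError(f"token request failed: HTTP {status} {resp.get('error', 'no access_token')}")
    return token


def check_incident_access(instance, token, transport=urllib_http):
    """Read one incident via the Table API; 403 means the incident_manager role is missing."""
    url = f"{instance}/api/now/table/incident?sysparm_limit=1&sysparm_fields=number,state"
    status, payload = transport("GET", url, None, {"Authorization": f"Bearer {token}", "Accept": "application/json"})
    if status == 403:
        return False
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} from the Table API")
    return "result" in payload
```

Run fetch_token followed by check_incident_access before saving the device in Workbench; a False result points at the role grant, an exception at the OAuth registration or the user's password.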
Step 2: Configuring ServiceNow in Workbench
Now that access is configured and you have noted the credentials, follow these steps to finish the configuration in Workbench.
- Log in to https://workbench.expel.io.
- Navigate to Settings, then Security Devices.
- At the top right of the page, select Add New Device.
- Search for and select ServiceNow.
Complete all fields using the credentials and information you collected in Step 1:
- Name and Location: enter ServiceNow as the name and either Cloud or On-prem as the location.
- Server Address: the ServiceNow instance URL. For example: https://dev1234.service-now.com.
- Username and Password: Expel user credentials from Step 1.
- Client ID and Client Secret: OAuth token from Step 1.
- Assignment Group: Optional. You can leave it blank.
- Console Login: Optional. You can leave this section blank.
- Click Save.
After a few minutes, refresh the Security Devices page. The device status should report as Healthy; if there is an issue, the page shows details of what it may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.
These workflows are automatically available after the ServiceNow integration steps are complete.
Workbench can ingest ServiceNow tickets as alerts
Workbench can ingest alerts from ServiceNow if they are tagged for Expel. To enable this workflow, take the following steps.
- Create a ServiceNow ticket.
- Add the tag [EXPEL] to the beginning of the Short description.
- Enter all required fields.
This ticket appears in Workbench as an Alert for an Expel analyst to triage and investigate.
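As an added example that is not part of the Expel or ServiceNow documentation, the following Python code builds a ticket that Workbench will ingest: it normalises the Short description so the [EXPEL] tag sits exactly once at the very start, assembles a standard incident record, and posts it to the Table API. The instance URL and field values are placeholders, is_tagged_for_expel assumes an exact, case-sensitive match on the tag as this page spells it, and which fields your instance treats as mandatory is an assumption about its configuration.

```python
import json
import re
import urllib.request

EXPEL_TAG = "[EXPEL]"
# Placeholder instance URL; the bearer token comes from the OAuth setup in Step 1.
INSTANCE = "https://dev1234.service-now.com"


def tag_for_expel(short_description):
    """Return the Short description with [EXPEL] exactly once, at the very start.

    Workbench only picks up tickets whose Short description begins with the tag,
    so a tag that is missing, duplicated, lower-case or buried mid-string is
    normalised here rather than silently producing a ticket Expel never sees."""
    text = re.sub(r"\s*\[EXPEL\]\s*", " ", short_description, flags=re.IGNORECASE).strip()
    if not text:
        raise ValueError("short description must not be empty")
    return f"{EXPEL_TAG} {text}"


def is_tagged_for_expel(short_description):
    """Assumed ingestion rule: the tag, exactly as spelled, at the start of the text."""
    return short_description.lstrip().startswith(EXPEL_TAG)


def build_incident(short_description, description, caller_id, urgency="2", impact="2"):
    """Body for POST /api/now/table/incident using standard incident columns.
    Mandatory fields vary per instance (assumption: these are enough for a default one)."""
    return {
        "short_description": tag_for_expel(short_description),
        "description": description,
        "caller_id": caller_id,
        "urgency": urgency,
        "impact": impact,
    }


def create_incident(instance, token, body):
    """POST the record with the Step 1 bearer token and return the new ticket number."""
    req = urllib.request.Request(
        f"{instance}/api/now/table/incident",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as r:
        return json.load(r)["result"]["number"]
```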
Alert assignment changes in Workbench are reflected in ServiceNow
When the Expel analyst picks up the ticket and assigns it to themselves, this change is reflected in the ServiceNow ticket, so you can see in ServiceNow that the ticket is being worked by Expel.
In ServiceNow, you see the Assigned to field of the ticket is now set to Expel (expeluser).
Investigation status of alerts is reflected in ServiceNow
When Expel investigates an alert, we move the alert into an investigation (if we need more information to understand what happened) or an incident (if we have high confidence that unauthorized or high-risk activity has occurred).
In ServiceNow you see the following changes in the ticket:
- The ticket’s state is set to In Progress.
- The Assigned to field is set to Expel to indicate that Expel is actively investigating.
- The ticket’s Work notes are updated with the Workbench investigation or incident name and URL.
Closing the Workbench alert closes the ServiceNow ticket
An alert can be closed in one of two ways in Workbench:
- Directly from the Alerts list or grid view.
- Indirectly, after an investigation or incident containing that alert is closed.
In the case where the closed alert started as a ServiceNow ticket, you see the following in ServiceNow:
- The original ServiceNow ticket State is set to Resolved.
- The Work notes and Closure notes include the closed reason category and comment from Workbench.
These workflows are not part of the standard set because they require additional setup from Expel which must be done on an individual customer basis. If you'd like to use one or more of these workflows, contact your engagement manager.
Remediation or investigative actions assigned to you create tickets in ServiceNow
In Workbench, after a ServiceNow alert is added to an incident or an investigation, any remediation or investigative actions created and assigned to you are reflected in ServiceNow as separate tickets.
A ServiceNow ticket for an Investigative action:
- Has a short description identical to the investigative action email notification title, such as “<investigation/incident_shortname> - Investigation Action Assigned - <investigation_type>”.
- Has Assignment Group* assigned (*set during your ServiceNow Integration Onboarding).
- Contains a link to the investigative action in Workbench.
- Contains in its Work notes instructions and comments to perform the investigation.
[Figure: Investigative Action ServiceNow ticket from the incident queue view]
A ServiceNow ticket for a Remediation action:
- Has a short description identical to the remediation action email notification title, such as “<incident_shortname> - Remediation Action Assigned - <remediation_type>”.
- Has Assignment Group* assigned (*set during your ServiceNow Integration Onboarding).
- Contains a link to the Remediation Action in Workbench.
- Contains in its Work Notes instructions and comments to perform the remediation.
[Figure: Remediation Action ServiceNow ticket from the Incident Queue view]
[Figure: Remediation Action ServiceNow ticket from the Incident details view]
Remediation or investigative actions completed in Workbench close tickets in ServiceNow
This workflow allows for additional syncing and custom field settings. With this workflow, investigative, verify, and remediation actions completed in Workbench are closed in ServiceNow.