The IT Service Management (ITSM) and Security Incident Response (SIR) modules are supported for integration with Expel Workbench. The steps listed in this guide universally apply to both.
Expel offers a notification synchronization capability for ServiceNow. Synchronization refers to Workbench's ability to continuously update a ticket based on state changes in Workbench. See the Reference section for more information about notification synchronization.
Note
ServiceNow is not used to ingest your security signal for MDR purposes. It is only used to support notifications.
Synchronization is only available for Workbench Investigations or Incidents.
Additionally, this plugin cannot be customized. If you are seeking customizable payloads for Workbench notifications, please use webhooks or the email ticketing system instead.
Prerequisites
- You must have a ServiceNow Administrator account with security_admin privileges.
- You must have the ITSM or SIR module added and enabled on the ServiceNow account.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
- Configure ServiceNow API Access For Expel
- Add ServiceNow as a Security Device in Workbench
- Configure ServiceNow Notifications in Workbench
Step 1: Configure ServiceNow API Access For Expel
- Log in to the ServiceNow instance using the administrator account.
- Elevate your role to security_admin.
- Navigate to User Administration > Users and select New in the upper right corner.
- For the User ID field, enter "expeluser". The rest of the fields can be left blank.
- Select Submit.
- From the Users list, select expeluser.
- On the User page, select Set Password.
- Select Generate. Copy the password and save it to a safe place.
- Select Save Password.
- Select Close.
- Still on the User page, scroll down to the Roles tab and select Edit.
- Grant the Expel user the appropriate role depending on your choice of module. This gives it the required permissions to access the incidents table from the REST APIs.
ITSM module:
- Enter "incident_manager" in the Collection field.
- Select incident_manager in the list builder and select > to add it to the Roles List.
- Select Save.
SIR module:
- Enter "sn_si.manager" in the Collection field.
- Select sn_si.manager in the list builder and select > to add it to the Roles List.
- Select Save.
- Navigate to System OAuth > Application Registry.
- Select New in the upper right.
- Select Create an OAuth API endpoint for external clients.
- Provide a Name for the registry.
- The default settings can be left as is.
- Select Submit.
- On the Application Registries page, select the name of the registry you just created.
- Copy the Client ID and Client Secret and save them in a safe place, as you will need these values in a later step.
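A pre-flight check, added here and not part of Expel's or ServiceNow's documentation, that confirms the Step 1 user, role grant and OAuth client can read the chosen module's incident table before the same values are entered in Workbench in Step 2. It assumes ServiceNow's password-grant token endpoint /oauth_token.do and Table API, the SIR table name sn_si_incident, and the environment variables SN_SERVER, SN_CLIENT_ID, SN_CLIENT_SECRET, SN_PASSWORD and SN_MODULE.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

USERNAME = "expeluser"  # the user created in Step 1
# Incident table the Expel user must be able to read, keyed by module.
# "incident" is the standard ITSM table; the SIR table name is assumed.
TABLE_BY_MODULE = {"ITSM": "incident", "SIR": "sn_si_incident"}

def token_request(server, client_id, client_secret, password):
    """Password-grant token request (URL, form body) for /oauth_token.do."""
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": USERNAME, "password": password,
    })
    return server.rstrip("/") + "/oauth_token.do", body

def table_url(server, module):
    """Table API URL that reads one record from the chosen module's incident table."""
    table = TABLE_BY_MODULE[module.upper()]  # KeyError for anything but ITSM/SIR
    return f"{server.rstrip('/')}/api/now/table/{table}?sysparm_limit=1"

def check_table_read(status, body_text):
    """Map the Table API status to the Step 1 item most likely to be wrong."""
    if status == 401:
        return "token rejected: check client ID/secret and the expeluser password"
    if status == 403:
        return "no read access: check the incident_manager / sn_si.manager role grant"
    if status != 200:
        return f"unexpected HTTP {status}"
    return "ok"

def main():
    e = os.environ  # SN_SERVER, SN_CLIENT_ID, SN_CLIENT_SECRET, SN_PASSWORD, SN_MODULE
    url, body = token_request(e["SN_SERVER"], e["SN_CLIENT_ID"], e["SN_CLIENT_SECRET"], e["SN_PASSWORD"])
    with urllib.request.urlopen(urllib.request.Request(url, data=body.encode())) as r:
        token = json.load(r)["access_token"]
    req = urllib.request.Request(table_url(e["SN_SERVER"], e["SN_MODULE"]),
                                 headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as r:
            print(check_table_read(r.status, r.read().decode()))
    except urllib.error.HTTPError as err:
        print(check_table_read(err.code, ""))

if __name__ == "__main__":
    main()
```

A 403 here means the OAuth client and password are fine but the role from the module-specific step was not granted; fix that before adding the device in Workbench.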
Step 2: Add ServiceNow as a Security Device in Workbench
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Security Devices.
- Select Add Security Device.
- In the search box, type “ServiceNow” and then select the ServiceNow integration.
- Complete the fields as follows:
- Name - enter a name that might help you more easily identify this integration, such as “CompanyName ServiceNow”; this name will display in Workbench under the Name column, and is a text string that you can filter on.
- Location - enter the location of your integration, for example “cloud”; this is also a text string that you can filter on, so we recommend being consistent with location naming across your Expel integrations.
- Username and Password - enter "expeluser" for the username, and enter the password you created in Step 1.
- Server - enter the URL from the ServiceNow instance you configured the Expel user on in Step 1. For example: https://dev1234.service-now.com.
- Client ID and Client secret - enter the ID and secret you obtained in Step 1.
- Module - use the dropdown to select the appropriate option depending on whether you are adding an ITSM or SIR device.
- Assignment group - this is optional and can be left blank.
- Console Access - granting Workbench access to your ServiceNow console is optional.
- Select Save.
- Your device should be created successfully within a few seconds. A few reminders:
- To check on the status, select the downward arrow for your device in the first column and choose View details. You can then scroll to the Connection section to see if your device is fully connected.
- You must refresh the page to see updates.
- Note that a status of "N/A" for Last successful poll is expected.
- If your device does not report a healthy connection, check that the values you entered into Workbench are correct. If you need further troubleshooting, contact our Support team.
- In the Integrations tab on the Organization Settings page, look for a new section titled ServiceNow, and ensure it says Enabled. If it does, proceed to Step 3: Configure ServiceNow Notifications in Workbench. If there is no new ServiceNow section, continue to the next step.
- In the side menu, navigate to Organization Settings > My Organizations and select the name of your organization.
- Select the Integrations tab.
- Scroll to the ServiceNow section and select Enable ServiceNow integration.
Step 3: Configure ServiceNow Notifications in Workbench
- Navigate to Organization Settings and select the Notifications tab.
- Select Add Notification.
- Complete the fields as follows:
- Conditions - select an event, and then select an action; some events may also allow you to add one or more conditions.
Note
There is a specific setting available for ServiceNow integrations: has any state change. If configured, whenever an Investigation or Incident is updated in Workbench, comments are appended to the associated ServiceNow ticket. The comments include a URL back to the original Investigation or Incident, and details about the update.
- Notify via - select your ServiceNow integration.
- Select Save.
Reference
Synchronization Capabilities
Synchronization is only available for Incidents and Investigations. Upon creation of a ServiceNow ticket, any subsequent change or update associated with that Investigation or Incident is captured and logged as a comment on that same ticket. Fields are not currently updated.
For example, if any of the following occurs, a comment is added to the ServiceNow ticket that was created when the Investigation/Incident opened in Workbench:
- an Expel alert is added to the Investigation/Incident
- a Verify/Notify action is created and sent as part of the Investigation/Incident
- a Remediation Action is assigned, automated, or completed as part of the Investigation/Incident
When a ticket is created, the following fields are set:
- Title - Name of Workbench event (example: [ORG-XXX] Incident created: Authentication from suspicious country)
- Description - Includes URL to Workbench event (Incident or Investigation) and details about the event.
- Incident State - Set to In Progress.
- Caller - Set to Expel Integration.
Supported Synchronization Events
For the below events, one ServiceNow ticket is created and continuously updated throughout the lifecycle of the Investigation or Incident.
Workbench Event | State or Action | What happens in ServiceNow? |
---|---|---|
Incident | Created | Ticket created |
Incident | Assigned | Comment added to ticket |
Incident | Closed | Comment added to ticket |
Incident | Downgraded | Comment added to ticket |
Incident | Promoted | Comment added to ticket |
Incident | Reopened | Comment added to ticket |
Incident | Remediation Action assigned/completed/failed | Comment added to ticket |
Investigation | Created | Ticket created |
Investigation | Alert added | Comment added to ticket |
Investigation | Assigned | Comment added to ticket |
Investigation | Closed | Comment added to ticket |
Investigation | Reopened | Comment added to ticket |
Investigation | Investigative Action created/assigned/approved/denied (this includes Verifies) | Comment added to ticket |
Unsupported Synchronization Events
For the below events, one unique ServiceNow ticket is created for each event. For example, if configured, an Expel Alert opening would yield one ServiceNow ticket. If configured, when that Expel Alert is closed, it would yield another ServiceNow ticket.
Workbench Event | State or Action | What happens in ServiceNow? |
---|---|---|
Expel Alert | Created | Ticket created |
Investigative Action | Analysis assigned | Ticket created |
Investigative Action | Assigned | Ticket created |
Investigative Action | Manual action | Ticket created |
Notify Action | Assigned | Ticket created |
Verify Action | Assigned | Ticket created |
Verify Action | Approved | Ticket created |
Verify Action | Denied | Ticket created |
Custom Rule | Created | Ticket created |
Assembler health status change | First Time Healthy | Ticket created |
Assembler health status change | Unhealthy | Ticket created |
Assembler health status change | Healthy | Ticket created |
Security Device health status change | First Time Healthy | Ticket created |
Security Device health status change | Unhealthy | Ticket created |
Security Device health status change | Healthy | Ticket created |