Rapid7 InsightVM Builtin ServiceNow Remediation Projects Integration

This document describes how to create a ServiceNow ITSM ticketing integration in InsightVM. If you don’t have a ServiceNow ITSM environment yet, you can create a free trial environment at https://developer.servicenow.com/.

To create a trial ServiceNow environment

  1. Go to https://developer.servicenow.com/ and click on “Register”
  2. Fill in the requested information and click “Submit”

  3. After that you will receive an account verification email

  4. After clicking the verification link in the email, you can sign in to your account at https://developer.servicenow.com/

  5. After clicking “Sign In” with your account, you need to accept the “ServiceNow Developer Agreement”

  6. After accepting the agreement, tell a bit about yourself and click “Submit”

  7. You can now request an instance from Manage Instance
  8. Request your instance by clicking it

  9. Tell a little bit about why you are requesting this instance and click “I understand”. Basically, this instance will be reclaimed after 10 days of inactivity and will be shut down after a certain period of hours (but you can restart it without losing data)

This instance differs from normal instances in the following ways:

  • They are returned to the pool of available instances if they go unused for ten days. Duration may change due to availability.
  • There is no guarantee on availability. We do expect shortages as we expand capacity.
  • They cannot be clone targets for customer or partner production or non-production instances.
  • They cannot be interlinked via team development to customer or partner non-production instances since they belong to ServiceNow.
  • They are prevented from making applications available to other instances or publishing applications to the ServiceNow Store.
  10. After that you can choose which version you want. We will use the latest release, which is Jakarta.


  11. The credentials and URL unique to your instance will be shown next

  12. Log in with this password and change it as requested


  13. After that your instance is ready
  14. Then create a user. The user must be “Active”. Here we create a user named “linuxadmin”.

  15. Then find this user, named “Linux Administrators” with a user ID of “linuxadmin”. Click on that user, scroll down and edit “Roles”. This is the user that tickets will be assigned to.

  16. We define the user’s roles. In our documentation this user must have roles of

admin

OR

itil_admin

itil

mid_server

For ease of use we will use the “admin” role for now.

  17. After completing the required steps in ServiceNow, it is time to go to InsightVM and create a ticketing connection and then a Remediation Project. To create the ticketing connection you need the URL of your ServiceNow ITSM instance

Click on “Add a ticketing connection”. Choose ServiceNow and click “Configure”

  18. Enter the details for the connection. URL is your instance’s URL. After you click “Save and Continue” it will take a while: if the authentication is successful, it fetches additional data for the following screens.


  19. In this section we create a field mapping between ServiceNow ITSM and InsightVM ticketing. On the following screen, if a ticket is in the “Closed” or “Resolved” state, we mark it in the InsightVM Remediation Project as “Awaiting Verification”. Thus a ticket can’t be closed in InsightVM unless a scan of the asset actually finds the vulnerability fixed. If the system administrator thinks a ticket was opened falsely, he can set it to “Canceled”, and the ticket will then be in the “Will Not Fix” state.

  20. After that we choose a Project from the available Projects in ServiceNow.

  21. Specify values to be set when tickets are created. The Syntax Help contains variables you can use to include remediation data on the tickets. Suggested default values have been provided.

  22. In this step, you can create rules for assigning automatically generated tickets to your team members based on factors like the ownership of assets and expertise of the assignees. The list of rules is set up in order of preference, and every ticket is assigned based on the first rule whose asset filter conditions are satisfied. If no rule is matched, the incident gets assigned to the Default Assignee. After adding a Rule Name and Default Assignee, click New Rule

  23. After clicking New Rule you add a new “assignment rule” based on criteria. In this window you define a rule for who a ticket will be assigned to, based on information from the remediation details. You will be able to create multiple rules, and set an order in which to apply them.

At step 22 we created a default assignee: if no matching rule is found, the ticket is assigned to the “Default Assignee”. In this step (23) we can create multiple rules, which are matched by Priority (1 is the first one to match). So after applying two Assignment Rules like the following, you can add more Assignee Rules if required
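The first-match behaviour described above, modelled as an added example (not Rapid7's code and not part of the original document): rules are tried in priority order with the Default Assignee as fallback, so a broad rule placed first can silently shadow a narrower one. The asset fields, rule names and the `sysadmin` and `secops.queue` assignees are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    priority: int                    # 1 is evaluated first
    name: str
    matches: Callable[[dict], bool]  # stand-in for the asset filter conditions
    assignee: str

DEFAULT_ASSIGNEE = "secops.queue"    # hypothetical Default Assignee

def assign(asset: dict, rules: list[Rule]) -> tuple[str, str]:
    """Return (assignee, rule name) for the first rule whose filter matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(asset):
            return rule.assignee, rule.name
    return DEFAULT_ASSIGNEE, "default"

def shadowed_rules(assets: list[dict], rules: list[Rule]) -> set[str]:
    """Rules whose filter matches some asset but that never win an assignment."""
    could_match = {r.name for r in rules for a in assets if r.matches(a)}
    winners = {assign(a, rules)[1] for a in assets}
    return could_match - winners

# Constructed sample inventory (not real scan data).
ASSETS = [
    {"host": "web01", "os": "Linux", "type": "server"},
    {"host": "dc01", "os": "Windows", "type": "server"},
    {"host": "printer7", "os": "Embedded", "type": "printer"},
]

def is_server(a): return a["type"] == "server"
def is_linux(a): return a["os"] == "Linux"

# Broad rule at priority 1: the Linux rule can never win.
BROAD_FIRST = [Rule(1, "all-servers", is_server, "sysadmin"),
               Rule(2, "linux-servers", is_linux, "linuxadmin")]
# Narrow rule first: Linux tickets reach linuxadmin, other servers fall through.
NARROW_FIRST = [Rule(1, "linux-servers", is_linux, "linuxadmin"),
                Rule(2, "all-servers", is_server, "sysadmin")]

if __name__ == "__main__":
    for label, rules in (("broad first", BROAD_FIRST), ("narrow first", NARROW_FIRST)):
        for asset in ASSETS:
            print(label, asset["host"], "->", assign(asset, rules))
        print(label, "shadowed:", shadowed_rules(ASSETS, rules))
```

Running the shadow check against a sample of your own asset inventory before saving the rule order shows which rules would never assign a ticket.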

  24. With the step above we have finished “Manage Ticket Connection”. It is now time to “Create a Project”

The two figures below show the same screen, “Create Remediation Project”. Below we assign the Critical Vulnerabilities of an asset to linuxadmin, an InsightVM user that has access to Linux machines only.

In the figure above, when you select “Automated Ticketing” and choose a project connection, tickets for newly discovered vulnerabilities are created automatically on ServiceNow ITSM. When you first create this Remediation Project, the tickets are generated on ServiceNow ITSM after a while. It can take up to 1 hour at most to sync between InsightVM Remediation Projects and ServiceNow ITSM tickets.

  25. Now we have created our first Remediation Project, and the Projects page of InsightVM looks like this

  26. After the tickets are created, clicking on the first Remediation Project shows the following screen. As you can see below tickets are created with

After clicking one of the Remediation Solutions we see ticket number for ServiceNow ITSM

  27. When we click the ticket number above, we go to the ServiceNow instance

As you can see, the ticket is assigned according to our Assignee criteria. This ticket is created with the “In Progress” state.

  28. After that, the assigned ServiceNow user patches the related machine

And gives input to related ServiceNow ITSM ticket.

On ServiceNow you must choose the “Closed” state to actually close the ticket. If you select the “Resolved” state, you must then set it to “Closed” to actually close it on ServiceNow.

  29. After the ticket is closed on ServiceNow, it can take up to 30 minutes to sync between ServiceNow and InsightVM. When the ticket is closed on ServiceNow, it becomes, as we defined, “Awaiting Verification” in the InsightVM Remediation Project. The only way a ticket gets closed is after a new scan actually finds that the patch was applied. You can see this ticket state in the following screen

  30. After a scan of this asset, if the scan finds that the package is updated, the ticket gets closed. Before the ticket is closed, we can change its status to either “Open” or “Will Not Fix” in InsightVM

  31. After a successful scan the ticket status becomes “Closed”