ASM ServiceNow Integration

🚧

Special privileges required

This feature is only available to ASM administrators.

ServiceNow is an automated cloud workflow solution. Using the Attack Surface Management (ASM) integration, you can create enterprise workflow applications to track ASM Issues. This way, you can synchronize issue management between ServiceNow and ASM, reflecting status changes and remediation progress in both products.

This integration provides interaction with ServiceNow Vulnerability Response only. The integration collects Issues from ASM and maps them to the ServiceNow data model. This lets you work with Issues detected in ASM and follow your workflow using the ServiceNow interface.

ℹ️

This integration is bidirectional. Updates made in ServiceNow are seen in ASM just as updates made to Issues in ASM are visible in ServiceNow.

Integration configuration

Get and install the Mandiant Advantage Attack Surface Management Integration from the ServiceNow Store. Then, follow these steps in ServiceNow:

  1. Navigate to Security Operations > Integrations > Integration Configurations.

  2. Click Configure for the Mandiant Advantage Attack Surface Management integration.

  3. Enter the integration parameters:

    • API Base URL defaults to http://www.virustotal.com/api/v3/asm.

    • ASM Access Key and Secret Key are available in the API Keys section of ASM Account Settings.

    • (Optional) Select Include Potential Issues if you'd like to include unconfirmed Issues.

    • Enter a value to define the Minimum Severity of Issues to import:

      • 1 = Critical
      • 2 = High
      • 3 = Medium (suggested)
      • 4 = Low
      • 5 = Informational
    • Enter a numeric value for the Initial Lookback Days setting. The default is 90.

      ℹ️

      This setting only applies to the first run of the scheduled import job. Subsequent runs are performed on an incremental basis as defined in the Vulnerable Item Import page of ServiceNow.

    • Enter a string value representing the Project ID that you want to access.

      ℹ️

      To identify a project_id, run the following curl command:

      curl --location --request GET 'https://<ASM_API_HOST>/api/v1/projects' \
      --header 'INTRIGUE_ACCESS_KEY: {{intrigue_access_key}}' \
      --header 'INTRIGUE_SECRET_KEY: {{intrigue_secret_key}}'
      

      For more information, see Attack Surface Management API.

  4. Click Submit.

  5. Navigate to Mandiant ASM > Projects and Collections and select the Collections to be imported.

ℹ️

Collections must all be from the same Project.

  6. Ensure you are in the CMDB CI Class Models application. Search for sys_choice.list in the Search field. Add three new Choices as follows:

    1. Table: Allocated IP Address [cmdb_ci_allocated_ip_address]

      Element: discovery_source

      Label: VR-MandiantASM

      Value: VR-MandiantASM

    2. Table: Unique Certificate [cmdb_ci_certificate]

      Element: discovery_source

      Label: VR-MandiantASM

      Value: VR-MandiantASM
      
    3. Table: DNS Name [cmdb_ci_dns_name]

      Element: discovery_source

      Label: VR-MandiantASM

      Value: VR-MandiantASM

  7. Navigate to Mandiant ASM > Vulnerable Item Import and define the schedule you want to use. The default is six hours.
  8. Click Update. Alternatively, click Execute Now if you want to run the job immediately.

Vulnerable Items in ServiceNow

Once integrated, you can view Vulnerable Items in ServiceNow.

To display more details and perform actions on an item, select a Vulnerable Item from the list.

Troubleshooting Tips

To view application logs:

  • In ServiceNow, open a failed Project and Collections import.
  • Open the Notes tab.
  • Review the logs.

To force an import using the original Lookback Days setting:

  • In ServiceNow, search for the x_mandi_asm_mandiant_attack_surface_management_integration.list page.
  • To reset the job last run date and force an update, manually clear the Download Issues Since field.

The next time the job runs, the original Lookback Days setting is used as the start date.

ASM ServiceNow Field Mapping

| ASM Field | ServiceNow Table | ServiceNow Field |
| --- | --- | --- |
| confidence | Vulnerable Item Detection | Confirmed |
| summary/status_new | Vulnerable Item Detection | Source status |
| id | Vulnerable Item Detection | Vulnerable Item/external_id |
| details/proof | Vulnerable Item Detection | Proof |
| name | Vulnerable Item Detection | Solution/source_id |
| identifiers/name | Vulnerable Item Detection | Vulnerability |
| details/name | Vulnerable Item Detection | Vulnerability |
| summary/status | Vulnerable Item Detection | Status |
| first_seen | Vulnerable Item Detection | First found |
| details/remediation | Vulnerable Item Detection | Solution summary |
| last_seen | Vulnerable Item Detection | Last found |
| display_name | Mandiant ASM Projects and Collections Configuration | Display Name |
| project_name | Mandiant ASM Projects and Collections Configuration | Project Name |
| collection_id | Mandiant ASM Projects and Collections Configuration | Collection ID |
| collection_name | Mandiant ASM Projects and Collections Configuration | Collection Name |
| project_id | Mandiant ASM Projects and Collections Configuration | Project ID |
| details/remediation | National Vulnerability Database Entry | Solution |
| details/category | National Vulnerability Database Entry | Classification |
| identifiers/name | National Vulnerability Database Entry | ID |
| details/pretty_name | National Vulnerability Database Entry | Name |
| details/severity | National Vulnerability Database Entry | Source Severity |
| details/description | National Vulnerability Database Entry | Threat |
| details/severity | National Vulnerability Database Entry | Normalized Severity |
| details/added | National Vulnerability Database Entry | Date Published |
| details/pretty_name | National Vulnerability Database Entry | Summary |
| details/description | National Vulnerability Database Entry | Summary |
| details/vendor | Third Party Vulnerability Entry | Vendor |
| details/added | Third Party Vulnerability Entry | Date Published |
| details/pretty_name | Third Party Vulnerability Entry | Summary |
| details/description | Third Party Vulnerability Entry | Summary |
| name | Third Party Vulnerability Entry | Preferred Solution |
| details/name | Third Party Vulnerability Entry | ID |
| details/severity | Third Party Vulnerability Entry | Source Severity |
| details/remediation | Third Party Vulnerability Entry | Solution |
| details/severity | Third Party Vulnerability Entry | Normalized Severity |
| details/category | Third Party Vulnerability Entry | Category |
| details/description | Third Party Vulnerability Entry | Threat |
| category | Third Party Vulnerability Entry | Classification |
| details/description | Third Party Vulnerability Entry | Name |
| details/remediation | Vulnerability Solution | Description |
| name | Vulnerability Solution | Source ID |
| description | Vulnerable Item | Description |
| id | Vulnerable Item | External ID |
| status | Vulnerable Item | Status |
| summary/pretty_name | Vulnerable Item | Short Description |
| identifiers/name | Vulnerable Item | Vulnerability |
| details/name | Vulnerable Item | Vulnerability |
| summary/status | Vulnerable Item | State |
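
To preview how the Minimum Severity, Include Potential Issues and Initial Lookback Days settings interact with the Vulnerable Item rows of the mapping above, the following added example (not code from the integration or from ServiceNow) applies them to constructed records. Assumptions: the nested issue shape implied by the slash-separated field paths, the confidence values "confirmed" and "potential", integer severities, a lookback compared against last_seen, and a first-non-empty tie-break where two ASM fields map to one ServiceNow field.

```python
from datetime import datetime, timedelta, timezone

# ASM path -> ServiceNow Vulnerable Item field, in the order of the mapping table.
VULNERABLE_ITEM_MAP = [
    ("description", "Description"), ("id", "External ID"), ("status", "Status"),
    ("summary/pretty_name", "Short Description"), ("identifiers/name", "Vulnerability"),
    ("details/name", "Vulnerability"), ("summary/status", "State"),
]

def lookup(node, path):
    """Walk a slash-separated path; return None when a segment is missing."""
    for key in path.split("/"):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def selected(issue, now, min_severity=3, include_potential=False, lookback_days=90):
    """Assumed filter: 1 is most severe, so keep severity <= threshold; the
    lookback window is assumed to be compared against last_seen."""
    severity = lookup(issue, "details/severity")
    if severity is None or int(severity) > min_severity:
        return False
    if issue.get("confidence") != "confirmed" and not include_potential:
        return False
    return datetime.fromisoformat(issue["last_seen"]) >= now - timedelta(days=lookback_days)

def to_vulnerable_item(issue):
    """Assumed tie-break: the first non-empty ASM path wins for a shared field."""
    item = {}
    for path, field in VULNERABLE_ITEM_MAP:
        value = lookup(issue, path)
        if value not in (None, "") and field not in item:
            item[field] = value
    return item

def make_issue(issue_id, confidence, severity, last_seen):
    return {"id": issue_id, "confidence": confidence, "status": "open",
            "last_seen": last_seen + "T00:00:00+00:00", "description": "constructed",
            "summary": {"pretty_name": "Sample finding", "status": "open_new"},
            "details": {"name": "sample_check", "severity": severity}}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so results are reproducible
SAMPLE_ISSUES = [  # constructed records (assumed shape), not real ASM API output
    make_issue("a1", "confirmed", 2, "2024-05-20"),  # imported by default
    make_issue("a2", "potential", 1, "2024-05-20"),  # needs Include Potential Issues
    make_issue("a3", "confirmed", 4, "2024-05-20"),  # Low, below a Medium threshold
    make_issue("a4", "confirmed", 3, "2023-12-01"),  # older than 90 days
]

def preview(**settings):
    return [to_vulnerable_item(i) for i in SAMPLE_ISSUES if selected(i, NOW, **settings)]
```

With the defaults only a1 is selected; note that the Critical but unconfirmed a2 is skipped unless Include Potential Issues is enabled.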