ServiceNow Integration

Steps to Integrate

Step 1: Create a Trigger for ServiceNow

• Visit the Webhooks page in AIR,

• Click the "+ New Webhook" button in the upper right corner,

• Provide a self-explanatory name (examples: RDP Brute Force Trigger, Phishing Detected Trigger, etc.),

• Select "ServiceNow: Generic ServiceNOW Webhook Parser" as the parser for this webhook,

• Select an Acquisition Profile when ServiceNow activates this webhook,

• Select the Ignore option or leave with its default value (defaults to 24 hours for recurrent alerts for a single endpoint),

• Provide other settings such as Evidence Repository, CPU Limit, Compression & Encryption to use or let AIR configure them automatically based on the matching policy,

• Click the "Save" button,

• Hover your mouse over the link below the Webhook name and double-click to copy.

Step 2: Creating the Integration Settings in ServiceNow

• Open the Business Rules under the System Definitions and click New,

• Give your new Business Rule a descriptive name, choose the table you want it to trigger on, and check the Advanced box.

• Under the option: When, choose after. You can use various conditions and filtering functions accordingly.

• Click the Advanced Tab and paste the following script. Change the 5th line <insert webhook URL> with the webhook link you copied in Step 1.

• Copy

  (function executeRule(current, previous /*null when async*/) {
      try {
          var r = new sn_ws.RESTMessageV2();
  	// paste related webhook url below
          var airwebhookurl = "<insert webhook URL>";
          //defining the hostname of endpoint or ip
          var endpointIP = current.getValue("hostname");     
  
          r.setRequestHeader("Content-Type","application/json");
          r.setHttpMethod("post");
          r.setStringParameter("baseUrl",airwebhookurl);
  
          var obj = {
              "endpoint": endpointIP
          };
  		
          var body = JSON.stringify(obj);
          r.setRequestBody(body);
  
          var response = r.execute();
          var httpStatus = response.getStatusCode();
          if(httpStatus==200) {
              gs.info("Webhook target HTTP status response: " + httpStatus);
              return httpStatus;
          } else {
              gs.log(response.getErrorCode()+"---"+response.getErrorMessage());
              return httpStatus;
          }
  
      } catch (ex) {
          var message = ex.message;
  		gs.error("Error message: " + message);
      }
  
      gs.info("Webhook target HTTP status response: " + httpStatus);
  
  })(current, previous);

• Click Submit on the top right.

Step 3: Testing the business rule.

Once you have set up the webhook, you can test the business rule based on the triggering conditions. Check the response body for the data being sent from ServiceNow.