Rapid7 Inc.

01/17/2020 | News release | Distributed by Public on 01/17/2020 09:37

How to Get Started with the InsightVM Integration for ServiceNow CMDB

Rapid7 is excited to announce the release of a new ServiceNow Platform application for InsightVM with the ServiceNow CMDB. The application is a multi-featured offering available on the ServiceNow Store as an application for the ServiceNow Platform. Integrations provided by the application at release include:

  • InsightVM Asset Tagging: Create/update InsightVM tags and tagged assets based on ServiceNow CMDB CI (Configuration Item) data.
  • ServiceNow Asset Import: Import assets discovered by InsightVM into the ServiceNow CMDB, along with risk- and vulnerability-related metrics.
  • InsightVM Site Configuration: Create/update InsightVM sites and site scopes based on ServiceNow CMDB CI data.

One of the most exciting aspects of this application is how quickly you can get started with it. In addition, it is possible to implement each of the three integrations independently of one another. If you only want to implement Asset Tagging to begin with, the Site Configuration and Asset Import functionality will not be enabled. Before we go over installation and setup of the application, let's take a moment to dive into a few potential use cases.

Use cases

Asset inventory, configuration management, and vulnerability risk management go hand in hand, especially when considering the CIS Critical Security Controls, in which the first three controls pertain specifically to these organizational programs. The InsightVM Integration for ServiceNow CMDB was designed to improve your team's capability to address these controls.

Over the three posts in this series, we'll be walking through three use cases related to integrating asset, configuration, and vulnerability risk management program data. There are, of course, plenty of other ways in which to use the InsightVM Integration for ServiceNow CMDB; however, these three use cases should provide enough of a foundation to get your gears spinning on how you can best utilize this application within your organization. This first post will be related to improving InsightVM reporting and remediation capabilities based on ServiceNow CMDB data. Later in this series, we will discuss gaining visibility into known/unknown assets within the ServiceNow CMDB and performing targeted scanning to assist remediation teams with timely verification of their remediation efforts.

InsightVM Asset Tagging: Communicate risk to the right teams

In many organizations, remediation of vulnerabilities discovered by InsightVM is driven by asset and application ownership. Who is responsible for the asset or application where a vulnerability was discovered? There are often a multitude of teams within an organization, and ensuring the appropriate team is notified regarding discovered vulnerabilities is crucial to timely remediation.

The ServiceNow CMDB is commonly the source of truth for organizations, not only from an asset and application standpoint, but also from a business context perspective. Characteristics such as owner, location, and other key data points are stored in the ServiceNow CMDB, and there is usually a process defined for keeping this information current. With vulnerability data existing in InsightVM, but business context information existing in ServiceNow, it can be difficult to ensure that risk is being communicated to the appropriate teams. This can lead to a situation where the vulnerability risk management team is passing vulnerability and remediation details back and forth with teams until everyone has the details for the assets and applications for which they are responsible.

Perhaps this is still a very manual process for your organization, or, if a process does exist, it involves custom tooling that needs to be monitored and managed. In our walkthrough of the InsightVM Asset Tagging integration component of the InsightVM Integration for ServiceNow CMDB, we'll lay out an end-to-end workflow for adding business context into InsightVM by creating tags based on CMDB data and using those tags to drive targeted reporting and remediation using InsightVM's Reporting, Remediation Projects, and Goals and SLAs capabilities.

Initial setup

If you have yet to get the application installed and set up, check out our documentation for detailed instructions on how to get started.

The documentation includes details on getting the application installed, the Configuration Management for Scoped Apps CMDB (com.snc.cmdb.scoped) plugin for ServiceNow installed on your instance, creating the discovery source for the application, and setting up an InsightVM Connection in the application to allow each integration to communicate with your Security Console(s).

In order to use the application, you will need to be a ServiceNow admin, or have one of the roles provided by the application assigned to your user:

| Role | Description |
| --- | --- |
| x_r7_rapid7_cmdb_i.integration_admin | Access to all application modules |
| x_r7_rapid7_cmdb_i.asset_tagging_user | Access to all InsightVM Asset Tagging integration modules |
| x_r7_rapid7_cmdb_i.asset_import_user | Access to all ServiceNow Asset Import integration modules |
| x_r7_rapid7_cmdb_i | Access to all InsightVM Site Configuration integration modules |

InsightVM Asset Tagging Integration

Overview

The InsightVM Asset Tagging integration is a great way to add business context from your ServiceNow CMDB CI records to assets within InsightVM. Using Tag Name Maps, you can specify the CI fields from which tag names should be created. These tags can support any tag-related workflow that your team may already have developed for your vulnerability risk management program, and can be used in a multitude of other ways.

For our walkthrough of this integration, we'll use the data in the ServiceNow CMDB to create tags that can be used for scoping Remediation Projects in conjunction with the ServiceNow ITSM integration provided by InsightVM to create scoped ServiceNow Incidents.

Let's get started.

Walkthrough

From the Rapid7 InsightVM Integration for CMDB menu in ServiceNow, you'll find three submodules specific to the InsightVM Asset Tagging integration:

  1. Jobs
  2. Tag Name Maps
  3. Run Statistics

Jobs are the main configuration interface, providing the capability to configure the schedule on which the integration will run, job level configuration including the prefix for tags created and managed by the integration, and the scope of InsightVM assets to which tags should be added. We'll dive into each of these a bit later.

Tag Name Maps provide the capability to define configuration for tags which should be created. This includes the table and field from which ServiceNow CI data will be gathered to determine the tag names to be created/updated, as well as the assets to which the tags should be associated. In addition, the fields which should be used to correlate InsightVM assets with ServiceNow CIs can be configured.

Run Statistics provide high-level statistics for each integration run, including the following statistics:

  • Tags Created
  • Tags Updated
  • Tags Deleted
  • Total Assets Tagged
  • Unmatched Assets (those for which no matching CIs were identified)

Throughout this walkthrough, we'll cover each of these in-depth, including creation of the job configuration, running the job, reviewing job logs and statistics, and reviewing the results. We'll also cover our use case for the tags, creating scoped InsightVM Remediation Projects.

Creating a new job configuration

The first step in getting started with the InsightVM Asset Tagging integration is to create an integration job. As stated previously, this is what allows for the job to be scheduled and for configuration of tags to be created/updated by the job. We'll begin by navigating to the Rapid7 InsightVM Integration for CMDB -> InsightVM Asset Tagging -> Jobs module and clicking New to create a new job configuration. From here, let's look at an example of the completed form.

Let's review each of the fields/sections in the above images:

| Field | Description |
| --- | --- |
| Name | A user-friendly name for the configuration |
| InsightVM Connection | Details for the InsightVM Security Console on which tags will be created/updated by the integration |
| Tag Name Prefix | A prefix to add to all tags managed by the integration. This is required to help prevent the integration from modifying tags which it did not create |
| Tag Name Maps | Provide the actual configuration for tags that will be created and managed. These can be shared across multiple configurations if you have multiple InsightVM Security Consoles or need separate configurations for a different reason. |
| Delete Empty Tags | Provides cleanup capability for tags that no longer have associated assets |
| InsightVM Scope | Allows for limiting the scope of assets for which CI lookups are performed based on asset group, site, and tag name regular expression patterns |
| Schedule | Provides scheduling configuration for the job allowing for it to be run on a specified interval |

The application includes the four Tag Name Maps in the first form image to help with getting started with the application. We'll use these in our example for this post, so if you're following along, go ahead and add these to your job configuration and save it. Before we execute the job, we'll walk through Tag Name Maps in more detail.

Tag Name Maps

As we saw in the prior form images, Tag Name Maps are added to the main integration job configuration to define the tags created and managed by the integration. The names of these maps are dynamically generated based on the values selected for the map. The format is as follows: [CMDB table].[CMDB CI Field]:[tag type]. By going to the Rapid7 InsightVM Integration for CMDB -> InsightVM Asset Tagging -> Tag Name Maps module, a new map can be configured to better illustrate this.

After navigating to this module, click on New to create a new map. The form will look similar to the following image:

Details for each of the form fields above are as follows:

| Field | Description |
| --- | --- |
| Table and Filter | Allow for specifying the cmdb_ci table on which lookups will be performed for the tag and an optional filter for those records |
| Field | The CI field from which data for the tag will be gathered for each matching CI. The value in this field is used for the tag name |
| Type | The type for the created/managed tag |
| Lookup Fields and associated options | The list of fields used to match InsightVM assets to ServiceNow CMDB CIs |

Feel free to add your own Tag Name Maps to suit your organization's workflows. For our walkthrough, we'll use the ones provided.

Now that we've covered our bases with configuring InsightVM Asset Tagging integration job configurations, we can run the job.

Running a job

Jobs can be run on the defined schedule in the job configuration or on demand by going to the job record and clicking the Execute Now button. The Active column value for a job record is a link to view the record details, so you can edit or execute the job by clicking on the link.

There are two things to note when running this integration:

  1. CI matches will need to be found for the InsightVM assets in scope. If there are no matches, no tags will be created. The count of unmatched assets is logged in the Run Statistics module for easy identification. There may be some unmatched assets during normal runs; however, high counts may be indicative of issues related to the configuration of Tag Name Maps, so keep that in mind while validating the configuration for an InsightVM Asset Tagging job.
  2. If the CIs do not have data in the columns specified in the Tag Name Maps, no tags will be created.
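
The matching, prefix, and cleanup behavior described above, as a small Python model added here for illustration (it is not code from Rapid7 or the application). The lookup on IP address, the table and field names, the sample records, and the existing console tags are all constructed assumptions.

```python
# Conceptual model, not the application's code; all field names and records are constructed.
from collections import defaultdict

# Tag Name Maps as (CMDB table, CI field, tag type); displayed as [table].[field]:[type]
MAPS = [("cmdb_ci_linux_server", "location.name", "location"),
        ("cmdb_ci_linux_server", "owned_by.name", "owner")]

CIS = [  # constructed CMDB CIs
    {"table": "cmdb_ci_linux_server", "ip_address": "10.0.0.5",
     "location.name": "Texas", "owned_by.name": "Tyler Schmidtke"},
    {"table": "cmdb_ci_linux_server", "ip_address": "10.0.0.6",
     "location.name": "Illinois", "owned_by.name": ""},  # empty owner: no owner tag
]
ASSETS = [{"id": 1, "ip": "10.0.0.5"}, {"id": 2, "ip": "10.0.0.6"},
          {"id": 3, "ip": "10.0.0.99"}]  # asset 3 has no matching CI
EXISTING = {("sn_Texas", "location"): {1, 3}, ("sn_Michigan", "location"): {2},
            ("Very High", "criticality"): {1}}  # constructed console state

def map_name(table, field, tag_type):
    return f"{table}.{field}:{tag_type}"

def plan_tags(assets, cis, maps, prefix, lookup="ip_address"):
    """Correlate assets to CIs and derive the prefixed tags each asset should carry."""
    if not prefix:
        raise ValueError("a tag name prefix is required")
    by_key = {ci[lookup]: ci for ci in cis if ci.get(lookup)}
    planned, unmatched = defaultdict(set), []
    for asset in assets:
        ci = by_key.get(asset["ip"])
        if ci is None:  # counted as an Unmatched Asset, never tagged
            unmatched.append(asset["id"])
            continue
        for table, field, tag_type in maps:
            value = (ci.get(field) or "").strip()
            if ci["table"] == table and value:  # empty CI field: no tag
                planned[(prefix + value, tag_type)].add(asset["id"])
    return dict(planned), unmatched

def reconcile(existing, planned, prefix, delete_empty=True):
    """Diff planned tags against the console; only prefixed tags may be changed."""
    stats = {"created": [], "updated": [], "deleted": []}
    for key, ids in planned.items():
        if key not in existing:
            stats["created"].append(key[0])
        elif existing[key] != ids:
            stats["updated"].append(key[0])
    for name, tag_type in existing:  # a prefixed tag left with no assets is empty
        if delete_empty and name.startswith(prefix) and (name, tag_type) not in planned:
            stats["deleted"].append(name)
    return stats
```

In this model the unprefixed "Very High" tag is never a candidate for change, which is the reason the prefix is mandatory, and a rising unmatched list points at the lookup fields rather than at the tags.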

Reviewing results

Demo Data

In the environment for this walkthrough, the following CIs were present:

The InsightVM Security Console had the following assets:

Prior to running the integration, all other tags were deleted from the console so that only the built-in criticality tags existed:

Run Results

The results from the run are as follows:

List of created tags:

Reviewing the tags, you'll find multiple that were created with the 'sn_' prefix:

| Tag | Details |
| --- | --- |
| sn_Linux Server | Created from the Class field |
| sn_Illinois, sn_Michigan, sn_Texas | Created from the Location.name field |
| sn_Tyler Schmidtke | Created from the Owned By.name field |

Example tagged asset:

InsightVM Asset Tagging integration Run Statistics:

Reviewing Logs

Before we get started, it's important to note that one of the following built-in ServiceNow user roles is required to view the Logs module in the application, as log details are written to the ServiceNow System Log:

  • admin
  • workflow_admin

With the correct permissions, the Logs module is available within the Rapid7 InsightVM Integration for CMDB -> Diagnostics -> Logs menu to provide additional details related to job executions. The InsightVM Asset Tagging integration provides quite a few details in the logs to assist with configuration validation and troubleshooting. Some of these include the following:

  • Integration start
  • InsightVM report generation and download process
  • Tag create/update/delete operations
  • Integration end

In addition to normal operation logging, errors and warnings are also logged. Errors and warnings are not expected during normal operation, so if there are messages of this level in the log, there could potentially be an issue with the configuration or connectivity to the InsightVM Security Console. The documentation for the integration provides more details on troubleshooting possible errors.

An example of the logs provided by the integration is as follows:

Creating a scoped remediation project

Now that some tag associations have been created by the integration, we can use these tags for scoping InsightVM Remediation Projects and even integrate it with the ServiceNow ITSM integration provided by Remediation Projects. We'll begin by logging into our security console and going to the Projects tab in the left menu. From the Projects interface, a new project can be created using one of our new tags:

Additionally, if there is a ServiceNow Ticketing connection configured (documentation), the project can be configured to generate ServiceNow incidents based on this tag; and we can ensure that the incident is assigned to the proper owner by scoping it with the new owner tag:

In conclusion

Now that you have a good foundation for getting started with the new Rapid7 InsightVM Integration for ServiceNow CMDB, it's time to get the application installed so it can assist in your vulnerability risk management program. Stay tuned for parts two and three in this series, in which we'll walk through use cases for the ServiceNow Asset Import and InsightVM Site Configuration functionality provided by this application.