Fixes to ServiceNow Incidents
Workflow #0053
This workflow fetches all Kenna vulnerabilities for a given asset group and creates a ServiceNow ticket for each unique asset with vulnerabilities and fixes available.
Note: By default, this workflow is configured to create a maximum of 100 ServiceNow incident tickets per execution. You can change this using the `Ticket Limit` local variable.
Change Log
Date | Notes |
---|---|
Dec 16, 2021 | - Initial release |
Jan 24, 2022 | - Updated to end successfully if the ticket limit is reached, as opposed to ending and failing |
Feb 10, 2022 | - Updated the default values for the ServiceNow User ID and Ticket Limit local variables |
Mar 10, 2022 | - Updated to support the external_identifier that’s now required by the Kenna API |
Sep 7, 2022 | - Minor updates to naming and descriptions |
See the Important Notes page for more information about updating workflows
Requirements
- The following system atomics are used by this workflow:
  - None
- The following atomic actions must be imported before you can import this workflow:
  - ServiceNow - Create Incident (CiscoSecurity_Atomics)
- The targets and account keys listed at the bottom of the page:
  - Kenna Security
  - ServiceNow
Workflow Steps
- Make sure the required inputs were provided
- Fetch global variables
- Get a list of assets for the risk meter group and read them to a table
- Check if assets were found:
  - If not, end the workflow
  - If so, loop through each asset:
    - If the ticket limit has been reached, end the workflow
    - Get fixes for the asset
    - Get vulnerabilities for the asset (where a fix is available, a due date is set, and there’s no ServiceNow ticket association)
    - Parse vulnerabilities and fixes into text for ServiceNow
    - Create a ServiceNow incident
    - Update the vulnerabilities in Kenna with the ServiceNow ticket
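The selection and ticket-limit logic in the steps above, sketched as an added example that is not part of the workflow itself. It makes no API calls; the record field names and sample data are constructed for illustration, and it assumes the Risk Score Threshold is compared against each asset's risk score.

```python
# Constructed sample data; field names are illustrative, not the Kenna API schema.
ASSETS = [
    {"id": 1, "hostname": "web-01", "risk_score": 820},
    {"id": 2, "hostname": "db-01", "risk_score": 300},    # below threshold
    {"id": 3, "hostname": "app-01", "risk_score": 900},   # only vuln is already ticketed
    {"id": 1, "hostname": "web-01", "risk_score": 820},   # duplicate asset
    {"id": 4, "hostname": "mail-01", "risk_score": 700},
]
VULNS = {
    1: [{"id": 11, "name": "VULN-A", "fix": "Upgrade package A", "due": "2022-10-01", "ticket": None},
        {"id": 12, "name": "VULN-B", "fix": None, "due": "2022-09-15", "ticket": None}],
    2: [{"id": 21, "name": "VULN-C", "fix": "Apply patch C", "due": "2022-09-30", "ticket": None}],
    3: [{"id": 31, "name": "VULN-D", "fix": "Apply patch D", "due": "2022-09-12", "ticket": "INC-EXAMPLE"}],
    4: [{"id": 41, "name": "VULN-E", "fix": "Apply patch E", "due": "2022-09-20", "ticket": None},
        {"id": 42, "name": "VULN-F", "fix": "Apply patch F", "due": "2022-09-10", "ticket": None}],
}

def eligible(vuln):
    """Fix available, due date set, and no ServiceNow ticket associated yet."""
    return bool(vuln["fix"]) and bool(vuln["due"]) and not vuln["ticket"]

def plan_incidents(assets, vulns_by_asset, risk_threshold, ticket_limit):
    """Return (incidents, limit_reached) for one execution; makes no API calls."""
    incidents, seen = [], set()
    for asset in assets:
        if len(incidents) >= ticket_limit:
            return incidents, True        # limit reached: stop cleanly, not as a failure
        if asset["id"] in seen or asset["risk_score"] < risk_threshold:
            continue                      # one ticket per unique asset; skip low scores
        seen.add(asset["id"])
        vulns = sorted(filter(eligible, vulns_by_asset.get(asset["id"], [])),
                       key=lambda v: v["due"])
        if not vulns:
            continue
        incidents.append({
            "asset_id": asset["id"],
            "short_description": f"{len(vulns)} fixable vulnerabilities on {asset['hostname']}",
            "description": "\n".join(f"{v['name']} (due {v['due']}): {v['fix']}" for v in vulns),
            "vuln_ids": [v["id"] for v in vulns],   # records to update with the ticket
        })
    return incidents, False

if __name__ == "__main__":
    for inc in plan_incidents(ASSETS, VULNS, risk_threshold=500, ticket_limit=100)[0]:
        print(inc["short_description"], inc["vuln_ids"])
```

Because the limit is checked at the top of each loop iteration, an execution that creates exactly `ticket_limit` tickets on its final asset finishes normally without reporting the limit as reached.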
Configuration
- Add your Kenna API token to the `API Token` local variable (or, if you have an API key in a global variable already, set the local variable to the global’s value using the `Fetch Global Variables` group at the beginning of the workflow)
- Set the `Kenna Instance URL` local variable to the URL of your Kenna instance (for example: `customer.kennasecurity.com`)
- Set the `Risk Meter Group ID` local variable to the ID of the risk meter group you want the workflow to process. You can get this by viewing the group in your Kenna console and looking at the page URL. The group ID should be after `search_id=`. For example, in this URL the group ID is 123456: `/explore?search_id=123456&name=...`.
- Set the `Risk Score Threshold` local variable to the minimum risk score you want the workflow to process. Anything with a risk score less than this value will be ignored
- Set the `ServiceNow User ID` local variable to the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
- (Optional) Update the `Ticket Limit` local variable with the maximum number of ServiceNow tickets you want the workflow to create per execution
- By default, this workflow will not run automatically. Click here to learn about scheduling it to run on its own
Targets
Target Group: Default TargetGroup
Target Name | Type | Details | Account Keys | Notes |
---|---|---|---|---|
Kenna_Target | HTTP Endpoint | Protocol: HTTPS Host: api.kennasecurity.com Path: None | None | |
ServiceNow | HTTP Endpoint | Protocol: HTTPS Host: <instance>.service-now.com Path: /api | ServiceNow_Credentials | Be sure to use your instance URL |
Account Keys
Account Key Name | Type | Details | Notes |
---|---|---|---|
ServiceNow_Credentials | HTTP Basic Authentication | Username: ServiceNow User ID Password: ServiceNow Password | |