
CVE Hunt to ServiceNow Incident

Workflow #0009

This workflow uses Orbital to look for endpoints that are vulnerable to a given CVE. For demonstration purposes we use CVE-2020-0796, which has been added to Orbital as a catalog query. After the Orbital query is executed, we open a ServiceNow incident with the results.



Requirements


Workflow Steps

  1. Get an API token for Orbital
  2. Execute a catalog query for all endpoints using Orbital
  3. Fetch the results of the Orbital query
  4. Iterate through each result and build a table of vulnerable/not-vulnerable endpoints
  5. Assemble the text for the ServiceNow incident
  6. Create the ServiceNow incident ticket
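The result-handling steps above (iterate through the Orbital results, build the vulnerable/not-vulnerable table, assemble the incident text, and create the ServiceNow ticket) in plain Python, as an added example that is not the workflow's own code. The Orbital result objects below are constructed for illustration and their field names (`node`, `hostname`, `vulnerable`, `detail`) are an assumed layout, not Orbital's documented result schema; the ServiceNow call assumes the Table API path `/api/now/table/incident` under the page's `/api` target, and the token call assumes the standard client-credentials grant under the page's `/iroh` target.

```python
from __future__ import annotations

import base64
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed stand-in for what step 3 (fetch the Orbital results) returns:
# one object per endpoint. The field layout is assumed for this example.
SAMPLE_RESULTS = [
    {"node": {"id": "n-001", "hostname": "ws-finance-01"}, "vulnerable": True,
     "detail": "SMBv3 compression enabled, fix not applied"},
    {"node": {"id": "n-002", "hostname": "ws-hr-07"}, "vulnerable": False,
     "detail": "fix applied"},
    {"node": {"id": "n-003", "hostname": "srv-file-02"}, "vulnerable": False,
     "detail": "SMBv3 compression disabled"},
]


@dataclass(frozen=True)
class EndpointStatus:
    hostname: str
    vulnerable: bool
    detail: str


# --- Step 1: get an API token for Orbital (assumed client-credentials grant) --
def get_orbital_token(client_id: str, client_secret: str) -> str:
    """POST to https://visibility.amp.cisco.com/iroh/oauth2/token with the
    Orbital_Credentials account key as HTTP Basic auth. Needs network access;
    not exercised by the offline test."""
    url = "https://visibility.amp.cisco.com/iroh/oauth2/token"
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


# --- Step 4: iterate through each result and build the table -----------------
def classify_results(results: Iterable[dict]) -> List[EndpointStatus]:
    """Normalise raw per-endpoint results into EndpointStatus rows. Unknown or
    missing 'vulnerable' values are treated as not vulnerable, so a malformed
    row never silently inflates the vulnerable count."""
    table = []
    for item in results:
        node = item.get("node") or {}
        table.append(EndpointStatus(
            hostname=node.get("hostname") or node.get("id") or "<unknown>",
            vulnerable=item.get("vulnerable") is True,
            detail=str(item.get("detail", "")),
        ))
    return table


# --- Step 5: assemble the text for the ServiceNow incident -------------------
def build_incident_text(cve: str, table: List[EndpointStatus]) -> Tuple[str, str]:
    """Return (short_description, description) for the incident ticket."""
    vulnerable = [e for e in table if e.vulnerable]
    safe = [e for e in table if not e.vulnerable]
    short = f"Orbital {cve} hunt: {len(vulnerable)} of {len(table)} endpoints vulnerable"
    lines = [f"Orbital catalog query results for {cve}", ""]
    lines.append(f"Vulnerable ({len(vulnerable)}):")
    lines += [f"  - {e.hostname}: {e.detail}" for e in vulnerable] or ["  (none)"]
    lines.append("")
    lines.append(f"Not vulnerable ({len(safe)}):")
    lines += [f"  - {e.hostname}: {e.detail}" for e in safe] or ["  (none)"]
    return short, "\n".join(lines)


# --- Step 6: create the ServiceNow incident ticket (assumed Table API) -------
def create_incident(instance_host: str, user: str, password: str,
                    caller_id: str, short: str, description: str) -> str:
    """POST the incident to https://<instance>.service-now.com/api/now/table/incident
    using the ServiceNow_Credentials account key; caller_id is the ServiceNow
    User ID local variable from the Configuration section. Returns the incident
    number. Needs network access; not exercised by the offline test."""
    url = f"https://{instance_host}/api/now/table/incident"
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = json.dumps({"short_description": short, "description": description,
                       "caller_id": caller_id}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]["number"]


if __name__ == "__main__":
    rows = classify_results(SAMPLE_RESULTS)
    title, text = build_incident_text("CVE-2020-0796", rows)
    print(title)
    print(text)
```

Only `classify_results` and `build_incident_text` run offline; the two HTTP helpers show where the page's targets and account keys plug in and would be wired to the Orbital query/results calls (steps 2 and 3) in a live run.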

Configuration

  • If you want the workflow to run on a schedule, you need to create a schedule and then add it as a trigger within the workflow
  • Update the ServiceNow User ID local variable with the username you want incidents opened as. This can either match the username in your ServiceNow Account Key or, if the account has the appropriate permissions, can be a different user
  • Update the ServiceNow - Create Incident activity towards the end of the workflow with any changes to the ticket properties you want

Targets

Target Group: Default TargetGroup

  • Orbital_For_Access_Token
    Type: HTTP Endpoint
    Details: Protocol: HTTPS; Host: visibility.amp.cisco.com; Path: /iroh
    Account Keys: Orbital_Credentials
    Notes: Created by default

  • Orbital_Target
    Type: HTTP Endpoint
    Details: Protocol: HTTPS; Host: orbital.amp.cisco.com; Path: /v0
    Account Keys: None
    Notes: Created by default

  • ServiceNow
    Type: HTTP Endpoint
    Details: Protocol: HTTPS; Host: <instance>.service-now.com; Path: /api
    Account Keys: ServiceNow_Credentials
    Notes: Be sure to use your instance URL

Account Keys

  • Orbital_Credentials
    Type: HTTP Basic Authentication
    Details: Username: Client ID; Password: Client Secret
    Notes: Created by default

  • ServiceNow_Credentials
    Type: HTTP Basic Authentication
    Details: Username: ServiceNow User ID; Password: ServiceNow Password
    Notes: None