Articles in this section

See more

ServiceNow

You can configure Lacework to forward alerts to ServiceNow using the ServiceNow REST API. Lacework requires a ServiceNow user name with either a web_service_admin, rest_api_explorer, or admin role.

For management and security purposes, Lacework recommends creating a dedicated Lacework-ServiceNow user. For more information, refer to ServiceNow documentation: REST API Reference.

After you create a ServiceNow user and password, return to the Lacework Console and complete the following steps:

  1. Log in to the Lacework Console with a Lacework user that has administrative privileges.
  2. Navigate to Settings > Alert Channels.
  3. Click + Create New.
  4. In the Channel Type drop-down, select ServiceNow and click Next
  5. In the Name field, enter a name for the channel and click Next
  6. From the Group Issues by drop-down, select one of the options:
    1. Events—Select this option if you want a single ServiceNow incident to be created when events of the same type but from different resources are detected by Lacework. For example, if three different S3 resources are generating the same event, only one ServiceNow incident is created.
    2. Resources—Select this option if you want multiple ServiceNow incident to be created when multiple resources are generating the same event. For example, if three different S3 resources are generating the same event, the ServiceNow incidents are created.
  7. In the User Name field, enter your ServiceNow user name.
  8. In the Password field, enter the password for the specified user name.
  9. In the Instance URL field, enter your ServiceNow instance URL.
  10. Optional—In the Custom Template File field, click Choose File to select a custom template file to populate values from a custom template JSON file. For more information, see the next section.
  11. Click Save.

You should now start to receive Lacework alerts in the ServiceNow security incident response system.

Populate Values in New ServiceNow Incidents from a Custom Template

If you want the ServiceNow alert channel to populate fields in the new ServiceNow incidents with values from a custom template JSON file, you must create a custom template JSON file with the populated values and then specify that file when creating the ServiceNow alert channel in the Lacework Console. For example, if you want the new ServiceNow incidents created by the Lacework ServiceNow alert channel to preface the description with a string and set approval to Approved, specify the following in your custom template JSON file. (For the description property, the value specified in the custom template JSON is prepended to the value provided by the ServiceNow alert channel.)

{
  "description" : "Generated by Lacework:",
  "approval" : "Approved"
}

When creating the ServiceNow alert channel in the Lacework Console, you must also select the custom template file from the Custom Template File field.

For the field properties to specify in the JSON file, see the properties listed in the response of the POST /now/table/{tableName} ServiceNow REST API documentation. Do not set the properties that start with the sys_ string.