You can configure Lacework to forward alerts to ServiceNow using the ServiceNow REST API. Lacework requires a ServiceNow user name with either a web_service_admin, rest_api_explorer, or admin role.
For management and security purposes, Lacework recommends creating a dedicated Lacework-ServiceNow user. For more information, refer to ServiceNow documentation: REST API Reference.
After you create a ServiceNow user and password, return to the Lacework Console and complete the following steps:
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Navigate to Settings > Alert Routing > Alert Channels.
- Click + Create New.
- In the Channel Type drop-down, select ServiceNow and click Next.
- In the Name field, enter a name for the channel and click Next.
- From the Group Issues by drop-down, select one of the options:
  - Events—Select this option if you want a single ServiceNow incident to be created when compliance events of the same type but from different resources are detected by Lacework. For example, if three different S3 resources are generating the same compliance event, only one ServiceNow incident is created.
  - Resources—Select this option if you want multiple ServiceNow incidents to be created when multiple resources are generating the same compliance event. For example, if three different S3 resources are generating the same compliance event, three ServiceNow incidents are created.
- In the User Name field, enter your ServiceNow user name.
- In the Password field, enter the password for the specified user name.
- In the Instance URL field, enter your ServiceNow instance URL.
- Optional—In the Custom Template File field, click Choose File to select a custom template file to populate values from a custom template JSON file. For more information, see the next section.
- Click Save.
- Click Alert Rules and configure your required alert routing details/options by leveraging the alert channel you created.
You should now start to receive Lacework alerts in the ServiceNow security incident response system.
Populate Values in New ServiceNow Incidents from a Custom Template
If you want the ServiceNow alert channel to populate fields in the new ServiceNow incidents with values from a custom template JSON file, you must create a custom template JSON file with the populated values and then specify that file when creating the ServiceNow alert channel in the Lacework Console. For example, if you want the new ServiceNow incidents created by the Lacework ServiceNow alert channel to preface the description with a string and set approval to Approved, specify the following in your custom template JSON file. (For the description property, the value specified in the custom template JSON is prepended to the value provided by the ServiceNow alert channel.)
    {
      "description": "Generated by Lacework:",
      "approval": "Approved"
    }
When creating the ServiceNow alert channel in the Lacework Console, you must also select the custom template file from the Custom Template File field.
For the field properties to specify in the JSON file, see the properties listed in the response of the POST /now/table/{tableName} ServiceNow REST API documentation. Do not set the properties that start with the sys_ string.
Create a Lacework ServiceNow Alert Channel Using Terraform
For organizations using Terraform to manage their environments, Lacework maintains the Terraform Provider for Lacework, which enables configuration of Lacework Alert Channels using automation.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read through the Terraform for Lacework Overview to learn the basics on how to configure the provider, and more.
For a complete list of custom Terraform resources to manage alert channels in Lacework, see Managing Alert Channels with Terraform.
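    # Configure Service Now Alert Channel in Lacework
    # The values below are placeholders; replace them with your instance URL
    # and the credentials of the dedicated Lacework-ServiceNow user.
    resource "lacework_alert_channel_service_now" "example" {
      name         = "Service Now Channel Alert Example"
      instance_url = "snow-lacework.com"
      username     = "snow-user"
      password     = "snow-pass"
    }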
Additional information on the lacework_alert_channel_service_now resource can be found on the Terraform Registry.
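The same resource with the ServiceNow credentials passed in as input variables instead of literals in the configuration file, as an added example that is not from the Lacework documentation. The variable names are assumptions; the resource arguments are only those shown in the snippet above.

```hcl
# Added example: the variable names are hypothetical. The resource arguments
# (name, instance_url, username, password) are the ones shown on this page.

variable "servicenow_instance_url" {
  description = "ServiceNow instance URL used by the Lacework alert channel"
  type        = string
}

variable "servicenow_username" {
  description = "Dedicated Lacework-ServiceNow integration user"
  type        = string
}

variable "servicenow_password" {
  description = "Password for the dedicated integration user"
  type        = string
  sensitive   = true # value is redacted in plan and apply output

  validation {
    condition     = length(var.servicenow_password) > 0
    error_message = "The ServiceNow password must not be empty."
  }
}

resource "lacework_alert_channel_service_now" "example" {
  name         = "Service Now Channel Alert Example"
  instance_url = var.servicenow_instance_url
  username     = var.servicenow_username
  password     = var.servicenow_password
}
```

Supply the password at run time, for example through the TF_VAR_servicenow_password environment variable, rather than a committed .tfvars file. The value is still written to Terraform state, so keep state in an encrypted, access-controlled backend.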