Integrating with IT workflows in ServiceNow

When you integrate Integrity Monitor with IT workflows in ServiceNow Change Management, Integrity Monitor can automatically label events based on change requests or change tasks in ServiceNow. You can then determine which events are authorized and filter out events within authorized change windows.

You can also automatically create incidents in ServiceNow Incident Management for unexpected events by using inbound email actions in ServiceNow and an email destination in Connect. For more information, see Create incidents for unlabeled events in ServiceNow Incident Management.

You can configure Integrity Monitor to synchronize change requests, change tasks, or both. The change requests or change tasks determine the authorized change windows for specific Tanium endpoints (which are synchronized with ServiceNow configuration items). For events that occur on endpoints that are mapped to those configuration items during an authorized change window, Integrity Monitor automatically applies the ServiceNow label and records the ID of the change request or change task from ServiceNow.

Before you begin

Requirements

ServiceNow permissions required for least-privilege access

Tanium Client Management must have the following access for integration with ServiceNow. For specific configuration in ServiceNow, work with your ServiceNow administrator, and consult the ServiceNow Documentation.

| Access control type | Operation | Name |
| --- | --- | --- |
| REST_Endpoint | execute | /api/now/cmdb/meta ¹ |
| record | read | change_request.end_date |
| record | read | change_request.number |
| record | read | change_request.start_date |
| record | read | change_request.state |
| record | read | change_request.sys_id |
| record | read | change_task.change_request |
| record | read | change_task.planned_end_date |
| record | read | change_task.planned_start_date |
| record | read | change_task.number |
| record | read | change_task.state |
| record | read | change_task.sys_id |
| record | read | cmdb_ci_hardware.sys_id |
| record | read | sys_choice.element |
| record | read | sys_choice.label |
| record | read | sys_choice.value |
| record | read | task_ci.ci_item |
| record | read | task_ci.task |

¹ Access to the CMDB Meta API typically requires the ITIL role, but you can explicitly grant it to another role for the purpose of Integrity Monitor access.

Configure the integration with ServiceNow

Specify the connection information

  1. From the Integrity Monitor Overview page, click Settings, and then click the Integrations tab.
  2. Click Create Integration.
  3. In the Summary section, enter a Name for the integration.
  4. In the Destination section, enter the Host URL of your ServiceNow instance.
  5. Enter the User Name and Password for a ServiceNow account that has read privileges to query Change Management and CMDB data. To create a ServiceNow user with the minimum privileges necessary, see ServiceNow permissions required for least-privilege access.
  6. Click Establish Connection.

Configure ServiceNow mappings

Integrity Monitor uses the statuses of Open, Closed, and Canceled to manage authorized change windows. You must map these statuses to the states used in your ServiceNow change requests and change tasks. You must also map the attributes that identify an endpoint in ServiceNow to the appropriate Integrity Monitor sensors.

  1. For Create rules from, select Change Requests and Tasks, Change Requests, or Change Tasks. This setting determines whether authorized change windows are determined by ServiceNow change requests, change tasks, or both.
  2. If you are mapping change requests, in the Change Requests section select the appropriate ServiceNow states for Open States, Closed States, and Canceled States. If you use the default change request states in ServiceNow, you can leave the default mapping in place.

    You must have at least one ServiceNow state selected for each Integrity Monitor status.

  3. If you are mapping change tasks, in the Change Tasks section select the appropriate ServiceNow states for Open States, Closed States, and Canceled States. Select the ServiceNow Task Type to use to define authorized change windows.

    You must have at least one ServiceNow state selected for each Integrity Monitor status, and you must select at least one Task Type.

  4. In the Endpoints section, select each Tanium Sensor to identify endpoints, and select the corresponding ServiceNow Attribute for each sensor. By default, the Computer Name and Computer Serial Number sensors are mapped to the Name and Serial Number ServiceNow attributes.

    To add more attribute mappings to help identify endpoints, click Add Mapping. To remove an attribute mapping, click Remove Mapping.

Configure the schedules to synchronize data with ServiceNow

To enable the integration, you must enable and configure schedules to synchronize change data from ServiceNow.

  1. In the Schedule section, select Sync this mapping on a defined schedule.
  2. Configure the ServiceNow Sync schedule, which determines when the Tanium Server synchronizes change windows from ServiceNow, maps configuration items from ServiceNow to Tanium endpoints, and generates rules.
  3. Configure the Tanium Endpoint Sync Schedule, which determines when the Tanium Server gathers identification data from endpoints. For best results, this synchronization should be more frequent than the ServiceNow synchronization. The data is synchronized with ServiceNow during the following ServiceNow synchronization.
  4. Configure the remaining advanced settings as necessary.

    | Setting | Description |
    | --- | --- |
    | Request Timeout | The time in seconds that Integrity Monitor waits for a response from ServiceNow. Valid values range from 30 to 180 seconds. |
    | Batch Size | The number of records to request from ServiceNow at one time. Valid values range from 500 to 10000 records. |
    | Look Back Days / Look Ahead Days | The number of days into the past and future for which Integrity Monitor should synchronize change requests or change tasks. Valid values range from 1 to 14 days. |
    | Concurrent Requests | The number of concurrent requests to submit to ServiceNow. A lower value might lessen the performance impact on your ServiceNow instance. Valid values range from 1 to 8 requests. |
    | Distribute Rules Over | The number of minutes over which the Tanium server should distribute the automatically generated rules that apply the ServiceNow label. The distribution is randomized over the specified duration to avoid spikes in network or other resource utilization. Valid values range from 5 to 30 minutes. |
    | Change Window Extension | The number of hours to extend the beginning and end of a change window determined from ServiceNow. The ServiceNow label is still applied during this extended time. Changing this value affects only newly synchronized change windows; any existing change windows keep the extended time that was configured when they were first synchronized. Valid values range from 1 to 24 hours. |

Complete the configuration

After you configure the necessary settings, click Create.

ServiceNow rules deploy to endpoints on the next synchronization determined by the ServiceNow Sync schedule. If you enabled Endpoint Configuration approvals, ServiceNow rule deployment must be approved in Endpoint Configuration before ServiceNow rules deploy to endpoints. For more information about enabling and using configuration approvals in Endpoint Configuration, see Tanium Endpoint Configuration User Guide: Managing approvals.

Manage authorized events

ServiceNow change requests or tasks with an Open state

When Integrity Monitor synchronizes data with ServiceNow, it determines authorized change windows from change requests, change tasks, or both (depending on the settings) with a state that you mapped to the Open status during configuration.

Integrity Monitor applies the ServiceNow label to events that fall within these authorized change windows on associated Tanium endpoints.

ServiceNow change requests or tasks with a Closed state

For change requests or change tasks with a ServiceNow state that you have mapped to the Closed status, Integrity Monitor no longer applies the ServiceNow label to associated events.

ServiceNow change requests or tasks with a Canceled state

For change requests or change tasks with a ServiceNow state that you have mapped to the Canceled status, Integrity Monitor removes the ServiceNow label from associated events if it has previously been applied.
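
The following Python sketch is an added example, not Tanium code. It models how the Open, Closed, and Canceled statuses and the Change Window Extension decide which events carry the ServiceNow label, so that you can cross-check exported events against change records. The state names, the CHG0000001 number, the endpoint names, and the reading that a label applied while a change was Open stays in place after the change is Closed are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed mapping of ServiceNow states to Integrity Monitor statuses.
STATE_MAP = {"Implement": "Open", "Closed": "Closed", "Canceled": "Canceled"}
EXTENSION = timedelta(hours=1)  # Change Window Extension (1 to 24 hours)

@dataclass
class Change:
    number: str           # change request or change task number
    state: str            # ServiceNow state name
    start: datetime
    end: datetime
    endpoints: frozenset  # endpoints mapped to the change's configuration items

@dataclass
class Event:
    endpoint: str
    when: datetime
    label: Optional[str] = None  # change number once the ServiceNow label is applied

def sync(events, changes):
    """Model one synchronization pass and return the events left unlabeled."""
    by_number = {c.number: c for c in changes}
    for ev in events:
        prev = by_number.get(ev.label)
        if prev and STATE_MAP.get(prev.state) == "Canceled":
            ev.label = None  # Canceled: a previously applied label is removed
        if ev.label:
            continue  # assumption: a label applied while Open stays after Closed
        for c in changes:
            if (STATE_MAP.get(c.state) == "Open" and ev.endpoint in c.endpoints
                    and c.start - EXTENSION <= ev.when <= c.end + EXTENSION):
                ev.label = c.number  # record the change ID on the event
                break
    return [ev for ev in events if ev.label is None]

def demo():
    """Constructed sample: one Open change, then the same change Canceled."""
    t = datetime(2024, 5, 1, 22, 0)
    chg = Change("CHG0000001", "Implement", t, t + timedelta(hours=2), frozenset({"srv-01"}))
    events = [Event("srv-01", t - timedelta(minutes=30)),  # inside the extended window
              Event("srv-01", t + timedelta(hours=4)),     # after the extended window
              Event("srv-02", t + timedelta(hours=1))]     # endpoint not on the change
    first = [e.when.hour for e in sync(events, [chg])]
    chg.state = "Canceled"
    second = len(sync(events, [chg]))
    return first, second
```

The events that sync() returns are the ones a reviewer sees when filtering for events without the ServiceNow label.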

Review events

When you view events, you can apply a filter to include only events that do not contain the ServiceNow label. The resulting list of events then includes only those that are not associated with approved changes in ServiceNow Change Management. For more information about viewing events, see Viewing events. For more information about filtering question results, see Tanium Interact User Guide: Filter question results.

When you review events with the ServiceNow label, you can use the change request or change task ID recorded on the event to locate the associated change request or change task in ServiceNow Change Management.