Integrating with IT workflows

When you integrate Integrity Monitor with IT workflows in ServiceNow Change Management, Integrity Monitor can automatically label events based on change requests or change tasks in ServiceNow, which lets you determine which events are authorized and filter out events within authorized change windows.

You can have only one integration configured at a time.

Integrating with ServiceNow Change Management

You can configure Integrity Monitor to synchronize change requests and/or change tasks in ServiceNow Change Management to determine authorized change windows for specific Tanium endpoints (which are synchronized with ServiceNow configuration items). For events that occur on endpoints mapped to those configuration items during an authorized change window, Integrity Monitor automatically applies the ServiceNow label and the ID of the change request and/or change task from ServiceNow.

Work with your Technical Account Manager (TAM) during this process to help successfully integrate Integrity Monitor with your specific change management workflow in ServiceNow.

Before you begin

  • You must be using the ServiceNow Madrid release or later.
  • Endpoints must be defined in ServiceNow as configuration items (CIs). One method to do this is exporting data from Tanium Asset to your ServiceNow CMDB. For more information, see Tanium Asset User Guide: Exporting data to destinations.

Create the integration and specify details

  1. From the Integrity Monitor home page, click Settings , and then click the Integrations tab.
  2. Click Create Integration.
  3. In the Summary section, enter a name for the integration and set the log verbosity to record for this integration.

Configure and establish the connection to ServiceNow

  1. In the Destination section, enter the URL of your ServiceNow instance.
  2. Enter the user name and password for a ServiceNow account that has read privileges to query Change Management and CMDB data.
  3. Click Establish Connection.

Configure ServiceNow mappings

Integrity Monitor uses the statuses of Open, Closed, and Canceled to manage authorized change windows.

You must map these statuses to the states used in your ServiceNow change requests and change tasks. Additionally, you must map the attributes that identify an endpoint in ServiceNow to the appropriate Integrity Monitor sensors.

  1. In the Mapping Type section, select whether to synchronize change requests, change tasks, or both with ServiceNow to define authorized change windows.
  2. In the Change Requests section, map the Integrity Monitor Statuses to the appropriate ServiceNow states.
    • For each Integrity Monitor status, select an available ServiceNow state.
    • To add an additional mapping for a specific Integrity Monitor status, click in an existing row that contains that status.

      You must have at least one ServiceNow state mapped to each Integrity Monitor status.

  3. In the Change Tasks section, map the Integrity Monitor Statuses to the appropriate ServiceNow states.
  4. From the Task Types list, select the task types that you want to use to define authorized change windows.
  5. In the Endpoints section, select a ServiceNow attribute that helps identify an endpoint, and select the corresponding Integrity Monitor sensor.

    To add an additional attribute to help identify endpoints, click beside a row.

Configure the schedules to synchronize data with ServiceNow

To enable the integration, you must enable and configure schedules to synchronize change data from ServiceNow.

  1. In the Schedule section, select Sync this mapping on a defined schedule.
  2. Configure the ServiceNow Sync schedule, which determines when the Tanium server synchronizes change windows from ServiceNow, maps configuration items from ServiceNow to Tanium endpoints, and generates rules.
  3. Configure the Tanium Endpoint Sync schedule, which when the Tanium server gathers identification data from endpoints. This synchronization should be more frequent than the ServiceNow synchronization. The data is synchronized with ServiceNow during the following ServiceNow synchronization.
  4. Configure the remaining advanced settings as necessary.

    Setting Description
    Request Timeout The time in seconds that Integrity Monitor waits for a response from ServiceNow. Valid values range from 30 to 180 seconds.
    Batch Size The number of records to request from ServiceNow at one time. Valid values range from 500 to 10000 records.
    Look Back Days / Look Ahead Days The number of days into the past and future for which Integrity Monitor should synchronize change requests or change tasks. Valid values range from 1 to 14 days.
    Concurrent Requests The number of concurrent requests to submit to ServiceNow. A lower value might lessen the performance impact on your ServiceNow instance. Valid values range from 1 to 8 requests.
    Distribute Rules Over The number of minutes over which the Tanium server should distribute the automatically generated rules that apply the ServiceNow label. The distribution is randomized over the specified duration to avoid spikes in network or other resource utilization. Valid values range from 5 to 30 minutes.
    Change Window Extension The number of hours to extend the beginning and end of a change window determined from ServiceNow. The ServiceNow label is still applied during this extended time. Changing this value affects only newly synchronized change windows; any existing change windows keep the extended time that was configured when they were first synchronized. Valid values range from 1 to 24 hours.
    Additional Lifetime Before Pruning Open Requests

    The number of additional days to keep records of previously synchronized open change requests or change tasks before they are pruned from the database. Open change requests and change tasks are kept longer than other change states to account for label updates that might be needed due to updates in the change window, which can occur if an open change is overdue.

    A higher value for this setting can significantly increase the size of the database, which might affect performance. A lower value reduces the size of the database, but if you exceed this time plus the look back days before adjusting the dates of the change request or change task in ServiceNow, events might be labeled according to rules for multiple change windows.

    Valid values range from 1 to 60 days.

Manage authorized events

ServiceNow change requests or tasks with an Open state

When Integrity Monitor synchronizes data with ServiceNow, it determines authorized change windows from change requests and/or change tasks with a state that you mapped to the Open status during configuration.

Integrity Monitor applies the ServiceNow label to events that fall within these authorized change windows on associated Tanium endpoints.

ServiceNow change requests or tasks with a Closed state

For change requests or change tasks with a ServiceNow state that you have mapped to the Closed status, Integrity Monitor no longer applies the ServiceNow label to associated events.

ServiceNow change requests or tasks with a Canceled state

For change requests or change tasks with a ServiceNow state that you have mapped to the Canceled status, Integrity Monitor removes the ServiceNow label from associated events if it has previously been applied.

Review events

When viewing events, you can apply a filter to include only events that do not contain the ServiceNow label. The resulting list of events then includes only those that are not associated with approved changes in ServiceNow Change Management. For more information about viewing events, see Working with events. For more information about filtering question results, see Tanium Intreract User Guide: Filter question results.

Additionally, you can ask questions in Tanium Interact that include the sensors that use enhanced labeling:

  • Integrity Monitor Labeled File Events Details: This sensor contains the same columns as the Integrity Monitor File Events Details sensor, but it returns only events that have labels applied.
  • Integrity Monitor Unlabeled File Events Overview: This sensor contains the same columns as the Integrity Monitor File Events Overview sensor, but it returns only events that have labels applied.
  • Integrity Monitor Unlabeled File Events Details: This sensor contains the same columns as the Integrity Monitor File Events Details sensor, but it returns only events that do not have labels applied.

When you review events with the ServiceNow label, you can use the change request or change task from the ID of the event to locate the associated change request or change task in ServiceNow Change Management.