Integrating with IT workflows

When you integrate Integrity Monitor with IT workflows in ServiceNow Change Management, Integrity Monitor can automatically label events based on change requests or change tasks in ServiceNow. You can then determine which events are authorized and filter out events within authorized change windows.

You can also automatically create incidents in ServiceNow Incident Management for unexpected events by using inbound email actions in ServiceNow and an email destination in Connect. For more information, see Create incidents for unlabeled events in ServiceNow Incident Management.

Integrating with ServiceNow Change Management

You can configure Integrity Monitor to synchronize change requests, change tasks, or both in ServiceNow Change Management. The change requests or change tasks determine the authorized change windows for specific Tanium endpoints (which are synchronized with ServiceNow configuration items). For events that occur on endpoints that are mapped to those configuration items during an authorized change window, Integrity Monitor automatically applies the ServiceNow label and records the ID of the change request or change task from ServiceNow.

Before you begin

  • You must be using the ServiceNow Madrid release or later.
  • The host URL of your ServiceNow instance must be added to the approved list by Tanium. Contact Tanium Support to request approval.
  • You must have endpoints defined in ServiceNow as configuration items (CIs). One method to create configuration items for endpoints is by exporting data from Tanium™ Asset to your ServiceNow CMDB. For more information, see Tanium Asset User Guide: Exporting data to destinations.

Create the integration and specify details

  1. From the Integrity Monitor Overview page, click Settings, and then click the Integrations tab.
  2. Click Create Integration.
  3. In the Summary section, enter a name for the integration.

Configure and establish the connection to ServiceNow

  1. In the Destination section, enter the Host URL of your ServiceNow instance.
  2. Enter the User Name and Password for a ServiceNow account that has read privileges to query Change Management and CMDB data.
  3. Click Establish Connection.

Configure ServiceNow mappings

Integrity Monitor uses the statuses of Open, Closed, and Canceled to manage authorized change windows. You must map these statuses to the states used in your ServiceNow change requests and change tasks. You must also map the attributes that identify an endpoint in ServiceNow to the appropriate Integrity Monitor sensors.

  1. For Create rules from, select Change Requests and Tasks, Change Requests, or Change Tasks. This setting determines whether authorized change windows come from ServiceNow change requests, change tasks, or both.
  2. If you are mapping change requests, then in the Change Requests section, select the appropriate ServiceNow states for Open States, Closed States, and Canceled States. If you use the default change request states in ServiceNow, you can leave the default mapping in place.

    You must have at least one ServiceNow state selected for each Integrity Monitor status.

  3. If you are mapping change tasks, then in the Change Tasks section, select the appropriate ServiceNow states for Open States, Closed States, and Canceled States. Select the ServiceNow Task Type to use to define authorized change windows.

    You must have at least one ServiceNow state selected for each Integrity Monitor status, and you must select at least one Task Type.

  4. In the Endpoints section, select each Tanium Sensor to identify endpoints, and select the corresponding ServiceNow Attribute for each sensor. By default, the Computer Name and Computer Serial Number sensors are mapped to the Name and Serial Number ServiceNow attributes.

    To add more attribute mappings to help identify endpoints, click Add Mapping. To remove an attribute mapping, click Remove Mapping.

Configure the schedules to synchronize data with ServiceNow

To enable the integration, you must enable and configure schedules to synchronize change data from ServiceNow.

  1. In the Schedule section, select Sync this mapping on a defined schedule.
  2. Configure the ServiceNow Sync schedule, which determines when the Tanium Server synchronizes change windows from ServiceNow, maps configuration items from ServiceNow to Tanium endpoints, and generates rules.
  3. Configure the Tanium Endpoint Sync schedule, which determines when the Tanium Server gathers identification data from endpoints. This synchronization should be more frequent than the ServiceNow synchronization. The data is synchronized with ServiceNow during the following ServiceNow synchronization.
  4. Configure the remaining advanced settings as necessary.

    • Request Timeout: The time in seconds that Integrity Monitor waits for a response from ServiceNow. Valid values range from 30 to 180 seconds.
    • Batch Size: The number of records to request from ServiceNow at one time. Valid values range from 500 to 10000 records.
    • Look Back Days / Look Ahead Days: The number of days into the past and future for which Integrity Monitor should synchronize change requests or change tasks. Valid values range from 1 to 14 days.
    • Concurrent Requests: The number of concurrent requests to submit to ServiceNow. A lower value might lessen the performance impact on your ServiceNow instance. Valid values range from 1 to 8 requests.
    • Distribute Rules Over: The number of minutes over which the Tanium server should distribute the automatically generated rules that apply the ServiceNow label. The distribution is randomized over the specified duration to avoid spikes in network or other resource utilization. Valid values range from 5 to 30 minutes.
    • Change Window Extension: The number of hours to extend the beginning and end of a change window determined from ServiceNow. The ServiceNow label is still applied during this extended time. Changing this value affects only newly synchronized change windows; any existing change windows keep the extended time that was configured when they were first synchronized. Valid values range from 1 to 24 hours.
    • Additional Lifetime Before Pruning Open Requests: The number of additional days to keep records of previously synchronized open change requests or change tasks before they are pruned from the database. Open change requests and change tasks are kept longer than other change states to account for label updates that might be needed due to updates in the change window, which can occur if an open change is overdue.

      A higher value for this setting can significantly increase the size of the database, which might affect performance. A lower value reduces the size of the database, but if you exceed this time plus the look back days before adjusting the dates of the change request or change task in ServiceNow, events might be labeled according to rules for multiple change windows.

      Valid values range from 1 to 60 days.

Complete the configuration

After you configure the necessary settings, click Create.

ServiceNow rules are deployed to endpoints on the next synchronization determined by the ServiceNow Sync schedule. If you have enabled Endpoint Configuration, ServiceNow rule deployment must be approved in Endpoint Configuration before ServiceNow rules are deployed to endpoints.

Manage authorized events

ServiceNow change requests or tasks with an Open state

When Integrity Monitor synchronizes data with ServiceNow, it determines authorized change windows from change requests, change tasks, or both (depending on the settings) with a state that you mapped to the Open status during configuration.

Integrity Monitor applies the ServiceNow label to events that fall within these authorized change windows on associated Tanium endpoints.

ServiceNow change requests or tasks with a Closed state

For change requests or change tasks with a ServiceNow state that you have mapped to the Closed status, Integrity Monitor no longer applies the ServiceNow label to associated events.

ServiceNow change requests or tasks with a Canceled state

For change requests or change tasks with a ServiceNow state that you have mapped to the Canceled status, Integrity Monitor removes the ServiceNow label from associated events if it has previously been applied.
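
The following added example is a simplified model of the Open, Closed, and Canceled behavior described above, including the Change Window Extension. It is not Tanium code. The Change and Event classes, the sync function, the change ID, and the sample data are all hypothetical and constructed for illustration, and the model assumes that each event is matched to a single endpoint name.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Change:
    change_id: str   # constructed placeholder ID, not a real ServiceNow record
    status: str      # Integrity Monitor status: "Open", "Closed" or "Canceled"
    endpoint: str    # endpoint mapped to the ServiceNow configuration item
    start: datetime
    end: datetime

@dataclass
class Event:
    endpoint: str
    path: str
    when: datetime
    label: Optional[str] = None
    change_id: Optional[str] = None

def sync(events, changes, extension_hours=1):
    """Model one synchronization pass; return the events left unlabeled."""
    ext = timedelta(hours=extension_hours)
    by_id = {c.change_id: c for c in changes}
    for ev in events:
        prior = by_id.get(ev.change_id)
        if prior and prior.status == "Canceled":
            ev.label = ev.change_id = None   # Canceled: remove an applied label
        if ev.label:
            continue                         # Open or Closed: existing label stays
        for c in changes:                    # only Open changes label new events
            if (c.status == "Open" and c.endpoint == ev.endpoint
                    and c.start - ext <= ev.when <= c.end + ext):
                ev.label, ev.change_id = "ServiceNow", c.change_id
                break
    return [ev for ev in events if ev.label is None]

T = datetime(2024, 5, 1, 22, 0)  # constructed change window start

def sample_changes(status="Open"):
    return [Change("CHG-EXAMPLE-1", status, "web01", T, T + timedelta(hours=2))]

def sample_events():
    return [  # constructed file events
        Event("web01", "/etc/nginx/nginx.conf", T + timedelta(minutes=30)),  # in window
        Event("web01", "/etc/passwd", T - timedelta(minutes=45)),     # in extension
        Event("web01", "/etc/sudoers", T + timedelta(hours=5)),       # outside window
        Event("db01", "/etc/ssh/sshd_config", T + timedelta(minutes=30)),  # other CI
    ]
```

The list that sync returns corresponds to the unlabeled events that remain for review after a synchronization.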

Review events

When you view events, you can apply a filter to include only events that do not contain the ServiceNow label. The resulting list of events then includes only those that are not associated with approved changes in ServiceNow Change Management. For more information about viewing events, see Viewing events. For more information about filtering question results, see Tanium Interact User Guide: Filter question results.

You can also ask questions in Interact that include the sensors that use enhanced labeling:

  • Integrity Monitor Labeled File Events Details: This sensor contains the same columns as the Integrity Monitor File Events Details sensor, but it returns only events that have labels applied.

    The results grid for an enhanced monitor uses the Integrity Monitor Filtered File Events Overview and Integrity Monitor Filtered File Events Details sensors, which include a parameter for a filter expression in JSON format. Though you can ask questions in Interact using these sensors, it is a best practice to use the Integrity Monitor Labeled File Events Details sensor in questions.

  • Integrity Monitor Unlabeled File Events Overview: This sensor contains the same columns as the Integrity Monitor File Events Overview sensor, but it returns only events that do not have labels applied.
  • Integrity Monitor Unlabeled File Events Details: This sensor contains the same columns as the Integrity Monitor File Events Details sensor, but it returns only events that do not have labels applied.

When you review events with the ServiceNow label, you can use the change request or change task ID that is recorded on the event to locate the associated change request or change task in ServiceNow Change Management.