Skip to main content
  • EN
  • Home
  • Learn
  • Blogs
  • Netskope App for ServiceNow: Direct Integration with NextGen SWG

Overview

The Netskope App for ServiceNow provides an end-to-end configuration management integration with capabilities to create ServiceNow Security Incident Response (SIR) data based on Netskope alerts. Administrators can also manage Netskope applications based on ServiceNow Configuration Item (CI) data. URL category and hash list can also be updated back to the configured tenant. Below is a general overview of how an administrator can configure a given set of Netskope NextGen SWG policies and how to best utilize the data shared for URLs from within ServiceNow.

 

In case you missed it, check out our previous article, Netskope App for ServiceNow, which provides a non-technical overview of the latest Netskope App for ServiceNow.

 

7eSaTKNTYeXC4_BfNm1LoMr4-Rh0XlhORAd-xoU1IHyNMgBiOKS2hJly51UOr52QUK7rtr8o3UgZBzFbf9v9zuKZegFvBfsFgCGW51Y51rq6IjRMTqAs-EO_jpneMNSr_Y_SlAhr0FA7b6ZlNZKHDIk

Requirements

  • Netskope Tenant 
  • ServiceNow Instance with Admin access

 

Setup Steps

For the basic setup please refer to the  https://docs.netskope.com/en/netskope-help/integrations-439794/solution-guides/service…]-integration-solution-guide/servicenow-with-netskope-secops/

We will be utilizing the feature of Adding or removing the URLs from the URL category and how further those URLs get reflected after approving the change request in ServiceNow.

 

Basic Setup in Netskope Tenant:

We will be creating a URL List one for the ServiceNowURL Blocklist and another for the ServiceNowURL Allowlist. Additionally we will be also creating the Web Access policy for those categories.

 

URL Category and Policy Creation in Netskope

Create URL Category

  • Go to your Specific tenant.

  • Netskope Tenant > Policies > Profiles > Web > URL LISTS

    ZobPvEyFvPGAK7ivrNdAXryQGkU2h1MUhK1yUUmRRUIrNPuNYJt0qMeXbH0U6KOT95nCNpDpROZBFFfDUdfVI1u1gytVUQg7FmPcmyGKR0O6aMuOEshXZ2Hd9bUYoG1rcYSobEjiG7267FVxPAueuPg

  • Click on New URL List and Create Two List one of ServiceNow Block and other one for Allow. Click on Save and Apply Changes.

cU-0xpLc0qy_WescohHfuM5PP9bAJUIGH5IoPdE7O2uMzjk9c5Md_IaZUWuZQaB4NauM8s3IAvu3ydgyVVU6pEN-eYu-YHIimWHy084Hp6XAAIcX7cZ7o8LyrdzipxgT7vEGMXYFDDd_Yjs-_yK3OJA

 

  • The URL List will look something like below list

8LQeRE1m_WQbbangKr-sucJzWnEQ0a0Db-nEjGLVFFRRVHgUD0TCExQdVBtSWkG6BvqQ10SGPfqoaGHrfB199zPH0foisnumSrZ-6vUwLWEmEyQ4vMiXz-vTjYVdhf7w14AwAOzVoQWVukw2D_muYpU

  • Similarly, the same List we can see under the URL category List in your ServiceNow Vendor Instance

Q-2c8aBq0w7N9HTj7Fqs8-OSzmBaXEYHKUgVFp67TEHN2ntVCRB6XDv7uOHINagr_sghG8QWuUFuVVNzZyxkl0iphlR8CugeY6G8M9hkwBn1HaCgsu5GPxxAgU9AXsVKHgeHMr6ZvJxGyT3bZTCzceY

 

  • Now let’s create the Custom Category list out of the URL List we created in the last step. Go to Policies > Profiles > Web > URL LISTS > Click on New Custom CategoryO7XpV5_cTFV7HODO0kqcnsY9NkKHKnlbS12BQHug6myJScWqflCSfk-RNWxnnw065qyFWH7XC-cenRfYokNrq-FpP07HQ7f3CsNHKz0GphDrd-h84Yca_fr-sgLRmsTUR5dOrNizASaDBN_k3Z_Et18
  • Create one Custom Category for the Allowlist and the other list for the BlockList. Select the URL List which needs to be included in the list. Click on Save

gbvR5QuHAFSafwb9fVKZ8Uqb5q0g2OVsDVxVo9rPaiqtBIz5UxIeJuytv7xJjE5k0NbfCQSOVh-4r5wNAhgljyE1atMRE5_Aa2HBXAHGyo8B7WB92TK0vRsfKECJOj6J_lLyqVXqx-bkAVwZz1B_gVw

Create Netskope Web Access Policy

Go to your Netskope Tenant > Policies > Real-time Protection  > Click on New Policy > Select Web Access

 

YsAh5BugZ_UZ-78lLgawbt48-FOCbcSbIUYn27JqsFrWDzhiiAKSI49SFGf7l1jQjgEL_zdR1Wg5FaJ85Dg-X01Aj1a0DWNRquYJ3BznpnfuyZWj2AEd5KMi5_2NonVN1J0vVnBh4wAsDvcL5NzowwU

 

  • Select the Source User, group or organization Unit. Select the Custom Category you created in the last step. Activities Select All or you can select according to your organization. Select the profile action for now I will set it to Block for Block List and Allow for Allowlist. Name the particular policy and click on save.

UunbdW7AH8AHufe34vX8XLZU6Yif2asnLBPHdC9uGA7Bk9pDRlM_yzDXrN9xytnd-gM02iPNG0BFspmCYD_bIhCBupNfp8zIbjvuridEw-isZQXvDvwdDsDnD57aJpPEzU9dr0OEmCvUqWnwi7zMyg0

 

 

Netskope App for ServiceNow

As the expectation would be, we have already configured the app. Now we will be seeing how we can add/remove the ServiceNow Observables like URLs back to the particular Netskope URL category list. For this we need to make sure we have the Netskope ServiceNow direct Integration app already configured.

 

ServiceNow App Configuration Check

Go to your Already configured Netskope for Security Operations App > Schedule Jobs. Make sure your Fetch Category List and Fetch URL List Jobs are active. Please log in as Admin to see the other options.

ciX6mt_-NoCuaAusDdEUDm_Ga0X_kmN30rUj5wipkEYVT8cQ8E6kno_X-6dnfPIfEJnw_eyGawvIuJqWeY-IEeJpYygLSpaOtQUB1b_tjI5Wj_w7FhJ_zJ4wVyxHMs3SmyC7DUGTwOmEleL-WdWrDH8

 

 

ServiceNow Observable Table

Now we will be moving the URLs to Allowlist or Blocklist from ServiceNow. For that we will be going to the Observable table where all the Hashes, URLs and IPs are present. 

Search for the Observables on the ServiceNow Instance.

ysT3mOdebTyApOYCm1PYpbr43Aw7v2DsYxD5xiCCXj2VDb0BHH0mGTWVGZrXhJGIrj9tkxk-Az5SSPibqeRdXsFM4goIyIh2V7sd9ZphhWAfy-YtDBJZUhwCQOl0AdVIQDy-zF4Bql68F8dgfnC23yU

 

  • You will see the observable data something like the below table with your own data populated.

 

MgAeRu4QmrsHAVSioeRWToCtxdaZfhfI6LBsrw2TfECA_tZ3Arsc_JX6iq2fMLCqNbxZ8NrZcvQ-lhBHYbOeoE6yB34gMMV_6POO2T4ad7HdQupMKx_zZBE4B3p2YqsShec5aKFvHJwIvU8AvO9UJdI

 

  • Select any one of the domains and Click on Actions on selected rows. You can take the action on multiple Observables in one go. Click on Add/Remove URL Category.

NoXZIxn8srUpx4gsXWDhUGImCY9y4o8DJm0GodmEx1IH4xWkoCESLlWbSinm5qCaUvu5P-4kH-ekkvvHNZPyoN_HTwcsLV6v-LoQTBFBRlO-edixYzkpx_6F731ug4GIi-xYyCe--qcXocn5uhai5pY

 

  • Select the Netskope Profile Configuration which will be the initial profile configuration you did during the App configuration. Select the Approvers as the change request is going to be created who are basically going to Approve add/remove of URL to a particular list. Select the particular URL List in which the URL would be added.

-1PgvF07LM0EOG24-LX3hLZ0VN7cdgfluetUPoSuAGVQ3muABeOCX85vKjWSYriTkiXp5a7Cgq7wFqUhT07Z2bLDfeLo6iOY8tRzx9vv1nlJ0j_x7fV_954jAMnA1yrRY6meNl-BXKhfSJt0lCZ7W4U

 

  • After Clicking on Submit a change request would be created.

 

7vUggyJHDHvi8kjdKj2xJOMtvNdZdjcao6lzvIPKRnUsZlO-b07N82vtufIQRC3IR_GEx4c1Om39_MYYKJwC3UknMP39_6d6G2Z5VTRoNDS5lnBuNQUdyzpMFv4W74yzpjBJj_UiPPqbwJxlsCUxKAA

 

  • Click on Request Approval on the particular change request created for the Add/Remove of URL.

WFSZGX1aloujF-MD2Crai8oKpBOtn7L23Doz4R0zCROvB5ahKTBlCOqPs48P84Iiz605OqnG9zq-nexeH-N3eTzsPjPtC-eGPQD5FH9Q-vdZKFSjVwDlb6rEFwXdT8PconD789oqf2qViWCmmW2NIYc

 

  • Currently the URLList is in the Approval process. To verify we can check the current state of the specific URL List

wkE51LWJ9jhSEoWTRz-BjOr2flOFwRD6xxAVoaFi0rDRQcCXZUblRulGI-YSJRudc8Tjm-WWnQVU9u6XZCGKeK1V-21l3SIr13GdLy4NaLzKrKDI6h9CQS3gzrz2abxvGJXHQ3T4OYS3vY6NNkHGFnc06qIeJwZUaLJJynYHOUurdBM8vTi1uDBAiA01jx_4OGOdtcn5IUsewhClA9MxKAFjMsg8Lm17Yn0M9atZq0BJamMwj3Fq7SJj3xqQwWXfPPoemCOS7MXunixdSJaO2a5aTkHI8KjMtfYm-hig8kppL8

 

  • After the Change Request has been approved

lGHbploTgtVETLFsBWcKxMtvIw93UMcFdCAbKE85_Rlsj3eXWUHCzYKzTPR3PRsAj7zVXWoHpZDim3IgI_3QC4fFYFLefZrSb_4nAMa660q7sw1dXFd8eSbJEOUpWFtL_16zfdUsrqmKGcVaC5Q_-Rg

 

  • We can find the URL being added to the BlockList in ServiceNow URL Category List and Similarly in the Netskope.

 

JPmxndCASAz7n4iFW7YPg6vQZVeeqzeeboFqLfCWUJg5f1Mzci7QuBwHzySWosuOJF-2tyxyBJijiGGSsa_qnxY0Z3Q-vxD_-fg0sx7R-uhnUHHfRExgrlwkLs6pM4JQmbDYLXwzMz6ooC6rfXNitFo

60aTxqawiEKXKny7bbBG5BA-LxqmpQT-RI7evmtzQG7DPbAJSYGzPOC-Ul_DJ7gOG0JoKcVxjA_1N6LDhd2E3C9er3il-Ipz18qus8cOk-UFD2qJvS19SR-s4oEFt9jAQdq9Fn5DxTlClib2BGzF5Lo

 

Verify Action

Now to verify the action visit the same website. Also please make sure your client is enabled to detect the action.

 

Z26tgmAuJ35vTJmTBuonEVXjKdB8Kfd7j2zE5wKX0aJzODlgOs9LHwwrFOwcFPHJHkki2140uP0kEPF3HGygTUiKoWBXIMNPKZ4ajGF3Q2tsOdlGIO0osOcDkQMoDS_bhyK6V-3CFbA3IewoZD_nDqE

 

Similarly we can find the details for the same in Skope IT > Events & Alerts > Alerts

K8ugQkCqor3SnebCD8s46m9RDqucWXK1y5t1G-KR1mIkUbUvuFZRYDbUVY85tATB8krLqYRGN4E8FlVrXJG3AvqlSjkfBK33-mIlDY71b-YqwuOZWvc59FH_T9zKHsbq6oICtCyz0DXc4hvOhD9M-lY

 

Be the first to reply!

Reply


Terms & ConditionsCookie settings