
The Netskope Security Operations app allows customers to create security incidents from alerts.

Below are the key features included in this direct integration:

  1. Security incident creation from all alerts except DLP
  2. Populating discovered applications in your ServiceNow CMDB application table from your Netskope Tenant
  3. Pulling User Risk scores from your Netskope Tenant.
  4. Pulling URL categories list and allowing users to share back hashes and URLs to Netskope.
  5. Sandbox report request: allows users to scan malicious files and retrieve the resulting report

In addition to the above features, a new feature allows users to map security incidents to any table in their ServiceNow instance. Any table is supported, so the customer can select the table of their choice. Previously, only the Security Incident table could be used for incident creation.

Requirements:

  1. Netskope Tenant
  2. ServiceNow Instance

Prerequisites:

  1. Install the Netskope App for Security Incident Responder - https://store.servicenow.com/store/app/290da3a21b646a50a85b16db234bcb20
  2. Complete the integration configuration of the app from your ServiceNow Instance > Security Operations > Integration configuration > Select Netskope for Security Operations app and provide the required details.

For full implementation, please refer to the documentation: https://docs.netskope.com/en/servicenow-with-netskope-secops/.

Implementation:

This post focuses on the new feature that lets you select a table of your choice in the integration and start creating incidents from Netskope alerts in that table in ServiceNow.

Data Ingestion Profile Configuration

Search for "Netskope for Security Operation"; under it you will find the Data Ingestion Profile Configuration.

Click "New" to create a new Data Ingestion Profile Configuration.

Provide the basic information: the name of the configuration and the source, which is the integration configuration created in the prerequisites. The "Order" field is optional.


The same basic information section contains the new alert mapping table selector. "Security Incident" is selected by default, but you can choose any other table, including a custom table.


Click "Next." In the alert filtering step you can restrict collection to only the alerts you want in your ServiceNow environment, or select all options to fetch every alert.

Field mapping allows users to map the Netskope fields to the fields of the selected ServiceNow table. In this case, we map the Netskope fields to the Incident table in ServiceNow.


In the next step, set the security incident criteria. Not every alert should become a security incident, so you can define conditions that decide which alerts are turned into incidents. You can also configure assignment rules that automatically assign the created incident to a user group based on certain conditions.

In the last step, configure the scheduling. Recurring alert collection collects alerts at regular intervals: select any future timestamp, and collection starts automatically from that point. One-time alert collection is used to collect alerts from the past.


Click "Finish," and make sure to activate the configuration you just created; an inactive profile does not collect alerts.

Alerts Ingestion

Go to the alerts section under "Netskope for Security Operation." You will start seeing the alerts and the corresponding Incident ID. If you used the default table during profile configuration, you will find the Incident ID under the "Security Incident" column. If you used a different table (in my case, the Incident table), you will find the Incident ID under the "Document ID" column.
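
To make the profile steps above concrete, here is an added example (not Netskope's or ServiceNow's own code) that models a Data Ingestion Profile in memory: the alert mapping table, the alert filter, the field mapping, the incident criteria with assignment rules, and the active flag set after "Finish." It then runs a few constructed Netskope-style alerts through it and shows why the created record's ID appears under "Security Incident" for the default table but under "Document ID" for any other table. The alert field names, the alert table name `netskope_alert_demo`, the custom field `u_cloud_app` and the sample alerts are assumptions made for illustration; `sn_si_incident` and `incident` are the standard ServiceNow table names for Security Incident and Incident.

```javascript
// Added example, not Netskope's or ServiceNow's own code: an in-memory model of the
// Data Ingestion Profile configured in the post. Alert field names, the alert table
// "netskope_alert_demo", the field "u_cloud_app" and the sample alerts are constructed
// for illustration; "sn_si_incident" and "incident" are standard ServiceNow tables.

// Constructed sample alerts, shaped like what a profile would pull from a tenant.
const SAMPLE_ALERTS = [
  { id: "a1", alert_type: "malware", severity: "high", user: "alice@example.com", app: "Box" },
  { id: "a2", alert_type: "dlp",     severity: "high", user: "bob@example.com",   app: "Gmail" },
  { id: "a3", alert_type: "anomaly", severity: "high", user: "carol@example.com", app: "Slack" },
  { id: "a4", alert_type: "malware", severity: "low",  user: "dave@example.com",  app: "Dropbox" },
];

// One profile, mirroring the wizard steps: mapping table, alert filter, field mapping,
// incident criteria and assignment rules, plus the active flag set after "Finish".
const PROFILE = {
  name: "Netskope malware and anomaly alerts",
  active: true,
  mappingTable: "incident",            // the default would be "sn_si_incident"
  alertTypes: ["malware", "anomaly"],  // alert filtering; DLP alerts are never ingested
  fieldMap: { user: "caller_id", app: "u_cloud_app", alert_type: "category", severity: "priority" },
  createIf: (alert) => alert.severity === "high",  // security incident criteria
  assignment: [                                    // first matching rule wins
    { when: (alert) => alert.alert_type === "malware", group: "Malware Response" },
    { when: () => true, group: "Security Triage" },
  ],
};

// Minimal stand-in for ServiceNow tables: table name -> list of records with a sys_id.
function createStore() {
  return { tables: {}, counters: {} };
}

function insertRecord(store, table, fields) {
  store.tables[table] = store.tables[table] || [];
  store.counters[table] = (store.counters[table] || 0) + 1;
  const record = Object.assign({ sys_id: table + ":" + store.counters[table] }, fields);
  store.tables[table].push(record);
  return record;
}

// One collection run. Returns the alert records as the app's Alerts list would show them:
// the created record's ID lands in "security_incident" for the default table and in
// "document_id" (with "document_table") for any other table.
function ingestAlerts(store, profile, alerts) {
  if (!profile.active) return [];  // an inactive profile collects nothing
  const shown = [];
  for (const alert of alerts) {
    if (alert.alert_type === "dlp") continue;                      // not supported
    if (!profile.alertTypes.includes(alert.alert_type)) continue;  // alert filtering
    const alertRecord = insertRecord(store, "netskope_alert_demo", {
      alert_id: alert.id,
      alert_type: alert.alert_type,
    });
    if (profile.createIf(alert)) {
      const fields = {};
      for (const [src, dst] of Object.entries(profile.fieldMap)) fields[dst] = alert[src];
      const rule = profile.assignment.find((r) => r.when(alert));
      fields.assignment_group = rule ? rule.group : null;
      const created = insertRecord(store, profile.mappingTable, fields);
      if (profile.mappingTable === "sn_si_incident") {
        alertRecord.security_incident = created.sys_id;
      } else {
        alertRecord.document_table = profile.mappingTable;
        alertRecord.document_id = created.sys_id;
      }
    }
    shown.push(alertRecord);
  }
  return shown;
}

// Run the sample alerts through a copy of PROFILE pointed at the given table.
function runDemo(mappingTable) {
  const store = createStore();
  const profile = Object.assign({}, PROFILE, { mappingTable: mappingTable || PROFILE.mappingTable });
  const shown = ingestAlerts(store, profile, SAMPLE_ALERTS);
  return { store, shown };
}

const demo = runDemo("incident");
console.log(JSON.stringify(demo.shown, null, 2));
```

Running it with `"incident"` as the mapping table produces three alert records (the DLP alert is dropped by the filter): two of them carry a `document_id` pointing at a created Incident, and the low-severity one has none because it failed the criteria. Switching the mapping table to `"sn_si_incident"` puts the same IDs into `security_incident` instead, which is the column difference the Alerts list shows.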

Click on the Incident ID to get more details related to the Incident.
