Netskope App for ServiceNow: Direct Integration with NextGen SWG



Overview

The Netskope App for ServiceNow provides an end-to-end configuration management integration that can create ServiceNow Security Incident Response (SIR) data based on Netskope alerts. Administrators can also manage Netskope applications based on ServiceNow Configuration Item (CI) data, and URL category and hash lists can be updated back to the configured tenant. Below is a general overview of how an administrator can configure a set of Netskope NextGen SWG policies and how best to use the URL data shared from within ServiceNow.

 

In case you missed it, check out our previous article, Netskope App for ServiceNow, which provides a non-technical overview of the latest Netskope App for ServiceNow.

 


Requirements

  • Netskope Tenant 
  • ServiceNow Instance with Admin access

 

Setup Steps

For the basic setup, please refer to the solution guide: https://docs.netskope.com/en/netskope-help/integrations-439794/solution-guides/servic[…]-integration-solution-guide/servicenow-with-netskope-secops/

We will use the feature for adding or removing URLs from a URL category and see how those URLs are reflected after the change request is approved in ServiceNow.

 

Basic Setup in Netskope Tenant:

We will create two URL Lists, one for the ServiceNowURL Blocklist and another for the ServiceNowURL Allowlist. Additionally, we will create the Web Access policy for those categories.

 

URL Category and Policy Creation in Netskope

Create URL Category

  • Go to your specific tenant.
  • Navigate to Netskope Tenant > Policies > Profiles > Web > URL LISTS.


  • Click on New URL List and create two lists, one for ServiceNow Block and the other for Allow. Click on Save and Apply Changes.


 

  • The URL List will look something like the list below.


  • Similarly, the same list appears under the URL Category List in your ServiceNow vendor instance.


 

  • Now let’s create the Custom Category list out of the URL List we created in the last step. Go to Policies > Profiles > Web > URL LISTS and click on New Custom Category.
  • Create one Custom Category for the Allowlist and another for the Blocklist. Select the URL List that needs to be included. Click on Save.


Create Netskope Web Access Policy

Go to your Netskope Tenant > Policies > Real-time Protection, click on New Policy, and select Web Access.

 


 

  • Select the source user, group, or organizational unit. Select the Custom Category you created in the last step. For Activities, select All, or select according to your organization. Select the profile action; for now I will set it to Block for the Blocklist and Allow for the Allowlist. Name the policy and click on Save.


 

 

Netskope App for ServiceNow

As expected, we have already configured the app. Now we will see how to add or remove ServiceNow observables, such as URLs, to or from a particular Netskope URL category list. For this, make sure the Netskope ServiceNow direct integration app is already configured.

 

ServiceNow App Configuration Check

Go to your already configured Netskope for Security Operations App > Schedule Jobs. Make sure your Fetch Category List and Fetch URL List jobs are active. Please log in as Admin to see the other options.


 

 

ServiceNow Observable Table

Now we will move URLs to the Allowlist or Blocklist from ServiceNow. For that, we go to the Observable table, where all the hashes, URLs and IPs are present.

Search for Observables on the ServiceNow instance.


 

  • You will see observable data similar to the table below, populated with your own data.

 


 

  • Select any one of the domains and click on Actions on selected rows. You can take the action on multiple observables in one go. Click on Add/Remove URL Category.


 

  • Select the Netskope Profile Configuration, which is the initial profile configuration you created during the app configuration. Select the Approvers: because a change request is going to be created, these are the people who will approve the add/remove of the URL for a particular list. Select the URL List to which the URL will be added.


 

  • After you click on Submit, a change request is created.

 


 

  • Click on Request Approval on the change request created for the add/remove of the URL.


 

  • The URL List is now in the approval process. To verify, we can check the current state of the specific URL List.


 

  • After the Change Request has been approved


 

  • We can find the URL added to the Blocklist in the ServiceNow URL Category List and, similarly, in Netskope.

 


 

Verify Action

Now, to verify the action, visit the same website. Also, please make sure your client is enabled to detect the action.

 


 

Similarly, we can find the details in Skope IT > Events & Alerts > Alerts.


 

