Configuring the SaaS Security API Connector for ServiceNow

This article explains how to configure the ServiceNow connector for the SaaS Security API policy for your account and create rules that use this connector in the Data Protection Policy.

The SaaS Security API policy requires a separate Cato license. Please contact your Cato representative or official reseller for more information.

Overview of the ServiceNow Connector

Create the connector for your organization's ServiceNow instance. Then define rules in the SaaS Security API Data Protection policy that include the ServiceNow connector and define the objects that are scanned and inspected. You can create a single ServiceNow connector for each instance.

Prerequisites

  • The ServiceNow connector requires an admin with the global admin role to give permissions to Cato's SaaS Security API

  • The Application scope is set to global

Required Permissions for the API Connectors for ServiceNow

To enable Cato's SaaS Security API to scan table records and attachments in your ServiceNow account, the connector gives Cato the following permissions and actions with the ServiceNow app:

  • Grant access to the app using OAuth2

  • Receive a token from the app to establish and maintain a secure connection

  • Connect to the ServiceNow APIs and scan data and tables according to the SaaS Security API Data Protection policy

Working with ServiceNow Connectors

This section explains how to set the correct ServiceNow permissions, create API connectors for ServiceNow, and connect your organization's ServiceNow instance to your Cato account.

Note: Make sure that you don't have ACL, IP ACL, business rules, or data policies that impact the ability of Cato to connect to your ServiceNow instance.

Required ServiceNow Tables and Roles

When the ServiceNow admin creates the Cato connector, the admin account needs to have the correct permissions for the tables and roles. The table below lists the ServiceNow tables and roles that Cato requires permissions to access.

The minimum required permission is the ITIL role, but we recommend that you define the tables with the admin role.

Table                 Role   Description
change_phase          ITIL   Access records from the Change Phase table
change_request        ITIL   Access records from the Change Request table
change_request_imac   ITIL   Access records from the Change Request IMAC table
change_task           ITIL   Access records from the Change Task table
incident              ITIL   Access records from the Incident table
incident_task         ITIL   Access records from the Incident Task table
kb_knowledge          ITIL   Access records from the KB Knowledge table
kb_submission         ITIL   Access records from the KB Submission table
problem               ITIL   Access records from the Problem table
problem_task          ITIL   Access records from the Problem Task table
release_phase         ITIL   Access records from the Release Phase table
release_task          ITIL   Access records from the Release Task table
sc_req_item           ITIL   Access records from the Service Catalog Requested Item table
sc_request            ITIL   Access records from the Service Catalog Request table
sc_task               ITIL   Access records from the Service Catalog Task table
sys_attachment        ITIL   Access records from the Attachments table
sysapproval_group     ITIL   Access records from the Group Approval table
sysevent              ITIL   Access records from the Event table
task                  ITIL   Access records from the Task table
ticket                ITIL   Access records from the Ticket table

Setting Permissions for ServiceNow Tables

Set the table permissions in your ServiceNow instance to allow the Cato connector to monitor tables and data.

To set the ServiceNow table permissions:

  1. Log in to the ServiceNow console, and from the navigation menu search for System Definition and select Tables.

  2. Search for the Name of one of the tables, and click the table in the search result.

    For example, search for the problem table.
  3. In the table settings, click the Application Access tab and make sure that Allow access to this table via web services is selected.

  4. Click Update.

  5. Repeat steps 2-4 for all the tables listed above in Required ServiceNow Tables and Roles.

Creating the ServiceNow Connector

When you create the ServiceNow connector, copy the base URL for your ServiceNow instance, and paste it in the new Cato connector.

Note: The base URL is the protocol, instance ID, and domain name, without the path. For example, https://sample.service-now.com is the base URL for https://sample.service-now.com/now/nav.ui.classic.params

Then in the ServiceNow console, create a new OAuth application, and paste the Cato Redirect URL. You can also add the Cato logo to the application.

After the new OAuth application is created, copy the ServiceNow Client ID and Client Secret and paste these values in the connector. Finally, save the ServiceNow connector in the Cato Management Application and Cato is now ready to monitor ServiceNow objects and tables.

Note: The Cato connector creates several ServiceNow Business Rules that are used to monitor the tables. Don't delete any Business Rule with the prefix cato. For more information, see the ServiceNow documentation.
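A pre-flight script that covers two of the setup items above: deriving the base URL in the format the connector expects, and checking that every table in the Required ServiceNow Tables and Roles list has "Allow access to this table via web services" enabled. This is an added example, not Cato's or ServiceNow's code; it assumes that the sys_db_object field named ws_access holds that setting and that an OAuth bearer token for the ServiceNow Table API is available. The sample API response is constructed so the check runs offline.

```python
"""Pre-flight check for the Cato ServiceNow connector (added example, not Cato's code).
Normalises the instance URL to protocol + host and verifies that every required table
has 'Allow access to this table via web services' enabled. Runs offline on a
constructed Table API response; fetch_table_flags() queries a live instance."""
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

REQUIRED_TABLES = [  # the 'Required ServiceNow Tables and Roles' list
    "change_phase", "change_request", "change_request_imac", "change_task",
    "incident", "incident_task", "kb_knowledge", "kb_submission", "problem",
    "problem_task", "release_phase", "release_task", "sc_req_item",
    "sc_request", "sc_task", "sys_attachment", "sysapproval_group",
    "sysevent", "task", "ticket",
]

def base_url(instance_url: str) -> str:
    """Reduce any ServiceNow URL to https://<instance host>, as the connector expects."""
    parts = urlparse(instance_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https ServiceNow URL: {instance_url!r}")
    return f"https://{parts.netloc}"

def tables_without_ws_access(api_result: dict) -> list:
    """Required tables whose web-service flag is off or absent from the response.
    api_result: parsed JSON of GET /api/now/table/sys_db_object with
    sysparm_fields=name,ws_access (ws_access is the assumed sys_db_object field)."""
    flags = {row["name"]: row.get("ws_access") for row in api_result.get("result", [])}
    return sorted(t for t in REQUIRED_TABLES if flags.get(t) != "true")

def fetch_table_flags(instance_url: str, bearer_token: str) -> dict:
    """Query a live instance for the required tables' flags using an OAuth bearer token."""
    url = (f"{base_url(instance_url)}/api/now/table/sys_db_object"
           f"?sysparm_query=nameIN{','.join(REQUIRED_TABLES)}"
           f"&sysparm_fields=name,ws_access&sysparm_limit=100")
    req = Request(url, headers={"Authorization": f"Bearer {bearer_token}",
                                "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Constructed response: 'problem' has the flag off and 'ticket' is not returned at all.
SAMPLE_RESULT = {"result": [{"name": t, "ws_access": "false" if t == "problem" else "true"}
                            for t in REQUIRED_TABLES if t != "ticket"]}

if __name__ == "__main__":
    print(base_url("https://sample.service-now.com/now/nav.ui.classic.params"))
    print("fix web-service access on:", tables_without_ws_access(SAMPLE_RESULT))
```

Any table the script reports must be fixed in System Definition > Tables before the connector can monitor it, or the connector will fail for that table.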

To create the connector for ServiceNow:

  1. From the navigation pane, select Assets > Integrations and click the Installed SaaS Applications tab.

  2. Click New. The New Connector panel opens.

  3. For step 1, in SaaS Application select ServiceNow.

  4. For step 2, configure these connector settings:

    1. Enter the Connector Name.

    2. From the ServiceNow console, copy the base URL, and paste it in ServiceNow base URL.

  5. For step 3, configure the new ServiceNow OAuth application:

    1. Log in to the ServiceNow console.

    2. Navigate to System OAuth > Application Registry, and click New.

    3. Click Create an OAuth API endpoint for external clients.

      The new OAuth application opens.
    4. Enter the Name for the application.

    5. In the Cato Management Application New Connector panel, click copy.png to copy the Cato redirect URL.

    6. In the ServiceNow application, in Redirect URL, paste the URL.

    7. (Optional) In Logo URL, enter https://www.catonetworks.com/wp-content/uploads/2022/03/cato-logo.svg to show the Cato logo for the application.

      Note: It is not necessary to configure the settings for any of the other fields in the new ServiceNow application.

    8. Click Submit. The ServiceNow OAuth application is created.

  6. For step 4, in the ServiceNow console, click the new OAuth application to open it.

    1. Copy and paste the following OAuth application fields to the Cato connector in the Cato Management Application:

      • Client ID

      • Client Secret

  7. In the Cato Management Application, click Save.

    A ServiceNow permissions screen opens in a new browser tab.

  8. Give permissions for your Cato account to access the ServiceNow app.

    1. Click Allow to allow Cato to access the ServiceNow app.

    2. The screen shows that you have successfully applied the permissions for the instance.


      You can close the browser tab and return to the Cato Management Application. It can take ServiceNow several seconds to process the request, so if you receive an error, refresh the browser.

      While ServiceNow is processing the request, the Status for the connector is Pending user consent (see below Understanding the Connector Status).

  9. The ServiceNow SaaS application is added to the Installed SaaS Applications page.


Understanding the Connector Status

The Status column on the Installed SaaS Applications page shows the status of the connection between the ServiceNow app and your Cato account. These are the explanations of the statuses:

  • Connected - Your account is connected to the app and working correctly

  • Connection warning - There is a temporary issue related to polling data from the ServiceNow instance. Please open a ticket with Support.

  • Connection error - Connectivity or permissions issue with the ServiceNow connector. Please open a ticket with Support.

  • Pending user consent - The ServiceNow connector is created in the Connect Settings screen, but you haven't completed the process to authorize Cato to connect to your ServiceNow account.

Adding ServiceNow Rules to the Data Protection Policy

This section explains how to use the Data Protection policy to monitor cases managed by ServiceNow.

Configuring ServiceNow Rules

Use the Data Protection screen to add the SaaS application rules in your Data Protection policy.

Create a Data Protection rule to define the traffic that is scanned by SaaS Security API. Create separate rules for each SaaS app connector, and then define the criteria that determine which traffic is scanned.

You can choose to monitor the content of fields and/or attachments in the ServiceNow instance.

For more information about the ServiceNow rule settings, see below Understanding the ServiceNow Rules.


To create a new Data Protection rule for the ServiceNow app connector:

  1. From the navigation pane, select Security > SaaS Security API and select or expand Data Protection.

  2. Click New. The New Rule panel opens.

  3. In the Application Connector section, select the ServiceNow app connector.

  4. In the General section, enter the settings for the rule.

  5. In the Objects section, define the ServiceNow tables that are monitored (default value is Any).

    When you select multiple objects, there is an OR relationship between them.

  6. In Content Profile, select the DLP Content Profile for this rule.

    For more about DLP Content Profiles, see Creating DLP Content Profiles.

  7. (Optional) Define the tracking options for the rules to generate events and email notifications.

    For more information about events and email notifications, see Working with Mailing Lists.

  8. Click Save. The rule is added to the Data Protection policy.

Understanding the ServiceNow Rules

This section explains how to define the settings for the Data Protection rules to scan the ServiceNow attachments or tables. Each rule can be defined according to the following criteria:

  • Objects - Select one or more of the following ServiceNow tables that the rule monitors

    • SC task

    • Change phase

    • Change request

    • Change task

    • Release tasks

    • Sysapproval group

    • Change request imac

    • Incident

    • Incident task

    • KB submission

    • KB knowledge

    • Problem

    • Problem task

    • Release phase

    • SC request

    • SC REQ item

    • Task

    • Ticket

  • Content Profile - DLP Content Profile that defines the DLP content inspection

    You can create or edit Content Profiles in Security > DLP Configuration > Content Profile

  • Actions - Select if you want to generate an event or email notification when the rule is matched

Working with Ordered Data Protection Rules

The SaaS Security API engine inspects the data sequentially, and checks to see if it matches a rule. If the data does not match a rule, then it is not inspected. Rules that are at the top of the rulebase have a higher priority and they are applied before the rules lower down in the rulebase. Each type of application or connector is only applied to the data once.

Best Practice - To maximize the efficiency of your rulebase, we recommend that for each connector type, rules for specific users have a higher priority than rules that apply to Any users.

For example, if the data matches a connector in rule #2, the data is inspected by the SaaS Security API engine. The engine does not continue to apply rules #3 and below for the same connector. However, the data could match a lower priority rule with a different connector.
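The following simulation, an added example and not Cato's code, models the evaluation order described above (top-down, each connector applied to an item of data at most once) and flags a rulebase that violates the best practice by placing an Any-user rule above a user-specific rule for the same connector. The rule fields, connector names and user names are constructed for illustration and are not Cato's rule schema.

```python
"""Rule-ordering simulation for the Data Protection rulebase (added example, not Cato's code).
Models the behaviour described above: rules are evaluated top-down, and each connector is
applied to an item of data at most once, so the first matching rule for that connector
wins. Rule fields, connector and user names are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    connector: str                 # SaaS app connector the rule is bound to
    users: Optional[frozenset]     # None means the rule applies to Any user
    content_profile: str


@dataclass(frozen=True)
class Data:
    connector: str   # connector the scanned record or attachment came from
    owner: str       # owner username, as in the Owner event field


def first_match(rules, data):
    """Return the first rule whose connector and user scope match the data, else None."""
    for rule in rules:                          # top of the rulebase first
        if rule.connector != data.connector:
            continue                            # rules for other connectors are skipped
        if rule.users is None or data.owner in rule.users:
            return rule                         # the connector is not applied again below
    return None


def shadowed_rules(rules):
    """Names of specific-user rules placed below an Any-user rule for the same connector."""
    any_seen, shadowed = set(), []
    for rule in rules:
        if rule.users is None:
            any_seen.add(rule.connector)
        elif rule.connector in any_seen:
            shadowed.append(rule.name)
    return shadowed


# Constructed rulebase that violates the best practice: Any-user rule above the user-specific one.
RULEBASE = [
    Rule("SN all users", "ServiceNow", None, "Baseline profile"),
    Rule("SN finance team", "ServiceNow", frozenset({"alice"}), "Strict profile"),
    Rule("OtherApp all users", "OtherApp", None, "Baseline profile"),
]
```

With this ordering, data owned by alice is matched by "SN all users" and the stricter "SN finance team" rule never fires; swapping the two ServiceNow rules resolves it.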

Analyzing SaaS Security API Events

The Monitoring > Events screen shows all the SaaS Security API events for your account. The search tools let you drill down and identify the events that contain the data you need.

SaaS Security API events can be identified by the following fields:

  • Event Type - Security

  • Sub-Type - SaaS Security API Data Protection and SaaS Security API Anti Malware

You can learn more about using the Events page here. You can use the SaaS Security API Data Protection preset to filter the events.

Explaining the SaaS Security API Events Fields

Field Name           Description
Connector Name       Name for the connector that is defined for the rule
Connector Type       SaaS app that is defined for this connector
DLP Profile          DLP Content Profile that generated this event
File Name            Name of the attached file
Full Path URL        Full URL of the file, table record, or attachment that generated this event
Matched Data Types   Data Types in the Content Profile that matched the rule
Object Name          Data for the ServiceNow object that generated the event:
                       • For tables, in the format <table name>/<item number>
                       • For attachments, shows the name of the relevant table record
Object Type          Table record
Owner                Owner username
Rule                 Name of the rule in the Data Protection policy
Severity             Severity defined for the rule

Known Limitations for the ServiceNow Connector

  • Comments and work notes aren't supported
