Configuring the SaaS Security API Connector for ServiceNow

This article explains how to configure the ServiceNow connector for the SaaS Security API policy for your account and create rules that use this connector in the Threat Protection and Data Protection Policy.

The SaaS Security API policy requires a separate Cato license. Please contact your Cato representative or official reseller for more information.

Overview of the ServiceNow Connector

Create the connector for the ServiceNow instance for your organization. Then define rules in the SaaS Security API Threat Protection and Data Protection policies that include the ServiceNow connector and define the objects that are scanned and inspected. You can create a single ServiceNow connector for each instance.

Prerequisites

  • The ServiceNow connector requires an admin with the global admin role to give permissions to Cato's SaaS Security API

  • The Application scope is set to global

Required Permissions for the API Connectors for ServiceNow

To enable Cato's SaaS Security API to scan table records and attachments in your ServiceNow account, the connector gives Cato the following permissions and actions with the ServiceNow app:

  • Grant access to the app using OAuth2

  • Receive a token from the app to establish and maintain a secure connection

  • Connect to the ServiceNow APIs and scan data and tables according to the SaaS Security API Data Protection policy

Working with ServiceNow Connectors

This section explains how to set the correct ServiceNow permissions, create API connectors for ServiceNow, and connect your organization's ServiceNow instance to your Cato account.

Note: Make sure that you don't have ACL, IP ACL, business rules, or data policies that impact the ability of Cato to connect to your ServiceNow instance.

Required ServiceNow Tables and Roles

When the ServiceNow admin creates the Cato connector, the admin account needs to have the correct permissions for the tables and roles. The list below shows the ServiceNow tables that Cato requires permission to access.

The minimum required permission is the ITIL role, but we recommend that you define the tables with the admin role.

  • change_phase

  • change_request

  • change_request_imac

  • change_task

  • cmdb

  • incident

  • incident_task

  • kb_knowledge

  • kb_submission

  • problem

  • problem_task

  • release_phase

  • release_task

  • sc_req_item

  • sc_request

  • sc_task

  • sn_hr_core_beneficiary

  • sn_hr_core_benefit

  • sn_hr_core_benefit_provider

  • sn_hr_core_benefit_type

  • sn_hr_core_bonus

  • sn_hr_core_case

  • sn_hr_core_case_operations

  • sn_hr_core_case_payroll

  • sn_hr_core_case_relations

  • sn_hr_core_case_talent_management

  • sn_hr_core_case_total_rewards

  • sn_hr_core_case_workforce_admin

  • sn_hr_core_direct_deposit

  • sn_hr_core_op_report

  • sn_hr_core_op_report_frequency

  • sn_hr_core_op_report_type

  • sn_hr_core_op_system

  • sn_hr_core_op_system_to_report_type

  • sn_hr_core_profile_bank_account

  • sn_hr_core_retirement_benefit

  • sn_hr_core_task

  • sn_hr_core_tuition_reimbursement

  • sn_si_incident

  • sn_si_request

  • sn_si_task

  • sys_attachment

  • sysapproval_group

  • sysevent

  • task

  • ticket

Setting Permissions for ServiceNow Tables

Set the table permissions in your ServiceNow instance to allow the Cato connector to monitor tables and data.

To set the ServiceNow table permissions:

  1. Log in to the ServiceNow console, and from the navigation menu search for System Definition and select Tables.

  2. Search for the Name of one of the tables, and click the table in the search result.

    [Screenshot: example of searching for the problem table]

  3. In the table settings, click the Application Access tab and make sure that Allow access to this table via web services is selected.

  4. Click Update.

  5. Repeat steps 2-4 for all the tables listed above in Required ServiceNow Tables and Roles.
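One way to confirm steps 2-4 across every table without opening each one, as an added example (not Cato or ServiceNow code): it builds a ServiceNow Table API query against the sys_db_object dictionary table and audits the response. It assumes the Allow access to this table via web services checkbox is stored in the ws_access column and that the querying account can read sys_db_object; the sample response is constructed.

```python
import json
from urllib.parse import urlencode

# The tables listed in "Required ServiceNow Tables and Roles" on this page.
REQUIRED_TABLES = """
change_phase change_request change_request_imac change_task cmdb incident
incident_task kb_knowledge kb_submission problem problem_task release_phase
release_task sc_req_item sc_request sc_task sn_hr_core_beneficiary
sn_hr_core_benefit sn_hr_core_benefit_provider sn_hr_core_benefit_type
sn_hr_core_bonus sn_hr_core_case sn_hr_core_case_operations
sn_hr_core_case_payroll sn_hr_core_case_relations
sn_hr_core_case_talent_management sn_hr_core_case_total_rewards
sn_hr_core_case_workforce_admin sn_hr_core_direct_deposit sn_hr_core_op_report
sn_hr_core_op_report_frequency sn_hr_core_op_report_type sn_hr_core_op_system
sn_hr_core_op_system_to_report_type sn_hr_core_profile_bank_account
sn_hr_core_retirement_benefit sn_hr_core_task sn_hr_core_tuition_reimbursement
sn_si_incident sn_si_request sn_si_task sys_attachment sysapproval_group
sysevent task ticket
""".split()

def build_query_url(base_url, tables):
    """Table API URL returning each table's name and web-service flag.
    Assumption: the checkbox is stored in sys_db_object.ws_access."""
    params = {
        "sysparm_query": "nameIN" + ",".join(tables),
        "sysparm_fields": "name,ws_access",
    }
    return base_url.rstrip("/") + "/api/now/table/sys_db_object?" + urlencode(params)

def audit_ws_access(response_text, tables):
    """Return (blocked, missing): tables with web-service access cleared,
    and tables the instance did not return at all."""
    rows = json.loads(response_text).get("result", [])
    # The Table API returns booleans as the strings "true" / "false".
    enabled = {r["name"]: str(r.get("ws_access")).lower() == "true" for r in rows}
    blocked = sorted(t for t in tables if t in enabled and not enabled[t])
    missing = sorted(t for t in tables if t not in enabled)
    return blocked, missing

# Constructed sample response for three tables (not real instance output).
SAMPLE_RESPONSE = json.dumps({"result": [
    {"name": "incident", "ws_access": "true"},
    {"name": "problem", "ws_access": "false"},
    {"name": "sys_attachment", "ws_access": "true"},
]})

if __name__ == "__main__":
    print(build_query_url("https://sample.service-now.com", REQUIRED_TABLES))
    blocked, missing = audit_ws_access(
        SAMPLE_RESPONSE, ["incident", "problem", "sn_si_incident"])
    print("web-service access cleared:", blocked)
    print("not returned by the instance:", missing)
```

A table reported as not returned is either absent from the instance or not readable by the account that ran the query, so check it by hand in System Definition > Tables.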

Creating the ServiceNow Connector

When you create the ServiceNow connector, copy the base URL for your ServiceNow instance, and paste it in the new Cato connector.

Note: The base URL is the protocol, instance ID, and domain name, without the path. For example, https://sample.service-now.com is the base URL for https://sample.service-now.com/now/nav.ui.classic.params

Then in the ServiceNow console, create a new OAuth application, and paste the Cato Redirect URL. You can also add the Cato logo to the application.

The Refresh Token Lifespan defines the length of time the SaaS Security API connector has permission to scan ServiceNow data. For maximum security, we recommend you update this value from the default 8,640,000 seconds (100 days) to 31,536,000 seconds (1 year). This ensures the SaaS Security API connector has continued access to ServiceNow data. Within 14 days of the expiration of the Refresh Token Lifespan, a warning is displayed in the Cato Management Application, on the Assets > Integrations page. To ensure the SaaS Security API connector has continued access to the ServiceNow data, provide re-consent.

After the new OAuth application is created, copy the ServiceNow Client ID and Client Secret and paste these values in the connector. Finally, save the ServiceNow connector in the Cato Management Application and Cato is now ready to monitor ServiceNow objects and tables.

Note: The Cato connector creates several ServiceNow Business Rules that are used to monitor the tables. Don't delete any Business Rule with the prefix cato. For more information, see ServiceNow documentation.

To create the connector for ServiceNow:

  1. From the navigation pane, select Assets > Integrations and click the Installed SaaS Applications tab.

  2. Click New. The New Connector panel opens.

  3. For step 1, in SaaS Application select ServiceNow.

  4. For step 2, configure these connector settings:

    1. Enter the Connector Name.

    2. From the ServiceNow console, copy the base URL, and paste it in ServiceNow base URL.

  5. For step 3, configure the new ServiceNow OAuth application:

    1. Log in to the ServiceNow console.

    2. Navigate to System OAuth > Application Registry, and click New.

    3. Click Create an OAuth API endpoint for external clients.

      The new OAuth application opens.

    4. Enter the Name for the application.

    5. Make sure that the Public Client option is cleared.

    6. In the Cato Management Application New Connector panel, click the copy icon to copy the Cato redirect URL.

    7. In the ServiceNow application, in Redirect URL, paste the URL.

    8. (Optional) In Logo URL, enter https://www.catonetworks.com/wp-content/uploads/2022/03/cato-logo.svg to show the Cato logo for the application.

      Note: It is not necessary to configure the settings for any of the other fields in the new ServiceNow application.

    9. (Recommended) Update the Refresh Token Lifespan to 31,536,000 seconds.

    10. Click Submit. The ServiceNow OAuth application is created.

  6. For step 4, in the ServiceNow console, click the new OAuth application to open it.

    1. Copy and paste the following OAuth application fields to the Cato connector in the Cato Management Application:

      • Client ID

      • Client Secret

  7. In the Cato Management Application, click Save.

    A ServiceNow permissions screen opens in a new browser tab.

  8. Give permissions for your Cato account to access the ServiceNow app.

    1. Click Allow to allow Cato to access the ServiceNow app.

    2. The screen shows that you have successfully applied the permissions for the instance.

      You can close the browser tab and return to the Cato Management Application. It can take ServiceNow several seconds to process the request, so if you receive an error, refresh the browser.

      While ServiceNow is processing the request, the Status for the connector is Pending user consent (see below Understanding the Connector Status).

  9. The ServiceNow SaaS application is added to the Installed SaaS Applications page.

Providing Re-Consent to the SaaS Security API Connector

You need to proactively provide re-consent for the SaaS Security API connector to access ServiceNow data before the token expires. If the token expires before you provide re-consent, the SaaS Security API connector does not have access to ServiceNow data until you provide re-consent in the Cato Management Application.

To provide re-consent to the SaaS Security API connector:

  1. From the navigation pane, select Assets > Integrations and select the Installed SaaS Applications tab.

  2. Click the three dots next to the ServiceNow connector.

  3. Click Reconsent.

Understanding the Connector Status

The Status column on the Installed SaaS Applications page shows the status of the connection between the ServiceNow app and your Cato account. These are the explanations of the statuses:

  • Connected - Your account is connected to the app and working correctly

  • Connection warning - There is a temporary issue related to polling data from the ServiceNow instance. This could be because the Refresh Token is expiring in 14 days or less. To resolve this issue, provide re-consent for the SaaS Security API connector to access ServiceNow data. If this does not solve the issue, please open a ticket with Support.

  • Connection error - Connectivity or permissions issue with the ServiceNow connector. Please open a ticket with Support.

  • Pending user consent - The ServiceNow connector is created in the Connect Settings screen, but you haven't completed the process to authorize Cato to connect to your ServiceNow account.

Adding ServiceNow Rules to the Data Protection Policy

This section explains how to use the Data Protection policy to monitor cases managed by ServiceNow.

Configuring ServiceNow Rules

Use the Data Protection page to add the SaaS application rules in your Data Protection policy.

Create a Data Protection rule to define the traffic that is scanned by SaaS Security API. Create separate rules for each SaaS app connector, and then define the criteria that determine which traffic is scanned.

You can choose to monitor the content of fields and/or attachments in the ServiceNow instance.

For more information about the ServiceNow rule settings, see below Understanding the ServiceNow Rules.

To create a new Data Protection rule for the ServiceNow app connector:

  1. From the navigation pane, select Security > SaaS Security API and select or expand Data Protection.

  2. Click New. The New Rule panel opens.

  3. In the Application Connector section, select the ServiceNow app connector.

  4. In the General section, enter the settings for the rule.

  5. In the Objects section, define the ServiceNow tables that are monitored (default value is Any).

    When you select multiple objects, there is an OR relationship between them.

  6. In Content Profile, select the DLP Content Profile for this rule.

    For more about DLP Content Profiles, see Creating DLP Content Profiles.

  7. (Optional) Configure tracking options to generate Events and Send Notifications.

    For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.

  8. Click Save. The rule is added to the Data Protection policy.

Understanding the ServiceNow Rules

This section explains how to define the settings for the Data Protection rules to scan the ServiceNow attachments or tables. Each rule can be defined according to the following criteria:

  • Objects - Select one or more of the following ServiceNow tables that the rule monitors

    • SC task

    • Change phase

    • Change request

    • Change task

    • Release tasks

    • Sysapproval group

    • Change request imac

    • Incident

    • Incident task

    • KB submission

    • KB knowledge

    • Problem

    • Problem task

    • Release phase

    • SC request

    • SC REQ item

    • Task

    • Ticket

  • Content Profile - DLP Content Profile that defines the DLP content inspection

    You can create or edit Content Profiles in Security > DLP Configuration > Content Profile

  • Actions - Select if you want to generate an event or send a notification when the rule is matched

Working with Ordered Data Protection Rules

The SaaS Security API engine inspects the data sequentially, and checks to see if it matches a rule. If the data does not match a rule, then it is not inspected. Rules that are at the top of the rulebase have a higher priority and they are applied before the rules lower down in the rulebase. Each type of application or connector is only applied to the data once.

Best Practice - To maximize the efficiency of your rulebase, we recommend that for each connector type, rules for specific users have a higher priority than rules that apply to Any users.

For example, if the data matches a connector in rule #2, the data is inspected by the SaaS Security API engine. The engine does not continue to apply rules #3 and below for the same connector. However, the data could match a lower priority rule with a different connector.
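The first-match behavior described above, as an added example (a simplified model, not Cato's engine): it evaluates an ordered rulebase per connector and reports rules that can never match because a higher rule for the same connector already covers them. The rule names, the users criterion, and the sample rulebase are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # a criterion left at its default value "Any"

@dataclass(frozen=True)
class Rule:
    name: str
    connector: str
    objects: Optional[frozenset] = ANY  # ServiceNow tables the rule monitors
    users: Optional[frozenset] = ANY    # assumed criterion for this model

def covers(broad, narrow):
    """True when criterion `broad` matches everything `narrow` matches."""
    return broad is ANY or (narrow is not ANY and narrow <= broad)

def first_match(rules, connector, obj, user):
    """Walk the rulebase top-down; the first matching rule for the connector wins."""
    for rule in rules:
        if (rule.connector == connector
                and (rule.objects is ANY or obj in rule.objects)
                and (rule.users is ANY or user in rule.users)):
            return rule.name
    return None  # no rule matched: the data is not inspected

def shadowed_rules(rules):
    """Pairs (rule, higher rule) where the higher rule always matches first."""
    found = []
    for i, low in enumerate(rules):
        for high in rules[:i]:
            if (high.connector == low.connector
                    and covers(high.objects, low.objects)
                    and covers(high.users, low.users)):
                found.append((low.name, high.name))
                break
    return found

# Constructed rulebase, highest priority first.
RULEBASE = [
    Rule("incidents-alice", "ServiceNow", frozenset({"incident"}), frozenset({"alice"})),
    Rule("all-servicenow", "ServiceNow"),
    Rule("kb-articles", "ServiceNow", frozenset({"kb_knowledge"})),  # never reached
    Rule("all-onedrive", "OneDrive"),
]

if __name__ == "__main__":
    print(first_match(RULEBASE, "ServiceNow", "incident", "alice"))
    print(first_match(RULEBASE, "ServiceNow", "kb_knowledge", "bob"))
    print(first_match(RULEBASE, "OneDrive", "report.docx", "bob"))
    print(shadowed_rules(RULEBASE))
```

Moving kb-articles above all-servicenow removes it from the shadowed list, which is the ordering the Best Practice recommends.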

Adding Threat Protection to the Connector

You can create Threat Protection rules for the connector to scan files and attachments for malware and viruses using the Anti-Malware and Next Gen Anti-Malware engines that are enabled for your account. The SaaS Security API engine scans the connector traffic and applies the action and tracking options that you configure for the rule:

  • Monitor the traffic (block will be supported soon)

  • Generate events

  • Send email notifications

When you create a SaaS Security API Threat Protection rule, the Anti-Malware engines that are enabled for your account (Security > Anti-Malware) perform malware scans on the files that are sent for that connector application.

[Screenshot: a Threat Protection rule for the OneDrive connector that scans files sent by Internal users or Guests]

Creating an Exception for a File

Sometimes a file that you know is safe is blocked by Cato's SaaS Security API engines, and you need to allow it in the network. The Events page lets you use the file hash to create exceptions that bypass the Threat Protection scans. After you open an event for the specific file that was blocked, click the file hash to open the Exception Configuration panel and add the file as an exception for the account. You can choose the time duration for the file exception, or configure the exception to last forever.

File Exceptions for Anti-Malware and SaaS Security API

File exceptions apply across the Anti-Malware and SaaS Security API Threat Protection policies. When you create exceptions from Anti-Malware and NG Anti-Malware events, these exceptions also apply to the SaaS Security API Threat Protection policy. Similarly, when you create file exceptions from SaaS Security API Anti-Malware events, the exceptions also apply to the Anti-Malware policy. The full file exception list is shown on both the Anti-Malware page and the SaaS Security API Threat Protection page.

To create an exception for a file:

  1. From the navigation menu, select Monitoring > Events.

  2. Filter for the event using the Sub-Type of SaaS Security API Anti Malware.

  3. From the Time column, expand the event.

  4. In the event, click the File Hash link.

    The Exception Configuration panel opens.

  5. From the Duration drop-down menu, select how long the file is excluded from the Anti-Malware and NG Anti-Malware engines.

    To create a permanent exception, select Forever.

  6. Click Apply.

    The exception is created and added to the File Exceptions section in the Threat Protection tab, and in the Anti-Malware page.

Removing a File Exception

Remove an exception for the Threat Protection policy when it is no longer necessary.

To remove file exceptions for the Threat Protection policy:

  1. From the navigation menu, click Security > SaaS Security API.

  2. Select the Threat Protection tab.

  3. In the File Exceptions section, click the delete icon for the exception you want to remove.

  4. Click Save.

    The exception is removed.

Analyzing SaaS Security API Events

The Monitoring > Events screen shows all the SaaS Security API events for your account. The powerful search tools let you drill down and identify the few events that contain the relevant data that you need.

SaaS Security API events can be identified by the following fields:

  • Event Type - Security

  • Sub-Type - SaaS Security API Data Protection and SaaS Security API Anti Malware

You can learn more about using the Events screen here. You can use the SaaS Security API Data Protection preset to filter the events.

Explaining the SaaS Security API Events Fields

  • Connector Name - Name for the connector that is defined for the rule

  • Connector Type - SaaS app that is defined for this connector

  • DLP Profile - DLP Content Profile that generated this event

  • File Name - Name of the attached file

  • Full Path URL - Full URL of the file, table record, or attachment that generated this event

  • Matched Data Types - Data Types in the Content Profile that matched the rule

  • Object Name - Data for the ServiceNow object that generated the event:

    • For tables, in the format <table name>/<item number>

    • For attachments, shows the name of the relevant table record

  • Object Type - Table record

  • Owner - Owner username

  • Rule - Name of the rule in the Data Protection policy

  • Severity - Severity defined for the rule

Known Limitations - Supported ServiceNow Tables

This section lists which ServiceNow tables are currently supported for the connector. Unsupported tables aren't monitored for sensitive data.

  • Comments and work notes aren't supported
