This article explains how to configure the ServiceNow connector for the SaaS Security API policy for your account and create rules that use this connector in the Threat Protection and Data Protection Policy.
The SaaS Security API policy requires a separate Cato license. Please contact your Cato representative or official reseller for more information.
Create the connector for the ServiceNow instance for your organization. Then define rules in the SaaS Security API Threat Protection and Data Protection policies that include the ServiceNow connector and define the objects that are scanned and inspected. You can create a single ServiceNow connector for each instance.
- The ServiceNow connector requires an admin with the global admin role to give permissions to Cato's SaaS Security API
- The Application scope is set to global
To enable Cato's SaaS Security API to scan table records and attachments in your ServiceNow account, the connector gives Cato the following permissions and actions with the ServiceNow app:
- Grant access to the app using OAuth2
- Receive a token from the app to establish and maintain a secure connection
- Connect to the ServiceNow APIs and scan data and tables according to the SaaS Security API Data Protection policy
This section explains how to set the correct ServiceNow permissions, create API connectors for ServiceNow, and connect your organization's ServiceNow instance to your Cato account.
Note: Make sure that you don't have ACL, IP ACL, business rules, or data policies that impact the ability of Cato to connect to your ServiceNow instance.
When the ServiceNow admin creates the Cato connector, the admin account needs to have the correct permissions for the tables and roles. The table below lists the ServiceNow tables that Cato requires permissions to access.
The minimum required permission is the ITIL role, but we recommend that you define the tables with the admin role.
change_phase | sn_hr_core_beneficiary | sn_hr_core_op_report_type |
change_request | sn_hr_core_benefit | sn_hr_core_op_system |
change_request_imac | sn_hr_core_benefit_provider | sn_hr_core_op_system_to_report_type |
change_task | sn_hr_core_benefit_type | sn_hr_core_profile_bank_account |
cmdb | sn_hr_core_bonus | sn_hr_core_retirement_benefit |
incident | sn_hr_core_case | sn_hr_core_task |
incident_task | sn_hr_core_case_operations | sn_hr_core_tuition_reimbursement |
kb_knowledge | sn_hr_core_case_payroll | sn_si_incident |
kb_submission | sn_hr_core_case_relations | sn_si_request |
problem | sn_hr_core_case_talent_management | sn_si_task |
problem_task | sn_hr_core_case_total_rewards | sys_attachment |
release_phase | sn_hr_core_case_workforce_admin | sysapproval_group |
release_task | sn_hr_core_direct_deposit | sysevent |
sc_req_item | sn_hr_core_op_report | task |
sc_request | sn_hr_core_op_report_frequency | ticket |
sc_task | | |
Set the table permissions in your ServiceNow instance to allow the Cato connector to monitor tables and data.
To set the ServiceNow table permissions:
1. Log in to the ServiceNow console, and from the navigation menu search for System Definition and select Tables.
2. Search for the Name of one of the tables, and click the table in the search result.
   This is an example of searching for the problem table.
3. In the table settings, click the Application Access tab and make sure that Allow access to this table via web services is selected.
4. Click Update.
5. Repeat steps 2-4 for all the tables listed above in Required ServiceNow Tables and Roles.
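To confirm the result of the procedure above across many tables at once, an admin can query the table definitions over the ServiceNow Table API and check the web-services flag. The following is an added example, not code from Cato or ServiceNow; it assumes the checkbox is stored in the `ws_access` column of `sys_db_object` (verify this in your instance), and it uses a shortened table list and a constructed response.

```python
import json
from urllib.parse import urlencode

# Subset of the tables listed above (shortened for the example; use the full list in practice).
REQUIRED_TABLES = ["incident", "problem", "change_request", "sys_attachment", "sn_si_incident"]

def build_audit_url(base_url, tables):
    """Table API query that returns the web-services flag for each named table."""
    params = urlencode({
        "sysparm_query": "nameIN" + ",".join(tables),
        "sysparm_fields": "name,ws_access",  # assumed column behind the checkbox
    })
    return f"{base_url.rstrip('/')}/api/now/table/sys_db_object?{params}"

def audit_ws_access(response_text, tables):
    """Split required tables into those with the flag off and those not in the instance."""
    rows = {r["name"]: str(r.get("ws_access", "")).lower() == "true"
            for r in json.loads(response_text)["result"]}
    return {
        "disabled": sorted(t for t in tables if t in rows and not rows[t]),
        "not_found": sorted(t for t in tables if t not in rows),
    }

# Constructed sample response (not captured from a real instance).
SAMPLE_RESPONSE = json.dumps({"result": [
    {"name": "incident", "ws_access": "true"},
    {"name": "problem", "ws_access": "false"},
    {"name": "change_request", "ws_access": "true"},
    {"name": "sys_attachment", "ws_access": "true"},
]})

if __name__ == "__main__":
    print(build_audit_url("https://sample.service-now.com", REQUIRED_TABLES))
    print(audit_ws_access(SAMPLE_RESPONSE, REQUIRED_TABLES))
```

Tables reported as `not_found` do not exist in the instance, so there is no Application Access setting to change for them.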
When you create the ServiceNow connector, copy the base URL for your ServiceNow instance, and paste it in the new Cato connector.
Note: The base URL is the protocol, instance ID, and domain name, without the path. For example, https://sample.service-now.com is the base URL for https://sample.service-now.com/now/nav.ui.classic.params
Then in the ServiceNow console, create a new OAuth application, and paste the Cato Redirect URL. You can also add the Cato logo to the application.
The Refresh Token Lifespan defines the length of time the SaaS Security API connector has permission to scan ServiceNow data. For maximum security, we recommend you update this value from the default 8,640,000 seconds (100 days) to 31,536,000 seconds (1 year). This ensures the SaaS Security API connector has continued access to ServiceNow data. Within 14 days of the expiration of the Refresh Token Lifespan, a warning is displayed in the Cato Management Application, on the Assets > Integrations page. To ensure the SaaS Security API connector has continued access to the ServiceNow data, provide re-consent.
After the new OAuth application is created, copy the ServiceNow Client ID and Client Secret and paste these values in the connector. Finally, save the ServiceNow connector in the Cato Management Application and Cato is now ready to monitor ServiceNow objects and tables.
Note: The Cato connector creates several ServiceNow Business Rules that are used to monitor the tables. Don't delete any Business Rule with the prefix cato. For more information, see ServiceNow documentation.
To create the connector for ServiceNow:
- From the navigation pane, select Assets > Integrations and click the Installed SaaS Applications tab.
- Click New. The New Connector panel opens.
- For step 1, in SaaS Application select ServiceNow.
- For step 2, configure these connector settings:
  - Enter the Connector Name.
  - From the ServiceNow console, copy the base URL, and paste it in ServiceNow base URL.
- For step 3, configure the new ServiceNow OAuth application:
  - Log in to the ServiceNow console.
  - Navigate to System OAuth > Application Registry, and click New.
  - Click Create an OAuth API endpoint for external clients.
    The new OAuth application opens.
  - Enter the Name for the application.
  - Make sure that the Public Client option is cleared.
  - In the Cato Management Application New Connector panel, click to copy the Cato redirect URL.
  - In the ServiceNow application, in Redirect URL, paste the URL.
  - (Optional) In Logo URL, enter https://www.catonetworks.com/wp-content/uploads/2022/03/cato-logo.svg to show the Cato logo for the application.
    Note: It is not necessary to configure the settings for any of the other fields in the new ServiceNow application.
  - (Recommended) Update the Refresh Token Lifespan to 31,536,000 seconds.
  - Click Submit. The ServiceNow OAuth application is created.
- For step 4, in the ServiceNow console, click the new OAuth application to open it.
  - Copy and paste the following OAuth application fields to the Cato connector in the Cato Management Application:
    - Client ID
    - Client Secret
- In the Cato Management Application, click Save.
  A ServiceNow permissions screen opens in a new browser tab.
- Give permissions for your Cato account to access the ServiceNow app.
  - Click Allow to allow Cato to access the ServiceNow app.
  - The screen shows that you have successfully applied the permissions for the instance.
    You can close the browser tab and return to the Cato Management Application. It can take ServiceNow several seconds to process the request, so if you receive an error, refresh the browser.
    While ServiceNow is processing the request, the Status for the connector is Pending user consent (see below Understanding the Connector Status).
- The ServiceNow SaaS application is added to the Installed SaaS Applications page.
You need to proactively provide re-consent for the SaaS Security API connector to access ServiceNow data before the token expires. If the token expires before you provide re-consent, the SaaS Security API connector does not have access to ServiceNow data until you provide re-consent in the Cato Management Application.
The Status column on the Installed SaaS Applications page shows the status of the connection between the ServiceNow app and your Cato account. These are the explanations of the statuses:
- Connected - Your account is connected to the app and working correctly
- Connection warning - There is a temporary issue related to polling data from the ServiceNow instance. This could be because the Refresh Token is expiring in 14 days or less. To resolve this issue, provide re-consent for the SaaS Security API connector to access ServiceNow data. If this does not solve the issue, please open a ticket with Support.
- Connection error - Connectivity or permissions issue with the ServiceNow connector. Please open a ticket with Support.
- Pending user consent - The ServiceNow connector is created in the Connect Settings screen, however, you haven't completed the process to authorize Cato to connect to your ServiceNow account.
This section explains how to use the Data Protection policy to monitor cases managed by ServiceNow.
Use the Data Protection page to add the SaaS application rules in your Data Protection policy.
Create a Data Protection rule to define the traffic that is scanned by SaaS Security API. Create separate rules for each SaaS app connector, and then define the criteria that determine which traffic is scanned.
You can choose to monitor the content of fields and/or attachments in the ServiceNow instance.
For more information about the ServiceNow rule settings, see below Understanding the ServiceNow Rules.
To create a new Data Protection rule for the ServiceNow app connector:
- From the navigation pane, select Security > SaaS Security API and select or expand Data Protection.
- Click New. The New Rule panel opens.
- In the Application Connector section, select the ServiceNow app connector.
- In the General section, enter the settings for the rule.
- In the Objects section, define the ServiceNow tables that are monitored (default value is Any).
  When you select multiple objects, there is an OR relationship between them.
- In Content Profile, select the DLP Content Profile for this rule.
  For more about DLP Content Profiles, see Creating DLP Content Profiles.
- (Optional) Configure tracking options to generate Events and Send Notifications.
  For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.
- Click Save. The rule is added to the Data Protection policy.
This section explains how to define the settings for the Data Protection rules to scan the ServiceNow attachments or tables. Each rule can be defined according to the following criteria:
- Objects - Select one or more of the following ServiceNow tables that the rule monitors
  - SC task
  - Change phase
  - Change request
  - Change task
  - Release tasks
  - Sysapproval group
  - Change request imac
  - Incident
  - Incident task
  - KB submission
  - KB knowledge
  - Problem
  - Problem task
  - Release phase
  - SC request
  - SC REQ item
  - Task
  - Ticket
- Content Profile - DLP Content Profile that defines the DLP content inspection
  You can create or edit Content Profiles in Security > DLP Configuration > Content Profile
- Actions - Select if you want to generate an event or send a notification when the rule is matched
The SaaS Security API engine inspects the data sequentially, and checks to see if it matches a rule. If the data does not match a rule, then it is not inspected. Rules that are at the top of the rulebase have a higher priority and they are applied before the rules lower down in the rulebase. Each type of application or connector is only applied to the data once.
Best Practice - To maximize the efficiency of your rulebase, we recommend that for each connector type, rules for specific users have a higher priority than rules that apply to Any users.
For example, if the data matches a connector in rule #2, the data is inspected by the SaaS Security API engine. The engine does not continue to apply rules #3 and below for the same connector. However, the data could match a lower priority rule with a different connector.
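The ordering behavior described above means that a rule placed below a broader rule for the same connector never matches. The following added example (not Cato's code) models that first-match-per-connector evaluation and flags such shadowed rules; it assumes a rule matches on connector and Objects only, and the `Rule` class, rule names, and rulebase are constructed for illustration.

```python
from dataclasses import dataclass

ANY = frozenset({"Any"})  # default Objects value on this page

@dataclass(frozen=True)
class Rule:
    name: str
    connector: str
    objects: frozenset = ANY  # tables the rule monitors

def first_match(rulebase, connector, table):
    """Walk the rulebase top-down; the first rule for this connector that covers the table wins."""
    for rule in rulebase:
        if rule.connector == connector and (rule.objects == ANY or table in rule.objects):
            return rule.name
    return None  # no rule matched: the record is not inspected

def shadowed_rules(rulebase):
    """Names of rules that can never match: higher rules for the same
    connector already claim every object they list."""
    claimed = {}  # connector -> objects claimed by higher-priority rules
    shadowed = []
    for rule in rulebase:
        seen = claimed.setdefault(rule.connector, set())
        if "Any" in seen or (rule.objects != ANY and rule.objects <= seen):
            shadowed.append(rule.name)
        seen |= rule.objects
    return shadowed

# Constructed rulebase, highest priority first.
RULEBASE = [
    Rule("Incident PII", "ServiceNow", frozenset({"Incident", "Incident task"})),
    Rule("OneDrive files", "OneDrive"),
    Rule("ServiceNow catch-all", "ServiceNow"),
    Rule("Problem records", "ServiceNow", frozenset({"Problem"})),
]

if __name__ == "__main__":
    print(first_match(RULEBASE, "ServiceNow", "Problem"))
    print(shadowed_rules(RULEBASE))
```

Here the Problem records rule sits below the catch-all for the same connector, so its Content Profile is never applied; moving it above the catch-all restores it.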
You can create Threat Protection rules for the connector to scan files and attachments for malware and viruses using the Anti-Malware and Next Gen Anti-Malware engines that are enabled for your account. The SaaS Security API engine scans the connector traffic and applies the action and tracking options that you configure for the rule:
- Monitor the traffic (block will be supported soon)
- Generate events
- Send email notifications
When you create a SaaS Security API Threat Protection rule, the Anti-Malware engines that are enabled for your account (Security > Anti-Malware) perform malware scans on the files that are sent for that connector application.
The following screenshot shows a Threat Protection rule for the OneDrive connector that scans files sent by Internal users or Guests:
Sometimes a file that you know is safe is blocked by Cato's SaaS Security API engines, and you need to allow it in the network. The Events page lets you use the file hash to create exceptions that bypass the Threat Protection scans. After you open an event for the specific file that was blocked, click the file hash to open the Exception Configuration panel and add the file as an exception for the account. You can choose the time duration for the file exception, or configure the exception to last forever.
File Exceptions for Anti-Malware and SaaS Security API
File exceptions apply across the Anti-Malware and SaaS Security API Threat Protection policies. When you create exceptions from Anti-Malware and NG Anti-Malware events, these exceptions also apply to the SaaS Security API Threat Protection policy. Similarly, when you create file exceptions from SaaS Security API Anti-Malware events, the exceptions also apply to the Anti-Malware policy. The full file exception list is shown on both the Anti-Malware page and the SaaS Security API Threat Protection page.
To create an exception for a file:
- From the navigation menu, select Monitoring > Events.
- Filter for the event using the Sub-Type of SaaS Security API Anti Malware.
- From the Time column, expand the event.
- In the event, click the File Hash link.
  The Exception Configuration panel opens.
- From the Duration drop-down menu, select how long the file is excluded from the Anti-Malware and NG Anti-Malware engines.
  To create a permanent exception, select Forever.
- Click Apply.
  The exception is created and added to the File Exceptions section in the Threat Protection tab, and in the Anti-Malware page.
Remove an exception for the Threat Protection policy when it is no longer necessary.
The Monitoring > Events screen shows all the SaaS Security API events for your account. The powerful search tools let you drill down and identify the few events that contain the relevant data that you need.
SaaS Security API events can be identified by the following fields:
- Event Type - Security
- Sub-Type - SaaS Security API Data Protection and SaaS Security API Anti Malware
You can learn more about using the Events screen here. You can use the SaaS Security API Data Protection preset to filter the events.
Field Name | Description |
---|---|
Connector Name | Name for the connector that is defined for the rule |
Connector Type | SaaS app that is defined for this connector |
DLP Profile | DLP Content Profile that generated this event |
File Name | Name of the attached file |
Full Path URL | Full URL of the file, table record, or attachment that generated this event |
Matched Data Types | Data Types in the Content Profile that matched the rule |
Object Name | Data for the ServiceNow object that generated the event: |
Object Type | Table record |
Owner | Owner username |
Rule | Name of the rule in the Data Protection policy |
Severity | Severity defined for the rule |