If you're having trouble at any stage please contact us at support@skyformation.com.
Preface
ServiceNow provides a broad set of IT service management (ITSM) services delivered as a cloud service. ServiceNow helps organizations move faster with infinite scalability and lower cost for their IT service management. But at the same time, the public cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit of activities in the ServiceNow account
- Retrieve the ServiceNow account activities such as users' access, permission changes, tickets opened/resolved, incidents updated, security changes and more.
- The granular activities should be available in the organization's central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations in the ServiceNow account
What is it
SkyFormation Cloud Connector for ServiceNow is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the ServiceNow account, unifies the events into a common application events format, enriches the events with the needed detection context and sends the events to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for ServiceNow retrieves the events from the ServiceNow service through the service APIs. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context such as AD identity information
- Encode the resulting event into a standard format such as CEF
- Send the event to the existing SIEM/SOC system over syslog
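The embed, enrich and encode steps above can be illustrated with a short sketch. This is an added example, not SkyFormation's code or its actual event format: the CEF header values, the `EVENT_MAP` table, the use of `cs1`/`cs2`, the meaning assigned to `parm1`/`parm2` and the sample record are all assumptions made for illustration. The part that matters for downstream parsing is the escaping, because unescaped `|`, `=` or line breaks in user-controlled fields corrupt the event in the SIEM.

```python
import json
from datetime import datetime, timezone

def esc_header(value):
    # CEF header fields: escape backslash first, then the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    # CEF extension values: escape backslash and '=', encode line breaks as \n.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n")

# Hypothetical mapping: sysevent name -> (CEF event name, severity, outcome).
EVENT_MAP = {
    "login": ("User login", 3, "success"),
    "login.failed": ("User login failed", 6, "failure"),
}

def to_cef(record, identity=None):
    name, severity, outcome = EVENT_MAP.get(
        record["name"], (record["name"], 1, "unknown"))
    # Assumes sys_created_on is UTC; CEF 'rt' takes epoch milliseconds.
    created = datetime.strptime(record["sys_created_on"], "%Y-%m-%d %H:%M:%S")
    ext = {
        "rt": int(created.replace(tzinfo=timezone.utc).timestamp() * 1000),
        "suser": record["parm1"],   # assumed: user name
        "src": record["parm2"],     # assumed: client IP
        "outcome": outcome,
        "cs1Label": "originEvent",  # origin event embedded as JSON
        "cs1": json.dumps(record, sort_keys=True),
    }
    if identity:  # enrichment, e.g. directory attributes for the user
        ext["cs2Label"] = "adDepartment"
        ext["cs2"] = identity.get("department", "")
    header = "|".join(esc_header(f) for f in (
        "ExampleVendor", "ServiceNow Connector", "1.0",
        record["name"], name, severity))
    body = " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{body}"

# Constructed sample record, not captured from a real instance.
SAMPLE = {"name": "login.failed", "parm1": "CORP\\jdoe",
          "parm2": "203.0.113.7", "sys_created_on": "2024-01-15 10:22:31"}

if __name__ == "__main__":
    print(to_cef(SAMPLE, identity={"department": "R&D=Lab"}))
```

The syslog transport step is left out; the returned string is the message body that would be sent.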
ServiceNow Audit Sources & Events Supported
Audit Source (API) | Service/Module Covered | Event Types | Events included |
---|---|---|---|
Event Logs | | sysevent table events | The event log records all system events that occur within the system, such as login success, login failed, logout, attachment downloaded, user impersonation, etc. |
System Audit | Users Management | sys_audit table events | User locked-out, unlocked, added, deleted, updated, activated, deactivated, etc. |
System Audit | Password Management | sys_audit table events | Password reset, changed, etc. |
System Audit | Resources Management | sys_audit table events | Resource created, deleted, updated, etc. |
System Audit Delete | Users Deletion | sys_audit_delete table | User deletion events |
System Audit Delete | Resource Deletion | sys_audit_delete table | Represents events related to deletion of resources in the system |
User | User Management | sys_user table | Represents user management events such as user profile edited, settings changed, etc. |
User | Password History | sys_user table | History for the password field of the user |
Roles | Role Management | sys_audit_role table | Represents changes to user roles. |
Transaction Log | Transaction Log | syslog_transaction table | Represents transaction activities such as resource viewed |
Report View | Reports Usage | | Represents events related to reports usage such as report run |
System Attachment | Attachment Management | sys_attachment table | Represents activities related to attachments such as attachment uploaded |