ServiceNow provides a broad set of IT service management (ITSM) services delivered as a cloud service. ServiceNow helps organizations move faster with infinite scalability and lower cost for their IT service management. But at the same time, the public cloud Software as a Service (SaaS) model presents the organization with new security challenges.
The main challenges and needs are to:
- Get and retain a full audit of activities in the ServiceNow account
  - Retrieve the ServiceNow account activities such as user access, permission changes, tickets opened/resolved, incidents updated, security changes and more.
  - The granular activities should be available in the organization's central log or event management system for compliance, investigation or forensic needs.
- Detect security threats and policy violations in the ServiceNow account
What is it
SkyFormation Cloud Connector for ServiceNow is part of the SkyFormation Cloud Connectors module. It continuously ingests audit events from multiple audit sources in the ServiceNow account, unifies the events into a common application events format, enriches the events with the needed detection context and sends the events to any existing SIEM/SOC system.
How it works
SkyFormation Cloud Connector for ServiceNow retrieves the events from the ServiceNow service through the service APIs. Before sending the events to the existing SIEM/SOC system, the connector will:
- Unify the events into the SkyFormation unified application events format
- Embed the origin event into the SkyFormation event
- Complement the event with missing information
- Enrich the event with detection context such as AD identity information
- Encode the resulting event into a standard format such as CEF
- Send the event to the existing SIEM/SOC system over syslog
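The unify, embed, enrich and encode steps above can be sketched as follows. This is an added example, not SkyFormation's code or event format: the field mapping, the vendor/product strings, the severity scale, the `AD_CONTEXT` lookup and the sample row are all assumptions made for illustration. It shows why CEF escaping matters when the origin event is embedded verbatim.

```python
import json
from datetime import datetime, timezone

# Hypothetical identity context standing in for an AD lookup.
AD_CONTEXT = {"j.doe": {"department": "Finance"}}

def esc_header(value):
    # CEF header fields: escape backslash first, then the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(value):
    # CEF extension values: escape backslash and '=', encode line breaks.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

def to_cef(record, identities=AD_CONTEXT):
    """Turn one sysevent-style row into a CEF line (assumed field mapping)."""
    created = datetime.strptime(record["sys_created_on"], "%Y-%m-%d %H:%M:%S")
    user = record.get("parm1", "")
    ext = {
        # CEF receipt time as epoch milliseconds, treating the value as UTC.
        "rt": int(created.replace(tzinfo=timezone.utc).timestamp() * 1000),
        "suser": user,
        "externalId": record.get("sys_id", ""),
        "cs1Label": "adDepartment",  # enrichment step
        "cs1": identities.get(user, {}).get("department", "unknown"),
        "cs2Label": "originEvent",   # origin event embedded verbatim
        "cs2": json.dumps(record, sort_keys=True),
    }
    severity = 5 if record["name"] == "login.failed" else 3  # assumed scale
    header = ["CEF:0", "ExampleVendor", "ServiceNowConnector", "1.0",
              record["name"], record["name"], severity]
    return ("|".join(esc_header(h) for h in header) + "|" +
            " ".join(f"{k}={esc_ext(v)}" for k, v in ext.items()))

# Constructed sample row; treating parm1 as the user name is an assumption.
SAMPLE = {"name": "login.failed", "parm1": "j.doe", "parm2": "a=b|c",
          "sys_created_on": "2024-01-15 10:22:31", "sys_id": "0001"}

if __name__ == "__main__":
    print(to_cef(SAMPLE))
```

Without the escaping, an `=` or `|` inside a source field would be read by the SIEM parser as a new key or header column, so the stored event would no longer match what ServiceNow recorded.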
ServiceNow Audit Sources & Events Supported
| Audit Source (API) | Service/Module Covered | Event Types | Events included |
|---|---|---|---|
| Event Logs | | sysevent table events | The event log records all system events that occur within the system, such as login success, login failed, logout, attachment downloaded, user impersonation etc. |
| System Audit | Users Management | sys_audit table events | User locked-out, unlocked, added, deleted, updated, activated, deactivated etc. |
| | Password Management | | Password reset, changed etc. |
| | Resources Management | | Resource created, deleted, updated etc. |
| System Audit Delete | Users Deletion | sys_audit_delete table | User deletion events |
| | Resource Deletion | sys_audit_delete table | Represents events related to deletion of resources in the system |
| User | User Management | sys_user table | Represents user management events such as user profile edited, settings changed etc. |
| | Password History | | History for the password field of the user |
| Roles | Role Management | sys_audit_role table | Represents changes to user roles. |
| Transaction Log | Transaction Log | syslog_transaction table | Represents transaction activities such as resource viewed |
| Report View | Reports Usage | | Represents events related to reports usage such as report run |
| System Attachment | Attachment Management | sys_attachment table | Represents activities related to attachments such as attachment uploaded |