Configuring an external ticketing system

Use an external ticketing system such as ServiceNow or IBM Resilient to track incidents, problems, and tasks discovered by Guardium.

Before you begin

Before you can configure Guardium® for external ticketing, make sure that your ticketing system is set up.

Procedure

  1. Browse to Setup > Tools and Views > External Ticketing System.
  2. Click the new icon to open the External Ticketing System Configuration dialog.
  3. From the Account tab, use the Account menu to select an existing ticketing system account or click the new icon to add an account.
  4. From the Add account dialog, select and configure your ticketing system as follows:
    • For IBM Resilient, URL is the fully qualified domain name.
    • For ServiceNow, URL is generally <instanceName>.service-now.com.
    When you create the first external account, Guardium automatically creates configurations for all of the Guardium systems.
  5. Enter the username and password for your ticketing system, and then click Test Connection to verify that Guardium can communicate with the ticketing system.
    Note:
    • The ticketing-system account must be able to create and read records that are used with the integration. For example, if Incident records are used, the user must be able to create and read Incident records.
    • If prompted, follow the on-screen instructions for adding a security certificate for the ticketing system: Download the certificate from the ticketing system and import it into Guardium with the store certificate keystore trusted console CLI command.
  6. From the Settings tab, select the Guardium system, and then select the Template to configure.
    Systems are specific Guardium features that support external ticketing integration. Templates identify the type of ticket that is opened on the ticketing system.

    Each template provides options for the selected system. For example, if you select the Vulnerability Assessment Results system, you can select the specific severity for which you want to automatically create tickets.

    For ServiceNow, you can search for specific text in certain fields, such as a table or assignment group (depending on the Guardium system). To search for a specific item,
    1. Click the search icon to open the Search page for that item.
    2. In the search box, enter all or part of the text for the item you want to find, and then click Search.
    3. Select the item that you want from the list, and click Add.

    If needed, click the Clear icon to clear the text.

  7. After you select the Guardium system and Template, use the Guardium fields controls to create the message template that Guardium sends to the ticketing system. The information that you supply depends on the external ticketing system.


    IBM Resilient tickets

    • Name - A name or description of the external ticket type.
    • Description - The Guardium fields to include in each ticket.
    • Members - The member of the Resilient team to receive this ticket. A member can be either one person or a group (that is defined in Resilient).
      Note: In Guardium, you can select only one member. You can add more ticket receivers in Resilient.
    • Incident types - Select a Resilient incident type.
      Note: Guardium automatically creates configurations for all four of the Guardium systems. However, the Incident type field is left blank. Since Incident type is required for Resilient tickets, you need to select an incident type for each Resilient ticket type. You can set the incident type either from the Guardium UI or the Resilient server.
    • Click the additional field icon to add a field. For IBM Resilient, you can enter comments to include with a ticket.


    ServiceNow tickets

    • Short description - A short description of the external ticket type.
    • Description - The Guardium fields to include in each ticket.
    • Assignment group - The ServiceNow group to assign this ticket to.
    • Click the additional field icon to configure extra fields. For ServiceNow, you can enter comments to include with a ticket or other information (depending on the Guardium system and template).
      Note: ServiceNow supports both comments and work notes. Only comments entered into the ServiceNow Additional comments (customer visible) field display in the Guardium External Tickets report.
  8. From the Status tab, review ticketing-related log information.
    Use the Enable debug checkbox to include debugging-level information in the log.
    Note: The Enable debug setting is saved when selected or cleared.
  9. Click Save to save the configuration and exit the External Ticketing System Configuration dialog.
  10. If needed, configure external tickets for the other available systems that are shown in the External Ticketing System table.
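As an added pre-flight check for steps 4 and 5 (example code, not part of the Guardium documentation or product): it normalizes a ServiceNow instance name to the `<instanceName>.service-now.com` URL form and probes the endpoint's TLS trust, so you know before clicking Test Connection whether the certificate-import step will be needed. The accepted input forms and the result labels are assumptions of this example.

```python
"""Pre-flight checks for a ServiceNow external-ticketing account (added example).

Assumptions (not from the Guardium documentation): the instance may be given
as 'dev12345', 'dev12345.service-now.com' or a full https URL, and a host whose
certificate fails default trust is one that needs importing into Guardium's
trusted keystore before Test Connection can succeed.
"""
import socket
import ssl
from urllib.parse import urlparse

SERVICENOW_SUFFIX = ".service-now.com"


def servicenow_base_url(instance: str) -> str:
    """Normalize any accepted input form to https://<instanceName>.service-now.com."""
    text = instance.strip()
    if "://" in text:
        host = urlparse(text).hostname or ""   # full URL: keep only the host part
    else:
        host = text.split("/")[0]              # bare name or host, drop any path
    host = host.lower()
    if not host.endswith(SERVICENOW_SUFFIX):
        host = f"{host}{SERVICENOW_SUFFIX}"    # bare instance name -> full host
    name = host[: -len(SERVICENOW_SUFFIX)]
    # Instance names are DNS labels: letters, digits and hyphens only.
    if not name or not all(c.isalnum() or c == "-" for c in name):
        raise ValueError(f"invalid ServiceNow instance name: {instance!r}")
    return f"https://{host}"


def classify_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Probe the ticketing endpoint with the default trust store.

    Returns 'trusted' (Test Connection should work as-is), 'untrusted-cert'
    (download the server certificate and import it into the trusted keystore
    first), or 'unreachable' (network, DNS or non-TLS problem).
    """
    ctx = ssl.create_default_context()         # system CA bundle, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError:       # must precede the generic SSLError
        return "untrusted-cert"
    except (OSError, ssl.SSLError):
        return "unreachable"
```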

What to do next

After you configure ticketing integration for specific Guardium systems, use the following integration points in the Guardium UI to open new tickets.
Alerter
  Browse to Protect > Database Intrusion Detection > Alert Builder. Configure an alert. In the Add receiver section, set Notification type to TICKET. Tickets are created when the alert triggers.
  Attention: Verify that the alerter is active on startup: browse to Setup > Tools and Views > Alerter and select the Active on startup checkbox.
  External ticketing integrates with the following types of alert notifications:
    • Receivers defined in the Alert Builder
    • Notifications defined for a security policy in the Policy Builder for Data
    • Tickets defined for receivers in the Audit Process Builder

Audit Process
  The audit process ticketing system uses the Alert integration point.

  Browse to Comply > Tools and Views > Audit Process Builder. Begin creating an audit process. From the Send results section, select Add to add a receiver, and then set Receiver Type to Ticket.

  When the audit process runs, it generates the audit process result as a PDF, which is attached to the ticket that is sent to the external ticketing system. The URL to the ticket is stored in the Audit result table for external review.

  Note: Audit process results are purged following standard audit process rules. To set the purging rules, select Show advanced options from the Create New Audit Process or Details for: <audit process> page.

Policy Builder for Data
  Policy Builder for Data uses the Alert integration point.

  Browse to Protect > Security Policies > Policy Builder for Data. Begin creating a security policy. From Rule Action, select ALERT ONCE PER SESSION or ALERT PER MATCH, and then select TICKET from the Add New Action window.

Risk Spotter
  Browse to Protect > Uncover Threat Vectors > Active Risk Spotter. Select a user from the Risky Users table, and then select Actions > Create ticket.

Threat Analytics
  Browse to Protect > Uncover Threat Vectors > Active Threat Analytics. Select a case from the table, and then select Actions > Create ticket.

Vulnerability Assessment Results
  Browse to Harden > Vulnerability Assessment > Assessment Builder. Create and run an assessment, and then click View Results. For each failed result, click Create ticket to open a ticket.

View tickets that originate from the Guardium system by opening Setup > Reports > External Tickets.
Note: Ticket status is updated every hour. Closed tickets are removed from the report after 30 days of inactivity.