Use an external ticketing system such as ServiceNow or IBM Resilient
to track incidents, problems, and tasks discovered by Guardium.
Before you begin
Before you can configure Guardium® for
external ticketing, make sure that your ticketing system is set up.
Procedure
- Browse to .
- Click the icon to
open the External Ticketing System Configuration dialog.
- From the Account tab, use the Account menu
to select an existing ticketing system account or click the icon to add an account.
- From the Add account dialog, select and configure
your ticketing system as follows:
- For IBM Resilient, URL is the fully qualified domain name.
- For ServiceNow, URL is generally
<instanceName>.service-now.com.
When you create the first external account, Guardium automatically creates configurations for
all of the Guardium systems.
- Enter the username and password for your ticketing system, and then click Test
Connection to verify that Guardium can communicate with the ticketing system.
Note:
- The ticketing-system account must be able to create and read records that are used with the
integration. For example, if Incident records are used, the user must be able to create and read
Incident records.
- If prompted, follow the on-screen instructions for adding a security certificate for the
ticketing system: Download the certificate from the ticketing system and import it into Guardium
with the
store certificate keystore trusted console
CLI command.
- From the Settings tab, select the
Guardium system, and then select the Template to configure.
Systems are specific Guardium features
that support external ticketing integration.
Templates identify the type of ticket that is opened on the
ticketing system.
Each template provides options for the selected system. For example, if you select the
Vulnerability Assessment Results system, you can select the specific severity
for which you want to automatically create tickets.
For ServiceNow, you can search for specific text in certain fields,
such as a table or assignment group (depending on the Guardium system). To search for a specific item:
- Click the icon to open the
Search page for that item.
- In the search box, enter all or part of the text for the item you want to find, and then click
Search.
- Select the item that you want from the list, and click Add.
If needed, click the icon to clear the text.
- After you select the Guardium system and Template, use the Guardium fields controls to
create the message template that
Guardium sends to the ticketing system. The information that you supply depends on the external
ticketing system.
IBM Resilient tickets
- Name - A name or description of the external ticket type.
- Description - The Guardium fields to include in each ticket.
- Members - The member of the Resilient team to receive this ticket. A
member can be either one person or a group (that is defined in Resilient).
Note: In Guardium, you can
select only one member. You can add more ticket receivers in Resilient.
- Incident types - Select a Resilient incident type.
Note: Guardium
automatically creates configurations for all four of the Guardium systems. However, the
Incident type field is left blank. Since Incident type is required for
Resilient tickets, you need to select an incident type for each Resilient ticket type. You can set
the incident type either from the Guardium UI or the Resilient server.
- Click the icon to add a field. For IBM Resilient, you can enter comments to include with a ticket.
ServiceNow tickets
- From the Status tab, review ticketing-related log
information.
Use the
Enable debug checkbox to include debugging-level information in
the log.
Note: The Enable debug setting is saved when selected or
cleared.
- Click Save to save the configuration and exit the
External Ticketing System Configuration dialog.
- If needed, configure external tickets for the other available systems that are shown in
the External Ticketing System table.
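The certificate step in the procedure above adds the ticketing system's certificate to the Guardium trusted keystore, so it is worth checking the downloaded file on the administrator's workstation before pasting it into `store certificate keystore trusted console`. The following is an added example, not IBM's code: the helper name `check_ticketing_cert`, the 7-day expiry threshold, and the use of the `openssl` CLI are assumptions.

```shell
# Added example: pre-import checks on a downloaded ticketing-system certificate.
# Hypothetical helper; assumes the openssl CLI is installed on the workstation.
# usage: check_ticketing_cert <cert.pem> <expected-host> [pinned-sha256-fingerprint]
check_ticketing_cert() {
    cert=$1; host=$2; pinned=${3:-}

    # 1. The file must parse as an X.509 certificate in PEM form.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a PEM certificate" >&2; return 1
    fi

    # 2. Reject certificates that are expired or expire within 7 days (assumed threshold).
    if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null; then
        echo "FAIL: certificate expires within 7 days" >&2; return 2
    fi

    # 3. The certificate must be valid for the host entered as the account URL.
    #    -checkhost reports its verdict as text, so the output is inspected.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" \
            | grep -q "does match certificate"; then
        echo "FAIL: certificate is not valid for $host" >&2; return 3
    fi

    # 4. Normalise the SHA-256 fingerprint: strip label and colons, lower-case.
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 \
            | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f')

    # 5. Optional pin: compare with a fingerprint obtained out of band,
    #    for example read to you by the ticketing-system administrator.
    if [ -n "$pinned" ]; then
        want=$(printf '%s' "$pinned" | tr -d ':' | tr 'A-F' 'a-f')
        if [ "$fp" != "$want" ]; then
            echo "FAIL: fingerprint $fp does not match pinned value" >&2; return 4
        fi
    fi

    echo "$fp"   # fingerprint to record alongside the change ticket
}

# Run directly as: sh check_cert.sh <cert.pem> <host> [pinned-fingerprint]
if [ "$#" -ge 2 ]; then check_ticketing_cert "$@"; fi
```

A non-zero return code identifies which check failed (1 parse, 2 expiry, 3 host name, 4 pin), so the function can gate a scripted change procedure.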
What to do next
After you configure ticketing integration for specific Guardium systems, use the following
integration points in the Guardium UI to open new tickets.
| Guardium system | Integration point |
| --- | --- |
| Alerter | Browse to . Configure an alert. In the Add receiver section, set Notification type to TICKET. Tickets are created when the alert triggers. Attention: Verify that the alerter is active on startup: browse to and select the Active on startup checkbox. External ticketing integrates with the following types of alert notifications: receivers defined in the Alert Builder; notifications defined for a security policy in the Policy Builder for Data; tickets defined for receivers in the Audit Process Builder. |
| Audit Process | The audit process ticketing system uses the Alert integration point. Browse to . Begin creating an audit process. From the Send results section, select to add a receiver, and then set Receiver Type to Ticket. When the audit process runs, it generates the audit process result as a PDF, which is attached to the ticket that is sent to the external ticketing system. The URL to the ticket is stored in the Audit result table for external review. Note: Audit process results are purged following standard audit process rules. To set the purging rules, select Show advanced options from the Create New Audit Process or Details for: <audit process> page. |
| Policy Builder for Data | Policy Builder for Data uses the Alert integration point. Browse to . Begin creating a security policy. From Rule Action, select ALERT ONCE PER SESSION or ALERT PER MATCH and then select TICKET from the Add New Action window. |
| Risk Spotter | Browse to . Select a user from the Risky Users table and use the . |
| Threat Analytics | Browse to . Select a case from the table and use the . |
| Vulnerability Assessment Results | Browse to . Create and run an assessment, then click View Results. For each failed result, click Create ticket to open a ticket. |
View tickets that originate from the Guardium system by opening
.
Note: Ticket status is updated every hour. Closed tickets are
removed from the report after 30 days of inactivity.