Use an external ticketing system such as ServiceNow or IBM Resilient
to track incidents, problems, and tasks discovered by Guardium.
Before you begin
Before you can configure Guardium® for external ticketing, make sure that your ticketing system is set up.
Note: Before you configure Guardium to use external ticketing with ServiceNow, make sure that the ServiceNow Event Management Core app is available in your ServiceNow instance. You can download the Event Management Core app from the ServiceNow store.
Depending on your ticketing system and the Guardium system that you configure, you can select the mode to process ticket information, as follows.
Note: Before you configure an external ticketing system with Guardium 12.0 or later, make sure that the correct version of TLS is available. For more information, see Managing the TLS version.
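As a pre-check for the TLS and certificate prerequisites, here is an added Python example (not Guardium's, IBM's or ServiceNow's own code) that performs one TLS handshake with the ticketing endpoint, reports the negotiated protocol, and saves the server certificate as PEM for the store certificate keystore trusted console import described in the procedure. The TLS 1.2 floor, port 443 and the sample hostnames are assumptions.

```python
# Added pre-check, not Guardium/IBM/ServiceNow code: verify the ticketing
# endpoint meets a TLS floor and fetch its certificate for the CLI import.
import socket
import ssl
from urllib.parse import urlparse


def endpoint_from_url(url: str, default_port: int = 443) -> tuple:
    """Accept the bare ServiceNow form (<instanceName>.service-now.com), a
    Resilient FQDN, or a full https:// URL with an optional port."""
    if "://" not in url:
        url = "https://" + url
    parsed = urlparse(url)
    if not parsed.hostname:
        raise ValueError(f"no hostname found in {url!r}")
    return parsed.hostname, parsed.port or default_port


def probe_tls(host: str, port: int = 443,
              minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
              timeout: float = 10.0) -> dict:
    """One handshake: raises ssl.SSLError if the server cannot meet `minimum`,
    otherwise returns the negotiated protocol, cipher and leaf cert as PEM.
    Verification is off on purpose: the point is to fetch a certificate that
    is not trusted yet; Guardium validates it after the import."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum          # assumption: TLS 1.2 is the floor
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"host": host, "port": port, "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "pem": ssl.DER_cert_to_PEM_cert(der)}


def save_pem(result: dict, path: str) -> str:
    """Write the PEM so it can be carried to the Guardium CLI; returns path."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(result["pem"])
    return path


if __name__ == "__main__":
    import sys
    host, port = endpoint_from_url(sys.argv[1])   # e.g. acme.service-now.com
    info = probe_tls(host, port)
    print(f"{host}:{port} negotiated {info['protocol']} with {info['cipher']}")
    print("PEM written to", save_pem(info, f"{host}.pem"),
          "- import it with: store certificate keystore trusted console")
```

A handshake failure with the default floor means the endpoint cannot satisfy the TLS requirement noted above and should be fixed on the ticketing side before the Guardium account is created.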
Procedure
- Browse to .
- Click the icon to open the External Ticketing System Configuration dialog.
- From the Account tab, use the Account menu to select an existing ticketing system account or click the icon to add an account.
- From the Add account dialog, select and configure your ticketing system as follows:
  - For IBM Resilient, URL is the fully qualified domain name.
  - For ServiceNow, URL is generally <instanceName>.service-now.com.
  When you create the first external account, Guardium automatically creates configurations for all of the Guardium systems.
- Enter the username and password for your ticketing system, and then click Test Connection to verify that Guardium can communicate with the ticketing system.
  Note:
  - The ticketing-system account must be able to create and read records that are used with the integration. For example, if Incident records are used, the user must be able to create and read Incident records.
  - If prompted, follow the on-screen instructions for adding a security certificate for the ticketing system: Download the certificate from the ticketing system and import it into Guardium with the store certificate keystore trusted console CLI command.
- From the Settings tab, select the Guardium system to configure. Systems are specific Guardium features that support external ticketing integration.
- Then, depending on your ticketing system and the Guardium system that you select, take one of the following steps:
  - After you select the Guardium system and Table, use the Guardium fields controls to create the message table that Guardium sends to the ticketing system. The information that you supply depends on the external ticketing system.
  IBM Resilient tickets
  - Name - A name or description of the external ticket type.
  - Description - The Guardium fields to include in each ticket.
  - Members - The member of the Resilient team to receive this ticket. A member can be either one person or a group (that is defined in Resilient).
    Note: In Guardium, you can select only one member. You can add more ticket receivers in Resilient.
  - Incident types - Select a Resilient incident type.
    Note: Guardium automatically creates configurations for all four of the Guardium systems. However, the Incident type field is left blank. Since Incident type is required for Resilient tickets, you need to select an incident type for each Resilient ticket type. You can set the incident type either from the Guardium UI or the Resilient server.
  - Click the icon to add a field. For IBM Resilient, you can enter comments to include with a ticket.
  ServiceNow tickets
  For all ticket types (Tables), you can configure some or all of the following information:
- From the Status tab, review ticketing-related log information. Use the Enable debug checkbox to include debugging-level information in the log.
  Note: The Enable debug setting is saved when selected or cleared.
- Click Save to save the configuration and exit the External Ticketing System Configuration dialog.
- If needed, configure external tickets for the other available systems that are shown in the External Ticketing System table.
What to do next
After you configure ticketing integration for specific Guardium systems, use the following integration points in the Guardium UI to open new tickets.

Guardium system: Alerter
Integration point: Browse to . Configure an alert. In the Add receiver section, set Notification type to TICKET. Tickets are created when the alert triggers.
Attention: Verify that the alerter is active on startup: browse to and select the Active on startup checkbox.
External ticketing integrates with the following types of alert notifications:
- Receivers defined in the Alert Builder
- Notifications defined for a security policy in the Policy Builder for Data
- Tickets defined for receivers in the Audit Process Builder.

Guardium system: Audit Process
Integration point: The audit process ticketing system uses the Alert integration point. Browse to . Begin creating an audit process. From the Send results section, select to add a receiver, and then set Receiver Type to Ticket.
When the audit process runs, it generates the audit process result as a PDF, which is attached to the ticket that is sent to the external ticketing system. The URL to the ticket is stored in the Audit result table for external review.
Note: Audit process results are purged following standard audit process rules. To set the purging rules, select Show advanced options from the Create New Audit Process or Details for: <audit process> page.

Guardium system: Policy Builder for Data
Integration point: Policy Builder for Data uses the Alert integration point. Browse to . Begin creating a security policy. From Rule Action, select ALERT ONCE PER SESSION or ALERT PER MATCH and then select TICKET from the Add New Action window.

Guardium system: Risk Spotter
Integration point: Browse to . Select a user from the Risky Users table and use the .

Guardium system: Threat Analytics
Integration point: Browse to . Select a case from the table and use the .

Guardium system: Vulnerability Assessment Results
Integration point: Browse to . Create and run an assessment, then click View Results. For each result that meets the test result score criteria, click Create ticket to open a ticket.

View tickets that originate from the Guardium system by opening .
Note: Ticket status is updated every hour. Closed tickets are removed from the report after 30 days of inactivity.