Configuring an external ticketing system

Use an external ticketing system such as ServiceNow or IBM Resilient to track incidents, problems, and tasks discovered by Guardium.

Before you begin

Before you can configure Guardium® for external ticketing, make sure that your ticketing system is set up.
Note: Before you configure Guardium to use external ticketing with ServiceNow, make sure that the ServiceNow Event Management Core app is available in your ServiceNow instance. You can download the Event Management Core app from the ServiceNow store.
Depending on your ticketing system and the Guardium system that you configure, you can select the mode to process ticket information, as follows.
  • Table - Identifies the type of ticket that is opened on the ticketing system. Each table provides options for the selected system. For example, if you select the Vulnerability Assessment Results system, you can select the specific severity for which you want to automatically create tickets.
  • Event - For Alert and Vulnerability Assessment systems with ServiceNow, select Event to send an event to ServiceNow when a Guardium alert occurs. Upon receiving events, ServiceNow generates alerts based on ServiceNow event and alert management rules.

    No roles are required to create an event, as long as the ServiceNow user account from the Guardium external ticketing configuration has permission to connect to the ServiceNow instance.

Note: Before you configure an external ticketing system with Guardium 12.0 or later, make sure that the correct version of TLS is available. For more information, see Managing the TLS version.

Procedure

  1. Browse to Setup > Tools and Views > External Ticketing System.
  2. Click the new icon to open the External Ticketing System Configuration dialog.
  3. From the Account tab, use the Account menu to select an existing ticketing system account or click the new icon to add an account.
  4. From the Add account dialog, select and configure your ticketing system as follows:
    • For IBM Resilient, URL is the fully qualified domain name of the Resilient server.
    • For ServiceNow, URL is generally <instanceName>.service-now.com.
    When you create the first external account, Guardium automatically creates configurations for all of the Guardium systems.
  5. Enter the username and password for your ticketing system, and then click Test Connection to verify that Guardium can communicate with the ticketing system.
    Note:
    • Grant the ticketing-system account only what the integration needs: it must be able to create and read the records that are used with the integration. For example, if Incident records are used, the user must be able to create and read Incident records.
    • If prompted, follow the on-screen instructions to add the security certificate of the ticketing system: download the certificate from the ticketing system and import it into Guardium with the store certificate keystore trusted console CLI command.
  6. From the Settings tab, select the Guardium system to configure. Systems are specific Guardium features that support external ticketing integration.
  7. Depending on your ticketing system and the Guardium system that you select, take one of the following steps:
    • For IBM Resilient, select the Guardium system that you want to configure from the Settings tab, and then select the Table to configure.
    • For ServiceNow, when you select either Risk Spotter or Threat Analytics, select the Table to configure.

      If you select either Alerter or Vulnerability Assessment as the Guardium system, you can choose either Event or Table mode.

      If you select Table mode for ServiceNow, you also need to select the table that you want to use. You can search for a table (or for other items, such as an assignment group, depending on the Guardium system). To search for a specific table name or other item:
      1. Click the search icon to open the Search page for that item.
      2. In the search box, enter all or part of the text for the item that you want to find, and then click Search.
      3. Select the item that you want from the list, and click Add.

        If needed, click the Clear icon to clear the text.

      When you select Vulnerability Assessment in either Event or Table mode, you can also specify the conditions under which Guardium automatically creates events or tickets. The conditions are defined as part of the Guardium assessment. Enter the following information under Automatically create events/tickets when these conditions are met:
      • Severity - Select one or more severities for which to create an event or ticket. You can select as many as needed.
      • Test result score - Select one or more result scores. You can select as many as needed. An event or ticket is created only for results that match both a selected severity and a selected score.
      For more information, see Introducing Guardium Vulnerability Assessment.
  8. After you select the Guardium system and Table, use the Guardium fields controls to create the message table that Guardium sends to the ticketing system. The information that you supply depends on the external ticketing system.


    IBM Resilient tickets

    • Name - A name or description of the external ticket type.
    • Description - The Guardium fields to include in each ticket.
    • Members - The member of the Resilient team to receive this ticket. A member can be either one person or a group (that is defined in Resilient).
      Note: In Guardium, you can select only one member. You can add more ticket receivers in Resilient.
    • Incident types - Select a Resilient incident type.
      Note: Guardium automatically creates configurations for all four of the Guardium systems. However, the Incident type field is left blank. Since Incident type is required for Resilient tickets, you need to select an incident type for each Resilient ticket type. You can set the incident type either from the Guardium UI or the Resilient server.
    • Click the additional field icon to add a field. For IBM Resilient, you can enter comments to include with a ticket.


    ServiceNow tickets

    For all ticket types (Tables), you can configure some or all of the following information:

    • Short description - A short description of the external ticket type.
    • Description - The Guardium fields to include in each ticket.
    • Assignment group - The ServiceNow group to assign this ticket to.
    • Click the additional field icon to configure extra fields. For ServiceNow, you can enter comments to include with a ticket or other information (depending on the Guardium system and table).
      Note: ServiceNow supports both comments and work notes. Only comments entered into the ServiceNow Additional comments (customer visible) field display in the Guardium External Tickets report.
  9. From the Status tab, review ticketing-related log information.
    Use the Enable debug checkbox to include debugging-level information in the log.
    Note: The Enable debug setting is saved when selected or cleared.
  10. Click Save to save the configuration and exit the External Ticketing System Configuration dialog.
  11. If needed, configure external tickets for the other available systems that are shown in the External Ticketing System table.
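The following is an added example, not code from this page, from Guardium, or from ServiceNow. It shows the mechanics behind two parts of the procedure above: the Vulnerability Assessment auto-ticket conditions (both a selected severity and a selected test result score must match) and what an Event-mode submission to ServiceNow Event Management looks like, plus a TLS probe of the ticketing host that also retrieves its certificate for the store certificate keystore trusted console step. The ServiceNow Event Management REST endpoint (/api/global/em/jsonv2) and its severity scale (1 Critical to 5 Info) are ServiceNow's documented ones; the payload field choices, the Guardium-to-ServiceNow severity mapping, and the assessment results are assumptions and constructed sample data, because this page does not describe Guardium's actual event format.

```python
"""Added example (not Guardium or ServiceNow code): filter constructed
assessment results by the severity/score conditions, build ServiceNow
Event Management records for the matches, and probe the ticketing host
for TLS 1.2+ and its certificate. Field choices are assumptions."""
import json
import socket
import ssl
import urllib.request
from base64 import b64encode

# Assumed mapping from Guardium severities to the ServiceNow Event
# Management severity scale (1 Critical ... 5 Info).
SNOW_SEVERITY = {"CRITICAL": "1", "MAJOR": "2", "MINOR": "3",
                 "CAUTION": "4", "INFO": "5"}

# Constructed sample of Vulnerability Assessment results (not real data).
SAMPLE_RESULTS = [
    {"test": "Database version is current", "severity": "CRITICAL",
     "score": "Fail", "datasource": "db1:5432"},
    {"test": "Excessive privileges", "severity": "MAJOR",
     "score": "Fail", "datasource": "db1:5432"},
    {"test": "Audit logging enabled", "severity": "MINOR",
     "score": "Pass", "datasource": "db1:5432"},
    {"test": "Weak password policy", "severity": "CRITICAL",
     "score": "Error", "datasource": "db2:1521"},
]


def matches_conditions(result, severities, scores):
    """The 'Automatically create events/tickets when these conditions are
    met' filter: the result must match a selected severity AND a selected
    test result score."""
    return result["severity"] in severities and result["score"] in scores


def build_event(result, source="Guardium"):
    """One record for the ServiceNow em_event table. Using the datasource
    as 'node' and the test name as 'resource' is an assumed convention."""
    return {
        "source": source,
        "node": result["datasource"],
        "type": "VulnerabilityAssessment",
        "resource": result["test"],
        "severity": SNOW_SEVERITY[result["severity"]],
        "description": f"{result['test']} ({result['score']}) "
                       f"on {result['datasource']}",
        "additional_info": json.dumps(
            {"score": result["score"],
             "guardium_severity": result["severity"]}),
    }


def events_for(results, severities, scores):
    """Events for only those results that meet the configured conditions."""
    return [build_event(r) for r in results
            if matches_conditions(r, severities, scores)]


def event_payload(events):
    """Request body for POST /api/global/em/jsonv2 (ServiceNow Event API)."""
    return {"records": events}


def send_events(instance, user, password, events, timeout=10):
    """POST events with basic auth, refusing anything below TLS 1.2.
    Network call; not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    token = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{instance}.service-now.com/api/global/em/jsonv2",
        data=json.dumps(event_payload(events)).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": "Basic " + token},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, json.load(resp)


def probe_tls(host, port=443, timeout=10):
    """Return (negotiated TLS version, server certificate as PEM) when the
    client insists on TLS 1.2+. The PEM is what you would paste into the
    'store certificate keystore trusted console' prompt. Network call."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.version(), ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    # Conditions as they would be ticked in the Guardium UI.
    selected = events_for(SAMPLE_RESULTS, {"CRITICAL"}, {"Fail", "Error"})
    print(json.dumps(event_payload(selected), indent=2))
```

With CRITICAL selected and both Fail and Error selected as scores, only two of the four constructed results produce events; the MINOR/Pass result is dropped by both conditions. Note that probe_tls uses the default certificate verification, so a host whose chain is not trusted by the local machine fails the handshake, which is the same symptom that makes Guardium prompt for a certificate import.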

What to do next

After you configure ticketing integration for specific Guardium systems, use the following integration points in the Guardium UI to open new tickets.
Guardium system and integration point:

  • Alerter - Browse to Protect > Database Intrusion Detection > Alert Builder. Configure an alert. In the Add receiver section, set Notification type to TICKET. Tickets are created when the alert triggers.
    Attention: Verify that the alerter is active on startup: browse to Setup > Tools and Views > Alerter and select the Active on startup checkbox.
    External ticketing integrates with the following types of alert notifications:
    • Receivers defined in the Alert Builder
    • Notifications defined for a security policy in the Policy Builder for Data
    • Tickets defined for receivers in the Audit Process Builder
  • Audit Process - The audit process ticketing system uses the Alert integration point.
    Browse to Comply > Tools and Views > Audit Process Builder. Begin creating an audit process. From the Send results section, select Add to add a receiver, and then set Receiver Type to Ticket.
    When the audit process runs, it generates the audit process result as a PDF, which is attached to the ticket that is sent to the external ticketing system. The URL of the ticket is stored in the Audit result table for external review.
    Note: Audit process results are purged following standard audit process rules. To set the purging rules, select Show advanced options from the Create New Audit Process or Details for: <audit process> page.
  • Policy Builder for Data - Policy Builder for Data uses the Alert integration point.
    Browse to Protect > Security Policies > Policy Builder for Data. Begin creating a security policy. From Rule Action, select ALERT ONCE PER SESSION or ALERT PER MATCH, and then select TICKET from the Add New Action window.
  • Risk Spotter - Browse to Protect > Uncover Threat Vectors > Active Risk Spotter. Select a user from the Risky Users table, and then select Actions > Create ticket.
  • Threat Analytics - Browse to Protect > Uncover Threat Vectors > Active Threat Analytics. Select a case from the table, and then select Actions > Create ticket.
  • Vulnerability Assessment Results - Browse to Harden > Vulnerability Assessment > Assessment Builder. Create and run an assessment, and then click View Results. For each result that meets the test result score criteria, click Create ticket to open a ticket.
View tickets that originate from the Guardium system by opening Setup > Reports > External Tickets.
Note: Ticket status is updated every hour. Closed tickets are removed from the report after 30 days of inactivity.