You can create orchestration rules in USM Anywhere that automatically trigger a ServiceNow response action when eventsAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall., alarmsAlarms provide notification of an event or sequence of events that require attention or investigation., or vulnerabilitiesA known issue or weakness in a system, procedure, internal control, software package, or hardware that could be used to compromise security. match the criteria that you specify. For example, you might create a rule where USM Anywhere automatically creates a new ServiceNow incident when malware is detected so that a member of your response team can manage and address the issue.
Note: Before creating a ServiceNow response action rule, the AlienApp for ServiceNow must be enabled and connected to your ServiceNow instance. See Configuring the AlienApp for ServiceNow for more information.
After you create a rule, new events, alarms, or vulnerabilities that match the rule conditions will trigger the ServiceNow response action to create a new incident. The rule does not trigger for existing events, alarms, or vulnerabilities.
You can create a new rule the following way:
From the Rules page: The Rules page provides access to all of your orchestration rules. The Orchestration Rules list includes suppression rules, alarm rules, filtering rules, notification rules, and response action rules. You can create new rules using the specific matching conditions that you define, as well as edit, delete, and enable or disable rules. See Orchestration Rules for more information about managing orchestration rules.
Go to Settings > Rules and select Response Action Rules on the left navigation panel. Then click Create Response Action Rule to define the new rule.
To define a new ServiceNow response based on orchestration
Enter a name for the rule.
Select ServiceNow for Action Type, and Create a new incident for App Action.
Set Service Desk as Incident Type. The available incident types depend on the ServiceNow products that are active for the ServiceNow user account configured for the AlienApp. Use the Service Desk type to open a service desk incident in the information technology service management (ITSM) product. If your account has the ServiceNow Security Incident Response (SIR) product enabled, you can use the Security type to open a security incident.
This uses the title of the alarm, event, or vulnerability that triggers the rule to populate the Short Description. Description will be populated with the following details, depending on the App Action and the selected checkboxes. The checkboxes for additional details are determined by those you selected on the Data Sources > Integrations > ServiceNow > Settings page during the ServiceNow AlienApp configuration.
- Include Fields: Select the checkboxes to include any of the information fields in your incident.
- Alarms: Select the checkboxes to include any of these fields from an Alarm in your incident.
- Events: Select the checkboxes to include any of these fields from an Event in your incident.
- Vulnerabilities: Select the checkboxes to include any of these fields from a Vulnerability in your incident.
- Additional Comments: Enter any additional information that you want to include in the notes field of the ServiceNow incident.
Additionally, you can further define the ServiceNow incident parameters that are populated by using the Urgency, Impact, and Category dropdown fields.
You can use the Assign To field to automatically assign all resulting incidents to a specific user. The field will suggest autocomplete options as you type the user name.
At the bottom of the dialog box, set the rule condition parameters to specify the criteria for a matching alarm or event to trigger the rule.
- This section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
- If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
- At the bottom of the dialog box, click More to display the optional multiple occurrence and window-length parameters.
Choose an operator and add one or more conditions to form the conditional expression. You can include a condition group to evaluate a subset of conditions. The Current Rule box displays the constructed expression in standard syntax. The box displays a red border if the expression is syntactically invalid as currently specified. A valid expression is required to save the rule definition.
It is important to be considerate of how the chosen conditions will match the events and whether they will have the attributes necessary to perform the desired action; any conditions that are matched but lack the correct attributes will be skipped.
Select the operator used to determine the match for multiple conditions.
- Select AND to match all conditions.
- Select OR to match any one condition.
- Select AND NOT to exclude items matching all conditions after the first.
- Select OR NOT to include all items that do not match any conditions after the first.
Click Add Condition to add a condition. For each condition, specify the field name, evaluator, and value. If the evaluation returns true for the condition, it is a match.
Click Add Group to add a condition group. A new group includes a condition and its own operator used to match the conditions within the group. You can nest condition groups.Occurrences
Specify the number of event or alarm occurrences that produce a match on the conditional expression to trigger the rule. The default value is 1. You can enter the number of occurrences or use the arrow to scroll the value up or down.
USM Anywhere uses this in conjunction with the Length option to specify the number of occurrences within a time period that will trigger the rule. For example, you can define a rule to trigger for an unauthorized access attempt when a failed SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). login occurs three times within a five-minute window.Length
Specify the length of the window to identify a match for multiple occurrences. Enter the number and choose a time unit value of seconds, minutes, or hours. This time period identifies the amount of time that transpires from the first occurrence to the last occurrence. If the number of occurrences is not met within this period, the rule does not trigger.
- Click Save Rule.
- In the confirmation dialog box, click OK.