Document toolboxDocument toolbox

Devo Alert Synchronizer ServiceNow app

Overview

This article describes how to install and configure the Devo Alert Synchronizer ServiceNow app in your ServiceNow instance, which allows you to keep the Devo alerts in synchronization with corresponding ServiceNow Security Incidents. The app mainly enables:

  • Creating Security Incidents in ServiceNow for the alerts created in the Devo platform.

  • Updating Devo alert statuses automatically when the state for the corresponding Security Incident is updated in ServiceNow.

  • Updating Devo alert priorities automatically when the priority for the corresponding Security Incident is updated in ServiceNow.

Prerequisites

Make sure you meet the following prerequisites:

  • You have access to Devo.

  • You have permissions to create a ServiceNow delivery method in Devo. Learn how to do it in this article.

  • Your ServiceNow platform is running the Quebec version or later.

  • You have administrator access to your ServiceNow instance (needed for installing the ServiceNow app from the ServiceNow Store).

  • The Security Incident Response Application is installed on your ServiceNow instance.

  • You have the API and token ready to be configured.

The URL for the API is different for each devo instance. An example is api-eu.devo.com.

Get the token from your Devo instance by going to Administration >> Credentials >> Tokens.

Installation

Install the Devo Alert Synchronizer ServiceNow app by following these steps:

Configuration

Follow these procedures to configure the Devo Alert Synchronizer ServiceNow app:

1. Create an app admin user

To configure the application, you need a user with enough privileges to send data from Devo to ServiceNow. Follow these steps to create a user with the required privileges in ServiceNow:

The above roles will add all the necessary privileges to send the alerts from Devo to ServiceNow.

2. Define the ServiceNow delivery method in Devo

Follow the instructions in this article to define and activate a ServiceNow delivery method in your Devo domain. This process will start sending the newly created alerts to the ServiceNow Devo alert table.

3. Devo Alert Synchronizer configuration

The app needs to be configured to use the Devo API credentials. These credentials will be used to call the Devo API, so that you can update the alert properties in the Devo instances.

Follow these steps to configure the Devo credentials.

Mapping Devo field values to ServiceNow field values

Once the application is configured successfully, the default mappings will be created in the Devo Alert Synchronizer Configuration.

If needed, the mappings can be changed as defined below:

  • New mapping data can be added by clicking the New button under the Status/Priority Mappings tabs.

  • The existing mappings can be edited by clicking on the mapping already present.

Integration workflow

Once the app is installed and configured, you can start using it. Below is the complete workflow of the integration. The steps mentioned below describe how a Devo alert is sent to ServiceNow and is updated when any updates in the ServiceNow Security Incident happens.

Security incident creation

The app transforms the Devo alerts to ServiceNow Security Incidents. The alerts are sent to ServiceNow using the ServiceNow Delivery Method.

Please note the following while creating the Delivery Method:

  1. Deliver the alerts to  ‘x_devo_alerts_sync_devo_alerts’ table, which already exists in ServiceNow instance after installation of Devo Alert Synchronizer app.

  2. The ServiceNow user you are using to deliver alerts to ServiceNow should have the following roles enabled to create records in ‘x_devo_alerts_sync_devo_alerts’ table:

    1. incident_manager

    2. web_service_admin

    3. x_devo_alerts_sync.app_admin

Once the delivery method starts sending the alert to the Devo Alert table in ServiceNow (with sys_id ‘x_devo_alerts_sync_devo_alerts’), a Security Incident will be created for each Devo alert. The Devo Alert table is an import set table, which uses the Transform Maps to map the fields from the Devo Alert table to the Security Incident table.

The following table shows the mapping of Devo specific fields to ServiceNow fields:

Devo Alert table field

Service Incident table field

Devo Alert table field

Service Incident table field

short_description

Short Description

impact

<not mapped>

urgency

<not mapped>

assignment_group

Assignment Group

company

Company

alarm_name

<not mapped>

context

<not mapped>

engine

<not mapped>

id

Correlation ID

category

Category

priority

Priority

creation_date

<not mapped>

status

State

user_name

<not mapped>

category_name

Category

subcategory_name

Sub-Category

source_domain

<not mapped>

description

Description

extradata

Work Notes

The above is the default transformation mapping used by the app. If you want to customise the transformation maps, you can do it by clicking Transform Maps at the bottom of the Devo Alert table. This opens the Table Transform Map that can be customised.

Incident status update

Once the Security Incidents are created in the ServiceNow instance, they can be correlated with the Correlation ID of the Security Incident. If the state of the Security Incident is updated, the app calls the Devo API to update the status of the corresponding alert in the Devo platform.

This feature leverages the ServiceNow state to the Devo status mapping as defined in the advanced configuration.

Incident priority update

Just like the status, if the priority of the Security Incident is updated, the app calls the Devo API to update the priority of the corresponding alert in the Devo platform.

This feature leverages the ServiceNow Priority to the Devo priority mapping as defined in the advanced configuration.

Troubleshooting

ServiceNow logs different information (info, debug, error). The application logs can be checked in System Logs → System Log → Application Logs. Note that you need the System Administrator (admin) role to see this area.