Devo Alert Synchronizer ServiceNow app
- Juan Tomás Alonso Nieto (Deactivated)
- Anthony Shevlin (Deactivated)
- Borja Moro Moreno
Overview
This article describes how to install and configure the Devo Alert Synchronizer ServiceNow app in your ServiceNow instance, which allows you to keep the Devo alerts in synchronization with corresponding ServiceNow Security Incidents. The app mainly enables:
Creating Security Incidents in ServiceNow for the alerts created in the Devo platform.
Updating Devo alert statuses automatically when the state for the corresponding Security Incident is updated in ServiceNow.
Updating Devo alert priorities automatically when the priority for the corresponding Security Incident is updated in ServiceNow.
Prerequisites
Make sure you meet the following prerequisites:
You have access to Devo.
You have permissions to create a ServiceNow delivery method in Devo. Learn how to do it in this article.
Your ServiceNow platform is running the Quebec version or later.
You have administrator access to your ServiceNow instance (needed for installing the ServiceNow app from the ServiceNow Store).
The Security Incident Response Application is installed on your ServiceNow instance.
You have the API and token ready to be configured.
The URL for the API is different for each devo instance. An example is api-eu.devo.com.
Get the token from your Devo instance by going to Administration >> Credentials >> Tokens.
Installation
Install the Devo Alert Synchronizer ServiceNow app by following these steps:
Configuration
Follow these procedures to configure the Devo Alert Synchronizer ServiceNow app:
1. Create an app admin user
To configure the application, you need a user with enough privileges to send data from Devo to ServiceNow. Follow these steps to create a user with the required privileges in ServiceNow:
The above roles will add all the necessary privileges to send the alerts from Devo to ServiceNow.
2. Define the ServiceNow delivery method in Devo
Follow the instructions in this article to define and activate a ServiceNow delivery method in your Devo domain. This process will start sending the newly created alerts to the ServiceNow Devo alert table.
3. Devo Alert Synchronizer configuration
The app needs to be configured to use the Devo API credentials. These credentials will be used to call the Devo API, so that you can update the alert properties in the Devo instances.
Follow these steps to configure the Devo credentials.
Mapping Devo field values to ServiceNow field values
Once the application is configured successfully, the default mappings will be created in the Devo Alert Synchronizer Configuration.
If needed, the mappings can be changed as defined below:
New mapping data can be added by clicking the New button under the Status/Priority Mappings tabs.
The existing mappings can be edited by clicking on the mapping already present.
Integration workflow
Once the app is installed and configured, you can start using it. Below is the complete workflow of the integration. The steps mentioned below describe how a Devo alert is sent to ServiceNow and is updated when any updates in the ServiceNow Security Incident happens.
Security incident creation
The app transforms the Devo alerts to ServiceNow Security Incidents. The alerts are sent to ServiceNow using the ServiceNow Delivery Method.
Please note the following while creating the Delivery Method:
Deliver the alerts to ‘x_devo_alerts_sync_devo_alerts’ table, which already exists in ServiceNow instance after installation of Devo Alert Synchronizer app.
The ServiceNow user you are using to deliver alerts to ServiceNow should have the following roles enabled to create records in ‘x_devo_alerts_sync_devo_alerts’ table:
incident_manager
web_service_admin
x_devo_alerts_sync.app_admin
Once the delivery method starts sending the alert to the Devo Alert table in ServiceNow (with sys_id ‘x_devo_alerts_sync_devo_alerts’), a Security Incident will be created for each Devo alert. The Devo Alert table is an import set table, which uses the Transform Maps to map the fields from the Devo Alert table to the Security Incident table.
The following table shows the mapping of Devo specific fields to ServiceNow fields:
Devo Alert table field | Service Incident table field |
|---|---|
short_description | <not mapped> |
impact | <not mapped> |
urgency | <not mapped> |
assignment_group | Assignment Group |
company | Company |
alarm_name | Short Description |
context | <not mapped> |
engine | <not mapped> |
id | Correlation ID |
category | Category |
priority | Priority |
creation_date | <not mapped> |
status | State |
user_name | <not mapped> |
category_name | Category |
subcategory_name | Sub-Category |
source_domain | <not mapped> |
description | Description |
extradata | Work Notes |
The above is the default transformation mapping used by the app. If you want to customise the transformation maps, you can do it by clicking Transform Maps at the bottom of the Devo Alert table. This opens the Table Transform Map that can be customised.
Incident status update
Once the Security Incidents are created in the ServiceNow instance, they can be correlated with the Correlation ID of the Security Incident. If the state of the Security Incident is updated, the app calls the Devo API to update the status of the corresponding alert in the Devo platform.
This feature leverages the ServiceNow state to the Devo status mapping as defined in the advanced configuration.
Incident priority update
Just like the status, if the priority of the Security Incident is updated, the app calls the Devo API to update the priority of the corresponding alert in the Devo platform.
This feature leverages the ServiceNow Priority to the Devo priority mapping as defined in the advanced configuration.
Troubleshooting
ServiceNow logs different information (info, debug, error). The application logs can be checked in System Logs → System Log → Application Logs. Note that you need the System Administrator (admin) role to see this area.