Amazon Onboarding with Learning Manager Chanci Turner


This article will guide you through the process of sending Amazon Inspector’s Common Vulnerabilities and Exposures (CVE) findings to the ServiceNow Security Operations (SecOps) module. As of now, there is no built-in adapter from Amazon Web Services (AWS) to the ServiceNow SecOps module, so a custom integration is needed. We will illustrate how to use ServiceNow’s native RESTful API to build a custom interface that an AWS Lambda function can call to transmit the CVE findings that Amazon Inspector publishes to AWS Security Hub on to the ServiceNow SecOps module.

ServiceNow is recognized as a leading provider of cloud-based services that streamline enterprise IT operations and is an AWS Partner.

Use Case

Imagine you are part of a vulnerability management team within your organization, which relies on ServiceNow as its centralized Customer Service Management (CSM) system. Your task is to relay all AWS CVE findings to the ServiceNow SecOps module. Given the absence of a native adapter, you can utilize a custom ServiceNow RESTful API to accomplish this mission. Importantly, this solution can be adapted for any generic API to any system or CSM that requires such information.

Scope and Assumptions

This post focuses on the interface connecting to a “staging table” in ServiceNow SecOps that collects CVE findings. We assume your organization has a ServiceNow Administrator who will gather these findings and create the transformation map needed to transfer the findings to the Vulnerable Items table in the ServiceNow SecOps module.

Architecture Overview

Let’s examine the high-level architecture to understand the flow.

  1. Amazon Inspector sends all generated CVE findings to AWS Security Hub.
  2. AWS Security Hub generates an event for each Amazon Inspector finding it receives and automatically forwards these events to Amazon EventBridge.
  3. An event rule captures all CVE findings events and relays them to a target Lambda function.
  4. Before the Lambda function can invoke the custom ServiceNow API, it retrieves the necessary secrets from AWS Secrets Manager for authentication.
  5. The Lambda function uses those secrets (the ServiceNow endpoint, username, and password) to call the ServiceNow RESTful API and transmit information such as the Amazon Elastic Compute Cloud (Amazon EC2) instance ID, the corresponding CVE IDs, the CVSS score, and the remediation text to the custom CVE staging table in ServiceNow.

As an optional enhancement, we incorporated an Amazon DynamoDB table to log any errors encountered during the RESTful API call, such as invalid credentials or connectivity issues with ServiceNow. The details include the ServiceNow API error message, event information, and failed payloads, e.g., a 401 error indicating that the secret credentials require attention from a ServiceNow Administrator.

In this article, we also provide an AWS CloudFormation template that automates much of the setup, except for the RESTful API in ServiceNow, for which we will offer further guidance.

Create the ServiceNow Custom API

First, you’ll need to coordinate with your ServiceNow administrator to obtain the necessary system credentials for accessing your organization’s ServiceNow instance. Alternatively, you can request a personal developer instance from ServiceNow to conduct end-to-end testing.

ServiceNow Developer Instance for Learning

It’s essential to have a ServiceNow instance for development. If you need a test instance with the appropriate credentials, you can request a personal developer instance from ServiceNow, which grants you complete control. You can register for a developer instance of ServiceNow. Note that if you’re using a new developer instance, ServiceNow will generate a username and password with admin privileges that allow you to test this proof of concept (PoC).

If you don’t already have the Security Operations application installed, you can do so from the ServiceNow Store. However, you can proceed with the API exercises on your developer instance even if the vulnerability response application isn’t installed.

Create the RESTful API

To establish the ServiceNow RESTful API, navigate to the ServiceNow console, filter for “System Web Services,” and select Create New. The Application field will likely default to Global. To target the Vulnerable Items table, you’ll need to change the Application value to Vulnerability Response, which will then allow you to select Vulnerable Items from your Target Table dropdown.

To set up the staging table, we will begin with three fields; feel free to add more, up to the full set of Amazon Inspector finding fields. For this demonstration, we focus only on the instance ID, the CVE ID, and the CVSS2 score for each CVE. Leave the Create Transform Map box unchecked: building the transform map is the step in which your ServiceNow System Admin customizes how the values in the staging table map to the Vulnerable Items table.

The required fields for the demo are as follows:

  • CVE ID becomes u_cve_id
  • CVSS2 score becomes u_cvss2_score
  • Instance ID becomes u_instance_id

After creating the API, you will see options for AWS CVE Findings and Explore Rest API at the bottom of the form. Select Explore Rest API, which will open ServiceNow’s REST API Explorer page, providing an interface to examine the API with necessary headers, code examples, and the API name.

The staging table API will be formatted as follows:

POST https://demo.service-now.com/api/now/import/{stagingTableName}

Using our table name, the API would look like this:

https://demo.service-now.com/api/now/import/u_aws_cve_findings

Now, we have three essential parameters to continue:

  1. ServiceNow API
  2. Username
  3. Password
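The following is an added example, not code from the original post, of the Lambda-side logic that step 5 of the architecture describes: it flattens a Security Hub finding event into rows named after the staging-table columns above and POSTs each row to the import API with HTTP basic authentication, returning a result the caller can log to the error table instead of raising. It assumes the event follows the AWS Security Finding Format (ASFF), that the Secrets Manager lookup has already been done (credentials are passed as parameters), and the sample event is constructed for illustration.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample of a Security Hub "Findings - Imported" EventBridge event
# carrying one Amazon Inspector CVE finding (field names follow the ASFF schema).
SAMPLE_EVENT = {"detail": {"findings": [{
    "Resources": [{"Type": "AwsEc2Instance",
                   "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123example"}],
    "Vulnerabilities": [{"Id": "CVE-0000-00000",
                         "Cvss": [{"Version": "2.0", "BaseScore": 7.5},
                                  {"Version": "3.1", "BaseScore": 9.8}]}],
    "Remediation": {"Recommendation": {"Text": "Apply the vendor package update."}},
}]}}

def build_payloads(event):
    """Flatten each finding into one row per (instance, CVE) using the staging-table column names."""
    rows = []
    for finding in event.get("detail", {}).get("findings", []):
        instances = [r["Id"].rsplit("/", 1)[-1] for r in finding.get("Resources", [])
                     if r.get("Type") == "AwsEc2Instance"]
        for vuln in finding.get("Vulnerabilities", []):
            # Only the CVSS v2 base score is stored in the demo column; a finding
            # without a v2 score is sent with an empty value rather than dropped.
            cvss2 = next((c["BaseScore"] for c in vuln.get("Cvss", [])
                          if str(c.get("Version", "")).startswith("2")), "")
            for instance_id in instances:
                rows.append({"u_instance_id": instance_id,
                             "u_cve_id": vuln["Id"],
                             "u_cvss2_score": str(cvss2)})
    return rows

def basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def _http_post(req):
    """Real transport: returns (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def post_row(row, endpoint, username, password, transport=_http_post):
    """POST one row to the import API; returns (ok, detail) so failures can be logged."""
    req = urllib.request.Request(endpoint, data=json.dumps(row).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Accept": "application/json",
                                          "Authorization": basic_auth_header(username, password)})
    status, body = transport(req)
    if status == 401:  # the case the error table is meant to surface to a ServiceNow admin
        return False, "401 from ServiceNow: credentials in Secrets Manager need attention"
    return 200 <= status < 300, f"{status}: {body[:200]}"
```

The `transport` parameter exists so the handler can be exercised without network access; in the deployed function the default real transport is used with the endpoint `https://demo.service-now.com/api/now/import/u_aws_cve_findings` from above.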


Chanci Turner