ServiceNow
BeyondInsight allows you to import and export asset data between the BeyondInsight database and your ServiceNow instance using connectors.
You can also configure integration between ServiceNow and the Password Safe Ticket System to allow for ticket validation prior to users gaining access to privileged passwords and sessions. This integration includes options to auto-approve ticket validation, and break glass functionality for emergency approval in the case where ServiceNow is unavailable.
The following connectors can be created in BeyondInsight to connect to your ServiceNow server:
- ServiceNow Export Connector
- ServiceNow Scan Target Collector
- ServiceNow Ticket System
ServiceNow Asset Import Collector
Configure ServiceNow Scan Target Collector
To configure the ServiceNow Scan Target Collector, you must do the following:
- Create a connection to your ServiceNow instance.
- Create a Smart Group with parameters configured to include the assets (host and IP address) to import from ServiceNow. After the Smart Rule is created, the data in the rule is refreshed and exported based on the Smart Rule Action expiration period, which is every hour by default.
Note
BeyondInsight supports only ServiceNow Cloud Solutions.
Create ServiceNow Scan Target Collector
After the connector is tested and saved, each scheduled run retrieves ServiceNow data from the defined table that has an entry in one of the defined fields (valid IP address or DNS defined).
Note
There might be a large number of records to import from ServiceNow. You can change the default value in the RemManagerSvc.exe.config file.
After the data is retrieved, the data is stored in the BeyondInsight database.
- In BeyondInsight, go to Configuration > General > Connectors.
- From the Connectors pane, click Create New Connector.
- Enter a name for the connector.
- Select ServiceNow Scan Target Collector from the Connector Type dropdown list.
- Click Create Connector.
- Select the applicable Organization from the dropdown list.
- Leave Active enabled. Asset data is imported from ServiceNow only when the connector is active.
- Enter a ServiceNow Username and Password. The credentials for the ServiceNow system must provide access to the web service and be able to create requests.
- Enter the ServiceNow instance URL.
- Enter the Source Table. The default value is cmdb_ci_computer.
- Enter the information from the ServiceNow table that you want to import to BeyondInsight. The default values are ip_address and fqdn.
- Set the scheduling options to synchronize ServiceNow with the BeyondInsight database. Time period options change depending on the Frequency.
- Enter the Start date and time for synchronization to begin.
- Click Test Connector to ensure the connection to the ServiceNow instance is working.
- Enable Run immediately After Save if desired.
- Click Create Connector.
Create a Smart Group
Once the data is in the BeyondInsight database, you can create a Smart Group based on the ServiceNow assets. When creating the Smart Group, ensure you select ServiceNow Assets from the dropdown in the Selection Criteria.
When the Smart Group processes, the DNS name is always used when it exists. The IP address is used to determine assets in the Smart Group when that option is enabled.
Change the batch size limit for import file
Depending on the environment, there may be a large number of records to import. You can set the importBatchLimit value in the RemManagerSvc.exe.config file, located in the BeyondInsight installation directory. The default limit set in the file is 5000. You cannot enter a value greater than 10000.
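The sketch below is an added example, not BeyondInsight code. It models the selection rule described in this section so you can see which CMDB rows would yield a scan target and which would be left out before you enable the collector. The sample rows are constructed, and the batch count assumes records are imported importBatchLimit at a time.

```python
import ipaddress
import math

MAX_BATCH_LIMIT = 10000  # upper bound for importBatchLimit stated on this page


def select_scan_targets(rows, ip_field="ip_address", dns_field="fqdn"):
    """Split CMDB rows into usable scan targets and rejected rows.

    A row qualifies when it has a DNS name or a valid IP address; the DNS
    name is used as the target whenever it exists.
    """
    targets, rejected, seen = [], [], set()
    for row in rows:
        dns = (row.get(dns_field) or "").strip().lower()
        raw_ip = (row.get(ip_field) or "").strip()
        try:
            ip = str(ipaddress.ip_address(raw_ip)) if raw_ip else None
        except ValueError:
            ip = None  # malformed address: only a DNS name can save this row
        target = dns or ip
        if target is None:
            rejected.append((row.get("sys_id"), raw_ip or "<empty>"))
        elif target not in seen:  # report each target once
            seen.add(target)
            targets.append({"target": target, "kind": "dns" if dns else "ip"})
    return targets, rejected


def batches_needed(record_count, import_batch_limit=5000):
    """Batch count, assuming records are imported import_batch_limit at a time."""
    if not 1 <= import_batch_limit <= MAX_BATCH_LIMIT:
        raise ValueError("importBatchLimit must be between 1 and 10000")
    return math.ceil(record_count / import_batch_limit)


# Constructed sample rows, shaped like cmdb_ci_computer records.
SAMPLE_ROWS = [
    {"sys_id": "a1", "ip_address": "10.20.0.15", "fqdn": "db01.corp.example"},
    {"sys_id": "a2", "ip_address": "10.20.0.16", "fqdn": ""},
    {"sys_id": "a3", "ip_address": "10.20.0.300", "fqdn": ""},  # invalid octet
    {"sys_id": "a4", "ip_address": "", "fqdn": None},  # nothing usable
    {"sys_id": "a5", "ip_address": "not-set", "fqdn": "WEB02.corp.example"},
    {"sys_id": "a6", "ip_address": "10.20.0.16", "fqdn": ""},  # duplicate of a2
]

if __name__ == "__main__":
    found, skipped = select_scan_targets(SAMPLE_ROWS)
    print(found, skipped, batches_needed(len(found)))
```

Rejected rows are assets that would never reach a scan, so they are worth correcting in the CMDB rather than ignoring.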
ServiceNow Export Connector
There are two steps to configure a ServiceNow export connector:
- Create a connection to your ServiceNow instance.
- Create a Smart Group with parameters configured to include the assets (and data) to export to ServiceNow. After the Smart Rule is created, the data in the rule is refreshed and exported based on the Smart Rule Action expiration period, which is every hour by default.
Create ServiceNow export connector
Follow the steps below to create the connector:
- In BeyondInsight, go to Configuration > General > Connectors.
- From the Connectors pane, click Create New Connector.
- Enter a name for the connector.
- Select ServiceNow Export Connector from the Connector Type dropdown list.
- Click Create Connector.
- Select the applicable Organization from the dropdown list.
- Leave Active enabled. Asset data is imported from ServiceNow only when the connector is active.
- Enter a ServiceNow Username and Password. The credentials for the ServiceNow system must provide access to the web service and be able to create requests.
- If you are using an older version of ServiceNow and you are using update sets, enable the Using Update Set option.
- Enable Asset Export Active.
- Enter the URL to the ServiceNow instance in Asset Web Service URL box.
- Select desired Extended Field Mappings from the list.
- Click Create Mapping and enter the field mappings according to which export options you selected. Available fields and suggested field mappings are detailed in the sections below.
- Click Test Connector to ensure the connection to the ServiceNow instance is working.
- Click Create Connector.
Create field mappings for exporting assets
When creating field mappings, the following must be considered:
- Asset ID must be mapped to a ServiceNow field.
- The ServiceNow field name must be mapped if assets are being exported.
These BeyondInsight asset fields are available for export:
- Asset ID
- Asset Name
- Dns Name
- Ip Address
- Operating System
- Workgroup
- SmartGroup Name
- Date Added
- Last Updated
- Literal Value (Enter Literal Value)
Suggested field mappings
ServiceNow Field | Data Type | Asset Field | Literal Value |
---|---|---|---|
correlation_id or custom correlation_id field | String | Asset ID | |
correlation_display or custom correlation_display field | String | (Literal Value) | BeyondInsight Asset |
name | String | Asset Name | |
ip_address | String | IP Address | |
Os | String | Operating System | |
Map other fields as determined by user requirements.
Create a Smart Group
Assets exported are defined in the Smart Group. After the Smart Group is created, the data in the rule is processed and exported every hour.
Note
You can change the processing time in the RemManagerSvc.exe.config file.
- From the Smart Rules page in BeyondInsight, configure a Smart Group as usual.
- In the Actions area, select Export Data.
- Select the name of the connector.
- Select an audit group from the list.
- Enter the expiration period in days.
Note
Assets (depending on what is defined in the collector details) are only exported once in the defined expiration period. However, an asset may be exported more than once if, for any reason, the item is excluded from the Smart Group but is re-included later. After the expiration period passes, if that asset or vulnerability remains in the Smart Group, it is exported again.
Change the data export processing frequency
You can set the data export processing frequency value in the RemManagerSvc.exe.config file, located in the BeyondInsight installation directory, by changing the referenceTime value.
<!-- Data export processor. This exports Assets and/or Vulnerabilities to external systems such as BMC Remedy. -->
<Process name="DataExportProcessor" assembly="" order="13" active="true" accessType="internal">
<Handlers>
<Handler name="DataExportHandler" handlerType="1" runFrequency="1" frequencyType="h" referenceTime="1:00" namespace="" order="0" active="true"></Handler>
</Handlers>
</Process>
Note
For BeyondInsight version 21.2 and later releases, the data export processor does not export vulnerabilities.
Import the BeyondInsight update set
The update set provides the BeyondInsight modules and menus in your ServiceNow instance. The BeyondInsight update set file you must import into your ServiceNow instance is located in the following installation directory on Windows 2022 appliances:
%Program Files (x86)%\BeyondTrust\BeyondInsight\ServiceNow
Note
For Windows 2016 appliances, the installation directory is %\Program Files(x86)\eEye Digital Security\Retina CS\ServiceNow.
Note
For more information on transferring update sets in ServiceNow, please see Update set transfers.
ServiceNow Ticket System
The process to configure ServiceNow with Password Safe is as follows:
- Create the integration user in ServiceNow. This integration user is used to configure the connector and functional account in the next steps.
- Assign the user the itil role in ServiceNow.
- Create a ServiceNow Ticket System connector in BeyondInsight to your ServiceNow instance.
- Create a functional account and associate that with the ServiceNow connector.
- Add the ServiceNow Ticket System to Password Safe.
Note
For any tickets being verified, you must ensure the Requestor is populated in the Assigned To field in the ServiceNow web portal. The User ID here must match the Password Safe User ID. Tickets must also be associated with a ticket table extending from the Task table.
Create ServiceNow Ticket System connector
Follow these steps to create the connector:
- In BeyondInsight, go to Configuration > General > Connectors.
- From the Connectors pane, click Create New Connector.
- Enter a name for the connector.
- Select ServiceNow Ticket System from the Connector Type dropdown list.
- Click Create Connector.
- Enter the following details for your ServiceNow system:
- Instance URL: Provide the URL for the ServiceNow environment.
- Table Name (Optional): If applicable, enter the appropriate table name.
- User ID Mapping: Select the User ID format used in the ServiceNow instance. This validates that users in Password Safe are assigned to the ticket in ServiceNow. The options are:
- User Name
- User Principal Name
- Email Address
- Username and Password: Provide credentials to be used to authenticate with ServiceNow. The credentials are used only on this configuration page. The user must be a member of a role containing an ACL for the sys_choice table value field with Read access.
- Ticket Field Mappings: Add field mappings to further validate tickets. You can map against Password Safe checkout start and end date and the system being accessed, as well as literal values, which is useful for validating the ticket's state. Username is validated separately.
- Click Test Connector to ensure connectivity to your ServiceNow server is successful.
- Click Create Connector.
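The following pre-check is an added example, not BeyondInsight or ServiceNow code. It applies the conditions described above (Assigned To matches the requestor, a literal state value, the checkout window) to a ticket record, which helps explain why a ticket is rejected. The field names, exact-match comparison, and window rule are assumptions of this example, and the sample record is constructed.

```python
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"  # date/time string format in Table API results
# Ticket field compared for each "User ID Mapping" option (assumption of this
# example; User Principal Name is left out because the page does not say
# which ServiceNow field holds it).
MAPPING_FIELD = {"User Name": "assigned_to.user_name",
                 "Email Address": "assigned_to.email"}


def check_ticket(ticket, requestor_id, mapping, literals, checkout):
    """Return the reasons a ticket would fail these checks (empty list = pass)."""
    problems = []
    assigned = (ticket.get(MAPPING_FIELD[mapping]) or "").strip()
    if not assigned:
        problems.append("Assigned To is empty")
    elif assigned != requestor_id:  # exact match, the strictest reading
        problems.append(f"Assigned To {assigned!r} is not the requestor")
    for field, expected in literals.items():  # literal mappings, e.g. state
        if ticket.get(field) != expected:
            problems.append(f"{field} is {ticket.get(field)!r}, expected {expected!r}")
    start = datetime.strptime(ticket["start_date"], TS)
    end = datetime.strptime(ticket["end_date"], TS)
    if not (start <= checkout[0] and checkout[1] <= end):
        problems.append("checkout window is outside the ticket window")
    return problems


# Constructed record, shaped like a Table API result for change_request with
# dot-walked assigned_to fields and display values.
SAMPLE_TICKET = {
    "number": "CHG0000001",
    "assigned_to.user_name": "jdoe",
    "assigned_to.email": "jdoe@corp.example",
    "state": "Implement",
    "start_date": "2024-05-01 09:00:00",
    "end_date": "2024-05-01 17:00:00",
}

if __name__ == "__main__":
    window = (datetime(2024, 5, 1, 10), datetime(2024, 5, 1, 18))
    for line in check_ticket(SAMPLE_TICKET, "jdoe", "User Name",
                             {"state": "Implement"}, window):
        print("FAIL:", line)
```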
Create a functional account in Password Safe
Once you have created the connector, follow these steps to create the functional account:
- From the left sidebar in BeyondInsight, click Configuration.
  The Configuration page displays.
- Under Privileged Access Management, click Functional Accounts.
  The Functional Accounts page displays.
- Click + Create New Functional Account.
  The Create New Functional Account form displays in the right panel.
- Select Ticket System from the Entity Type dropdown.
- Select ServiceNow from the Platform dropdown.
- Enter the Username and Password for ServiceNow. The credentials are the same used when entering ticket details in ServiceNow.
- From the Search Connectors dropdown, select the ServiceNow connector (created using the process above).
- Enter an Alias and, if required, a Description for the account.
- Click Create Functional Account.
Create a ServiceNow Ticket System in Password Safe
With the connector and functional account created, follow these steps:
- From the left sidebar in BeyondInsight, click Configuration.
  The Configuration page displays.
- Under Privileged Access Management, click Ticket Systems.
  The Ticket Systems page displays.
- Click Create New Ticket System +.
  The New Ticket System Details form displays in the right panel.
- Select ServiceNow Ticket System from the Platform dropdown menu.
- Select the functional account from the dropdown menu (created using the process above).
- Enter a Name for the system.
- If desired, enter a Description, Access Policy Certificate Code Name, and Access Policy Code.
- Enable the options for features you want. Options are:
- Auto Approve on Ticket Number Validation
- Enable Emergency Approval Without Ticket Number
- Make Ticket System the Default
- Click Create Ticket System when done.
Note
The Access Policy Certificate Common Name and Access Policy Code fields are not used.