How to create a two-method integration between AWS Security ServiceNow and Hub

If you are using both AWS Security Hub and ServiceNow, the brand new AWS Service Management Connector for ServiceNow integration allows you to provision, manage, and operate your AWS resources through ServiceNow natively. In this website post, I’ll demonstrate how to create the new two-method integration of Protection Hub and ServiceNow utilizing the AWS Service Administration Connector for ServiceNow. As a ServiceNow administrator, with this particular integration it is possible to automatically create ServiceNow issue or incident tickets from AWS Security Hub results, so when you update those tickets in ServiceNow, the changes are replicated back to the initial Security Hub findings automatically. For example, if you resolve the ticket in ServiceNow, the workflow status of the finding in Safety Hub will undoubtedly be resolved also.


To perform this walkthrough, you shall require a ServiceNow instance available, with the connector configured. To find out more on how to place this up, observe AWS Service Administration Connector for ServiceNow in the AWS Provider Catalog Administrator Tutorial.

On the AWS side, you will need AWS Security Hub allowed in your AWS account. To learn more, notice Enabling Protection Hub manually in the AWS Safety Hub User Information.

An &lt can be used by this walkthrough;a href=”https://aws.amazon.com/cloudformation/” focus on=”_blank” rel=”noopener noreferrer”>AWS CloudFormation template to generate the required AWS resources because of this integration. In this illustration, The AWS can be used by me Area us-east-1, but you may use the supported Areas for Protection Hub.

To download and work the CloudFormation template

  1. Download the sample template provided because of this walkthrough.
  2. Open up the AWS CloudFormation console, select Create stack, select With new assets (standard), and choose Template is set. In Specify template, select Upload a template document and utilize the template downloaded in step one 1.

To generate the CloudFormation stack

  1. In the CloudFormation console, choose Specify stack points, and enter a Stack title (in the instance, I called mine SecurityHub-ServiceNow-Integration). Leave another default ideals as shown in Shape 1, choose &lt then;strong>Next.
    Figure 1: Developing a CloudFormation stack

    Figure 1: Developing a CloudFormation stack

  2. On the Configure stack choices page, select Next.
  3. On the Evaluation page, choose the check package We acknowledge that AWS CloudFormation may create IAM sources with custom names, mainly because shown in Body 2. (Optional) If you want more information concerning this acknowledgement, select Learn even more.
  4. Choose Create stack.
    Figure 2: Acknowledge development of IAM assets

    Figure 2: Acknowledge development of IAM sources

  5. Once you start to see the CloudFormation stack as CREATE_COMPLETE, you can view the set of resources which are created, as demonstrated in Determine 3.
    Figure 3: Resources produced from CloudFormation template

    Figure 3: Resources produced from CloudFormation template

Next, you shall integrate ServiceNow with Security Hub.

To integrate ServiceNow with Safety Hub

  1. In the ServiceNow instance, head to AWS Support Management Connector, select Set up, select AWS Accounts, after that select New.
  2. In the Add an AWS accounts&lt servicenow;/strong> page simply because shown in Figure 4, make certain the check container Integrate along with AWS Security Hub is chosen, then select Submit.

    Figure 4: ServiceNow include an AWS account web page

    Figure 4: ServiceNow add a good AWS account web page

  3. In the SecurityHub-ServiceNow-Integration CloudFormation stack that you formerly created, start to see the Outputs area to get the ideals for SCSyncUserAccesKey, SCSyncUserSecretAccesKey, SCEndUserAccessKey, and SCEndUserSecretAccessKey, mainly because shown in Figure 5.
    Number 5: CloudFormation Outputs details

    Figure 5: CloudFormation Outputs information

    Take note: Because that is an illustration walkthrough, The access is showed by me key and key key generated as CloudFormation outputs. However, if the AWS has been utilized by you Service Administration Connector for ServiceNow in a production workload, discover How do you create an AWS gain access to key? to comprehend the connectivity and create the entry key and secret essential for the customers.

  4. In ServiceNow, enter all of the values from the CloudFormation Outputs, and pick the Area you used to start your CloudFormation resources. THE SPOT was chosen by me People East (N. Virginia), because I released my CloudFormation resources because of this walkthrough in us-east-1.
  5. Choose Submit. You need to see the developed account page, as proven in Amount 6.
    Figure 6: Create accounts from ServiceNow

    Figure 6: Create accounts from ServiceNow

The connector is preconfigured to generate ServiceNow incidents for Protection Hub findings automatically. The findings could have the same details in both AWS Safety Hub console along with ServiceNow console.

To check the integration

  1. In the AWS Protection Hub console, select Results on the AWS console. The findings will undoubtedly be populated and you will use among the findings to check the two-way integration. Because of this example, I take advantage of a discovering that reports among my AWS accounts IAM customers with credentials unused for 3 months or more, as demonstrated in Physique 7.

    Shape 7: Security Hub selecting

    Figure 7: Security Hub locating

  2. In the view from ServiceNow, searching for Security Hub and start to see the same finding, as proven in Body 8.
    Amount 8: Security Hub obtaining in ServiceNow

    Figure 8: Security Hub finding inside ServiceNow

  3. To start to see the incident watch in ServiceNow, close to the Incident field, pick the Details icon (Information icon) simply because shown in Figure 8, after that choose Open up report.
  4. The urgency in ServiceNow is mapped to the severe nature in Safety Hub findings. As demonstrated in Number 9, the Urgency is defined to 2 – Moderate. This placing corresponds to the AWS console Protection Hub getting Severity label established to Moderate, as shown in Figure 7 formerly.
    Figure 9: Incident see in ServiceNow

    Figure 9: Incident view inside ServiceNow

  5. It is possible to set the Urgency as applicable to the finding and its own impact. In this walkthrough, you are likely to set it as 1-Large.
  6. In ServiceNow, modification the Urgency to 1 – Higher. In this example, I include optional work notes also, as shown in Shape 10. The ongoing work notes is only going to be visible in ServiceNow. Choose &lt then;strong>Upgrade.
    Determine 10: Updated incident urgency inside ServiceNow

    Figure 10: Updated incident urgency inside ServiceNow

  7. In the Security Hub console, you can observe the finding’s Severity label is up-to-date to Great, mainly because shown in Figure 11. However, the ongoing work notes aren’t visible.
    Number 11: Security Hub severity up-to-date

    Figure 11: Safety Hub severity updated

  8. To solve the problem in ServiceNow, pick the incident, and for Resolution program code go for Solved (Permanently), as shown in Body 12.
    Shape 12: Resolve the incident inside ServiceNow

    Figure 12: Resolve the incident inside ServiceNow

  9. In the Security Hub console for the associated finding, you can view that the Workflow standing has up-to-date to RESOLVED, simply because shown in Figure 13.
    Body 13: Security Hub resolving the workflow

    Figure 13: Protection Hub resolving the workflow

As a ServiceNow administrator, it is possible to edit the system attributes in ServiceNow to choose the severe nature of AWS Safety Hub findings which are used to generate ServiceNow incidents.

To choose the severe nature of findings used to generate incidents

  1. In ServiceNow, in the AWS Security Hub system properties, choose the check boxes for the severities you need to create incidents for, as proven in Figure 14.
    Amount 14: System qualities for Security Hub inside ServiceNow

    Figure 14: System properties for Protection Hub inside ServiceNow

  2. In the ServiceNow page for AWS Security Hub system attributes, you might also need the option to choose the recommended plan of action to be studied when new Security Hub results are synced. As demonstrated in the last steps, the default would be to create an incident, nevertheless, you can choose to develop a problem also, or create both incident and problem, or do nothing at all.

Bottom line

In this website post, I demonstrated you how exactly to setup the brand new two-way integration of AWS Security Hub and ServiceNow utilizing the AWS Services Management Connector for ServiceNow.

For more information around ServiceNow’s integration with Safety Hub, watch the movie AWS Protection Hub – Bidirectional integration with ServiceNow ITSM, and find AWS Service Administration Connector for ServiceNow in the AWS Assistance Catalog Administrator Manual.

To download the free of charge AWS Service Administration Connector for ServiceNow, start to see the ServiceNow App Shop. When you have additional questions, please write-up them to AWS Community forums.

Should you have feedback concerning this post, submit remarks in the Remarks area below.

Want a lot more AWS Security how-to articles, news, and show announcements? Stick to us on Twitter.


%d bloggers like this: