Collect ServiceNow Security logs

Supported in:

Overview

This parser extracts security event data from ServiceNow JSON logs, mapping relevant fields to the UDM. It handles various event types like logins and permission changes, populating principal/target user information, IP addresses, and metadata like vendor and product details.

Before you begin

  • Ensure that you have a Google SecOps instance.
  • Ensure that you have privileged access to ServiceNow Security.

Configure a feed in Google SecOps to ingest the ServiceNow Security logs

  1. Go to SIEM Settings > Feeds.
  2. Click Add new.
  3. In the Feed name field, enter a name for the feed (for example, ServiceNow Security Logs).
  4. Select Webhook as the Source type.
  5. Select ServiceNow Security as the Log type.
  6. Click Next.
  7. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
    • Asset namespace: the asset namespace.
    • Ingestion labels: the label applied to the events from this feed.
  8. Click Next.
  9. Review the feed configuration in the Finalize screen, and then click Submit.
  10. Click Generate Secret Key to generate a secret key to authenticate this feed.
  11. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  12. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  13. Click Done.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.

    Go to Credentials

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.

  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

    X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET

    Recommendation: Specify the API key as a header instead of specifying it in the URL.

  3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

    ENDPOINT_URL?key=API_KEY&secret=SECRET

    Replace the following:

    • ENDPOINT_URL: the feed endpoint URL.
    • API_KEY: the API key to authenticate to Google SecOps.
    • SECRET: the secret key that you generated to authenticate the feed.

Configure Webhook in ServiceNow

  1. Sign in to ServiceNow Security with privileged account.
  2. Go to Configuration > Monitoring > Connections.
  3. Click add .
  4. Select Webhook.
  5. Specify values for the following parameters:
    • Name: Provide a descriptive name for the webhook (for example, Google SecOps).
    • URL: Enter the Google SecOps ENDPOINT_URL with API_KEY and SECRET.
  6. Click Save to complete the webhook configuration.

UDM Mapping

Log field UDM mapping Logic
created_by target.user.userid Mapped to target.user.userid if snc_user is empty.
event metadata.product_event_type Directly mapped from the raw log field "event".
event_created metadata.event_timestamp.seconds Converted to seconds from the raw log field "event_created" using the date filter.
ip_address principal.ip Directly mapped from the raw log field "ip_address" if not empty.
snc_user target.user.userid Directly mapped from the raw log field "snc_user" if not empty.
user principal.user.userid Directly mapped from the raw log field "user" if not empty or "null".
extensions.auth.type Set to "MACHINE" if the event field is "Failed Login", "SNC Login", "Admin Login", or "Impersonation".
metadata.event_type Set to "USER_LOGIN" if the event field is "Failed Login", "SNC Login", "Admin Login", or "Impersonation". Set to "USER_CHANGE_PERMISSIONS" if the event field is "Security Elevation".
metadata.log_type Hardcoded to "SERVICENOW_SECURITY".
metadata.product_name Hardcoded to "SERVICENOW_SECURITY".
metadata.vendor_name Hardcoded to "SERVICENOW".
principal.user.userid Set to "UNKNOWN" if the user field is empty or "null".