Collect ServiceNow Security logs

Supported in:

Overview

This parser extracts security event data from ServiceNow JSON logs, mapping relevant fields to the UDM. It handles various event types like logins and permission changes, populating principal/target user information, IP addresses, and metadata like vendor and product details.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance.
  • Privileged access to ServiceNow Security.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds
  • Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, ServiceNow Security Logs.
  5. Select Webhook as the Source type.
  6. Select ServiceNow Security as the Log type.
  7. Click Next.
  8. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
  9. Click Next.
  10. Review the feed configuration in the Finalize screen, and then click Submit.
  11. Click Generate Secret Key to generate a secret key to authenticate this feed.
  12. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  13. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  14. Click Done.

Set up feeds from the Content Hub

Specify values for the following fields:

  • Split delimiter: the delimiter that is used to separate log lines, such as \n.

Advanced options

  • Feed Name: A prepopulated value that identifies the feed.
  • Source Type: Method used to collect logs into Google SecOps.
  • Asset Namespace: Namespace associated with the feed.

  • Ingestion Labels: Labels applied to all events from this feed.

  • Click Generate Secret Key to generate a secret key to authenticate this feed.

  • Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.

  • From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.

    Go to Credentials

  2. Click Create credentials, and then select API key.

  3. Restrict the API key access to the Google Security Operations API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.

  2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

    X-goog-api-key = API_KEY
X-Webhook-Access-Key = SECRET

    Recommendation: Specify the API key as a header instead of specifying it in the URL.

  3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

    ENDPOINT_URL?key=API_KEY&secret=SECRET

    Replace the following:

    • ENDPOINT_URL: the feed endpoint URL.
    • API_KEY: the API key to authenticate to Google SecOps.
    • SECRET: the secret key that you generated to authenticate the feed.

Configure Webhook in ServiceNow

  1. Sign in to ServiceNow Security with privileged account.
  2. Go to Configuration > Monitoring > Connections.
  3. Click add .
  4. Select Webhook.
  5. Specify values for the following parameters:
    • Name: Provide a descriptive name for the webhook (for example, Google SecOps).
    • URL: Enter the Google SecOps ENDPOINT_URL with API_KEY and SECRET.
  6. Click Save to complete the webhook configuration.

UDM Mapping

Log field UDM mapping Logic
created_by target.user.userid Mapped to target.user.userid if snc_user is empty.
event metadata.product_event_type Directly mapped from the raw log field "event".
event_created metadata.event_timestamp.seconds Converted to seconds from the raw log field "event_created" using the date filter.
ip_address principal.ip Directly mapped from the raw log field "ip_address" if not empty.
snc_user target.user.userid Directly mapped from the raw log field "snc_user" if not empty.
user principal.user.userid Directly mapped from the raw log field "user" if not empty or "null".
extensions.auth.type Set to "MACHINE" if the event field is "Failed Login", "SNC Login", "Admin Login", or "Impersonation".
metadata.event_type Set to "USER_LOGIN" if the event field is "Failed Login", "SNC Login", "Admin Login", or "Impersonation". Set to "USER_CHANGE_PERMISSIONS" if the event field is "Security Elevation".
metadata.log_type Hardcoded to "SERVICENOW_SECURITY".
metadata.product_name Hardcoded to "SERVICENOW_SECURITY".
metadata.vendor_name Hardcoded to "SERVICENOW".
principal.user.userid Set to "UNKNOWN" if the user field is empty or "null".

Need more help? Get answers from Community members and Google SecOps professionals.