
McAfee SIEM and ServiceNow Integration

Hi,

Please let me know the possibility of McAfee SIEM and ServiceNow integration. I would like to have tickets created by ServiceNow automatically for alerts in McAfee SIEM.

Thanks,

0 Kudos
5 Replies
exbrit
Level 21

Re: McAfee SIEM and ServiceNow Integration

Moved to SIEM for better handling

---

Peter

Moderator

0 Kudos
syed_rizvi
Level 10

Re: McAfee SIEM and ServiceNow Integration

I haven't done it myself, but others have done it successfully following the information below.

Automatically create an incident through email for a custom application.

https://community.servicenow.com/thread/171752

Create Incident from Email

https://community.servicenow.com/thread/186200

Home > Administer > Service Administration > Notifications > Inbound Email Actions

http://wiki.servicenow.com/?title=Inbound_Email_Actions#gsc.tab=0

Hope this helps.

Thanks,

Syed Rizvi

0 Kudos
itgfcsys
Level 9

Re: McAfee SIEM and ServiceNow Integration

We have also used the Service Now API via a "utility server". The SNOW API is very well documented and uses REST/JSON. We also had on the road map to pull past tickets related to the host in the current ticket.

Rick

0 Kudos
rth67
Level 12

Re: McAfee SIEM and ServiceNow Integration

We have it set up via email. We just have to get a unique code from the Service-Now admins for each alarm we intend to send; this code, which is placed in the body of the message (at the top), lets Service-Now know which field mappings and Incident type to create. We work with the Service-Now admins to map the fields we intend to include in the message (providing sample messages), and then figure out where those would map to in Service-Now.

0 Kudos
rth67
Level 12

Re: McAfee SIEM and ServiceNow Integration

We are trying to expand the usage of Service Now to create Incidents in our new Security Operations Management module with multiple lines of text in the description. To do so, our instance of Service-Now is set up to use [$$ and $$] between any text you want to be added to the "Description" if using multiple lines of data.

However, the inserted alarm fields already use [$ and ] to enclose specific field data, and thus we are having issues. We are working with the Service-Now admins to change to ($$ and $$).

Using an escape character of \ does not seem to work, in other words: \[$$ or \[\$\$

Description

  • Single line of text or multiple lines wrapped in tokens Description: [$$ description text $$].
  • Multi-line:
    • The line must begin with "description: [$$" (case insensitive)
    • The description must be ended with the token "$$]"
    • Example:

Description: [$$ I cannot login to Oracle.

I’m getting a 404 error on the login page.

I suspect the DNS server is down.

$$]

  • Single-line - use the simple body code:
    • Example:

  description:  I cannot login to Oracle.

0 Kudos
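The description rules quoted in the last post, as an added example that is not part of the thread and not Service-Now's or McAfee's own code: a parser that follows only those rules, plus a sender-side helper that keeps alarm data from closing the block early. The function names and the space-insertion neutralisation are assumptions; a real instance's inbound email action may parse differently.

```python
import re

OPEN, CLOSE = "[$$", "$$]"  # tokens quoted in the post above
# Rule from the post: the line must begin with "description: [$$" (case insensitive)
_MULTI = re.compile(r"^description:\s*\[\$\$", re.IGNORECASE)
_SINGLE = re.compile(r"^\s*description:\s*(.*)$", re.IGNORECASE)


def build_description(text):
    """Render alarm text as a token-wrapped description block for the email body."""
    # Alarm fields carry values taken from logs, so the closing token can occur
    # inside them and end the block early. Splitting it with a space is an
    # assumed neutralisation, not a documented Service-Now escape.
    safe = text.replace(CLOSE, "$$ ]")
    return f"Description: {OPEN} {safe}\n{CLOSE}"


def parse_description(body):
    """Extract the description from an email body using the quoted rules.

    Returns None when the body has no description line and raises ValueError
    when a block is opened with [$$ but never closed with $$].
    """
    lines = body.splitlines()
    for i, line in enumerate(lines):
        m = _MULTI.match(line)
        if m:
            # Everything after the opening token, up to the first closing token.
            rest = "\n".join([line[m.end():]] + lines[i + 1:])
            end = rest.find(CLOSE)
            if end == -1:
                raise ValueError("description opened with [$$ but no $$] found")
            return rest[:end].strip()
        m = _SINGLE.match(line)
        if m:
            # Simple single-line form: "description: text"
            return m.group(1).strip()
    return None
```
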