Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo Video
Moderator
Posts: 58
Registered: ‎06-21-2017
Moderator kzettel

How Security Incident Response (SIR) differs from Incident Management:

 

  1. SIR simplifies identification of critical incidents and provides workflow and automation tools to speed up remediation.
  2. With SIR, teams can create customized workflows based on your organization’s own security runbook to ensure company best practices are followed.
  3. With SIR, it’s easier to view and track response tasks that run in parallel. The system will remind assignees if their tasks aren’t completed on time per Service Level Agreement (SLA) thresholds, or it can escalate tasks if necessary.
  4. SIR will speed up response and allow your security team to spend more time hunting complex threats by automating basic tasks, including approval requests, malware scans, or the retrieval of running processes.
  5. SIR has a security knowledge base (KB) which adds additional information, and relevant KB articles are automatically associated with incidents for reference.
  6. With SIR, all activities in an incident lifecycle, from analysis and investigation to containment and remediation, are tracked in the platform. Once an incident is closed, assessments are distributed across the team and a time-stamped post-incident review is automatically created as a historical audit record.

 

 

 

 

In the attached documents you will find the templates for the ServiceNow integration in txt format. The templates are provided “as-is” and should be tested in your lab environment and modified as needed before implementing them into production.

 

The templates require extensible attributes described in the table below. It is recommended to inherit attributes with the default values from the network view level.

 

| Extensible Attributes | Description |
| --- | --- |
| ServiceNow_LastIncidentSentAt | Provides the last time an asset sent an incident to ServiceNow. |
| ServiceNow_Add_Incident | True or False. Defines if an object should create an incident on ServiceNow. |
| ServiceNow_Event_ID | Provides the Incident number of the last Incident sent to ServiceNow. |
| ServiceNow_Location | Custom field. Determines the location field for the ServiceNow table upon creation. |

 

 

Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Techie
Posts: 8
Registered: ‎06-10-2018
tibby50

I'm curious if anyone has had luck deploying the SNOW > Infoblox integration?

I've had zero luck even getting a response from infoblox.

I get this error no matter what I use as an endpoint:

The request failed: javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name

 

I've essentially thrown in the towel and stuck with python scripts for now. 

Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Moderator
Posts: 58
Registered: ‎06-21-2017
Moderator kzettel

Hello tibby50,

 

I got the SNOW > Infoblox integration to work just fine. Do you have the ServiceNow mid server installed? I haven't seen your error before.

 

Thank you,

Kevin Zettel

Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Techie
Posts: 8
Registered: ‎06-10-2018
tibby50
Yes Kevin, I’m using Mid-server.
I’m just trying to use a basic Get.
Without mid-server I get: unknown server
If I remember correctly.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Moderator
Posts: 58
Registered: ‎06-21-2017
Moderator kzettel

Hello tibby50,

 

Okay, good. Then are you also sure that the instance that you have the mid server installed on, regardless of whether that's Windows or Linux, has access to the Infoblox appliance? You can try pinging the Infoblox appliance from the mid server instance that it's downloaded on. If you get a return, then this is good.

 

Also, are you using the Infoblox DDI activity pack, or are you creating this activity workflow from scratch with a custom REST API GET activity?

 

Thank you,

Kevin Zettel

Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Techie
Posts: 8
Registered: ‎06-10-2018
tibby50
I’ll test the mid-server. Thank you!
I’ve tried both the activity pack, and a new server connection with a Get method.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Techie
Posts: 8
Registered: ‎06-10-2018
tibby50
The dev midserver is able to ping.
I’m using the “test” button on the get method currently. Using a URL as the endpoint. A URL that I get returns from with a browser.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Moderator
Posts: 58
Registered: ‎06-21-2017
Moderator kzettel

Hello tibby50,

 

There could be something configured incorrectly on the activity. Could you post an image of the Inputs, pre processing, execution command, outputs, and conditions with all sensitive information blacked out? If you can't, then my suggestion is to open a ticket with ServiceNow or Infoblox and one of us should get back to you quickly.

 

Thank you,

Kevin Zettel

Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Techie
Posts: 8
Registered: ‎06-10-2018
tibby50

I'm testing directly from the get method (I'll attach images). 

Perhaps that's my problem!

infoblox_GET.png > shows the config I'm testing (top part of the screen)

infoblox_GET2.png > shows the bottom part of the config screen (couldn't get it all in one shot). Also circled the Test button I'm using.

infoblox_GET2_test.png > shows the error I get after using the Test.

Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Moderator
Posts: 58
Registered: ‎06-21-2017
Moderator kzettel

Hello,

 

Sorry for the late reply, I never got an update that you made any more comments. From the images that I'm seeing here I don't see any inputs, and it seems you are using a different option than what I know about. I would suggest asking ServiceNow support to help. If this isn't an option, then I would suggest using the workflow editor as it makes this a lot easier!

 

Hope this helps,

Kevin Zettel

Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Member
Posts: 3
Registered: ‎11-19-2018
abbottj

tibby,

 

Did you find a solution to the javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name error? I'm running into the same error.

 

Thanks,

 

Justin

Re: Infoblox
Techie
Posts: 8
Registered: ‎06-10-2018
tibby50
No, Justin.
We are about to upgrade to London. I’m hoping that will miraculously work.
For now I’m using python to automate my process.
Re: Infoblox
Member
Posts: 3
Registered: ‎11-19-2018
abbottj

We actually only started seeing this error after upgrading to London. Hope you get a different result!

 

Thanks for the quick response.

Re: Infoblox
Member
Posts: 3
Registered: ‎11-19-2018
abbottj

tibby,

 

I was able to resolve my issue by adding the following line to the wrapper-override.conf file on the MID Server.

 

wrapper.java.additional.3=-Djsse.enableSNIExtension=false

Re: Infoblox
Adviser
Posts: 143
Registered: ‎09-09-2015

@abbottj wrote:

tibby,

 

I was able to resolve my issue by adding the following line to the wrapper-override.conf file on the MID Server.

 

wrapper.java.additional.3=-Djsse.enableSNIExtension=false


Thanks for the update!
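
Added example (not part of any post in this thread, and not Infoblox or ServiceNow code): a small audit of the `wrapper.java.additional.N` lines before applying the workaround above. `-Djsse.enableSNIExtension=false` turns SNI off for every outbound TLS connection the MID Server JVM makes, and a reused index such as `.3` can replace a JVM option that is already set. It assumes that an entry in wrapper-override.conf with the same index replaces the base entry; the sample file contents and the function names are constructed for illustration.

```python
import re

# Active (uncommented) lines such as: wrapper.java.additional.3=-Dfoo=bar
ENTRY = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.+?)\s*$")
SNI_OFF = re.compile(r"-Djsse\.enableSNIExtension=false\b")

# Constructed sample of a base wrapper configuration (not a real MID Server file).
BASE = """\
wrapper.java.additional.1=-Dfile.encoding=UTF-8
wrapper.java.additional.2=-Djava.net.preferIPv4Stack=true
wrapper.java.additional.3=-Djdk.tls.client.protocols=TLSv1.2
#wrapper.java.additional.4=-Dexample.disabled=true
"""
# The line from the thread, as it would sit in wrapper-override.conf.
OVERRIDE = "wrapper.java.additional.3=-Djsse.enableSNIExtension=false\n"


def jvm_args(conf_text):
    """Return {index: jvm_option} for active wrapper.java.additional.N lines."""
    args = {}
    for line in conf_text.splitlines():
        m = ENTRY.match(line)  # lines starting with '#' never match
        if m:
            args[int(m.group(1))] = m.group(2)
    return args


def audit(base_text, override_text):
    """Return (findings, first index not used by the base configuration)."""
    base, over = jvm_args(base_text), jvm_args(override_text)
    findings = []
    for idx, opt in sorted(over.items()):
        if idx in base and base[idx] != opt:
            # Assumption: the override entry wins, so the base option is lost.
            findings.append(("shadowed", idx, base[idx]))
        if SNI_OFF.search(opt):
            # System property: applies to all JSSE client connections in the JVM.
            findings.append(("sni-disabled-jvm-wide", idx, opt))
    first_unused_in_base = max(base, default=0) + 1
    return findings, first_unused_in_base


if __name__ == "__main__":
    findings, free = audit(BASE, OVERRIDE)
    for kind, idx, detail in findings:
        print(f"{kind}: index {idx}: {detail}")
    print(f"first index not used by the base configuration: {free}")
```

With SNI disabled, endpoints that choose their certificate by server name may present a default certificate instead, so other HTTPS integrations running through the same MID Server are worth retesting after the change.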
