Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo Video
How Security Incident Response (SIR) differs from Incident Management:
- SIR simplifies identification of critical incidents and provides workflow and automation tools to speed up remediation.
- With SIR, teams can create customized workflows based on your organization’s own security runbook to ensure company best practices are followed.
- With SIR, it’s easier to view and track response tasks that run in parallel. The system will remind assignees if their tasks aren’t completed on time per Service Level Agreement (SLA) thresholds, or it can escalate tasks if necessary.
- SIR will speed up response and allow your security team to spend more time hunting complex threats by automating basic tasks, including approval requests, malware scans, or the retrieval of running processes.
- SIR has a security knowledge base (KB) which adds additional information, and relevant KB articles are automatically associated with incidents for reference.
- With SIR, all activities in an incident lifecycle, from analysis and investigation to containment and remediation, are tracked in the platform. Once an incident is closed, assessments are distributed across the team and a time-stamped post-incident review is automatically created as a historical audit record.
In the attached documents you will find the templates for the ServiceNow integration in txt format. The templates are provided “as-is” and should be tested in your lab environment and modified as needed before implementing them into production.
The templates require extensible attributes described in the table below. It is recommended to inherit attributes with the default values from the network view level.
| Extensible Attributes | Description |
| --- | --- |
| ServiceNow_LastIncidentSentAt | Provides the last time an asset sent an incident to ServiceNow. |
| ServiceNow_Add_Incident | True or False. Defines if an object should create an incident on ServiceNow. |
| ServiceNow_Event_ID | Provides the Incident number of the last Incident sent to ServiceNow. |
| ServiceNow_Location | Custom field. Determines the location field for the ServiceNow table upon creation. |
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
I'm curious if anyone has had luck deploying the SNOW > Infoblox integration?
I've had zero luck even getting a response from infoblox.
I get this error no matter what I use as an endpoint:
The request failed: javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name
I've essentially thrown in the towel and stuck with python scripts for now.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Hello tibby50,
I got the SNOW > Infoblox integration to work just fine. Do you have the ServiceNow MID Server installed? I haven't seen your error before.
Thank you,
Kevin Zettel
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
I’m just trying to use a basic Get.
Without mid-server I get: unknown server
If I remember correctly.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Hello tibby50,
Okay, good. Then are you also sure that the instance you have the MID Server installed on, regardless of whether that's Windows or Linux, has access to the Infoblox appliance? You can try pinging the Infoblox appliance from the instance the MID Server is installed on. If you get a return, then this is good.
Also, are you using the Infoblox DDI activity pack, or are you creating this activity workflow from scratch with a custom REST API GET activity?
Thank you,
Kevin Zettel
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
I’ve tried both the activity pack, and a new server connection with a Get method.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
I’m using the “test” button on the get method currently. Using a url as the endpoint. A url that I get returns from with a browser
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Hello tibby50,
There could be something configured incorrectly on the activity. Could you post an image of the inputs, pre-processing, execution command, outputs, and conditions with all sensitive information blacked out? If you can't, then my suggestion is to open a ticket with ServiceNow or Infoblox, and one of us should get back to you quickly.
Thank you,
Kevin Zettel
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
I'm testing directly from the get method (I'll attach images).
Perhaps that's my problem!
infoblox_GET.png > shows the config I'm testing (top part of the screen)
infoblox_GET2.png > shows the bottom part of the config screen (couldn't get it all in one shot). Also circled the Test button I'm using.
infoblox_GET2_test.png > shows the error I get after using the Test.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Hello,
Sorry for the late reply, I never got an update that you made any more comments. From the images that I'm seeing here I don't see any inputs, and it seems you are using a different option than what I know about. I would suggest asking ServiceNow support to help. If this isn't an option, then I would suggest using the workflow editor, as it makes this a lot easier!
Hope this helps,
Kevin Zettel
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
tibby,
Did you find a solution to the javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name error? I'm running into the same error.
Thanks,
Justin
Re: Infoblox
We are about to upgrade to London. I’m hoping that will miraculously work.
For now I’m using python to automate my process.
Re: Infoblox
We actually only started seeing this error after upgrading to London. Hope you get a different result!
Thanks for the quick response.
Re: Infoblox
tibby,
I was able to resolve my issue by adding the following line to the wrapper-override.conf file on the MID Server.
wrapper.java.additional.3=-Djsse.enableSNIExtension=false
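An added example, not part of the original post and not Infoblox or ServiceNow code: the flag above turns off SNI for the whole MID Server JVM rather than for one endpoint, so this audit parses the wrapper.java.additional.N entries of a base and an override file, reports where the workaround is active, and reports when the chosen index replaces an existing argument. The file contents are constructed samples, and the script assumes the override file's value wins for a duplicated index.

```python
import re

# Constructed sample files (not taken from the thread or from a real MID Server).
BASE_CONF = """\
wrapper.java.additional.1=-Dfile.encoding=UTF-8
wrapper.java.additional.2=-Dexample.base.two=1
wrapper.java.additional.3=-Dexample.base.three=1
"""
OVERRIDE_CONF = """\
# added while troubleshooting unrecognized_name
wrapper.java.additional.3=-Djsse.enableSNIExtension=false
"""

ENTRY = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.+?)\s*$")
SNI_OFF = re.compile(r"-Djsse\.enableSNIExtension=false\b")


def parse_additional(text):
    """Return {index: jvm_argument} for uncommented wrapper.java.additional.N lines."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # lines starting with '#' never match
        if m:
            entries[int(m.group(1))] = m.group(2)
    return entries


def audit(base_text, override_text):
    """List (kind, index, detail) findings for the override file."""
    base, override = parse_additional(base_text), parse_additional(override_text)
    findings = []
    for idx, arg in sorted(override.items()):
        # Assumption: for a duplicated index the override file's value wins.
        if idx in base and base[idx] != arg:
            findings.append(("index-collision", idx, f"replaces {base[idx]!r}"))
        if SNI_OFF.search(arg):
            findings.append(("sni-disabled", idx, "applies to every TLS client connection in this JVM"))
    return findings


def next_free_index(base_text, override_text):
    """Smallest index above everything already used in either file."""
    used = set(parse_additional(base_text)) | set(parse_additional(override_text))
    return max(used, default=0) + 1


if __name__ == "__main__":
    for finding in audit(BASE_CONF, OVERRIDE_CONF):
        print(finding)
    print("next free index:", next_free_index(BASE_CONF, OVERRIDE_CONF))
```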
Re: Infoblox
@abbottj wrote:
tibby,
I was able to resolve my issue by adding the following line to the wrapper-override.conf file on the MID Server.
wrapper.java.additional.3=-Djsse.enableSNIExtension=false
Thanks for the update!
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
06-10-2023 07:00 AM
Hello Everyone, I am new to this group. In my environment we are trying to get an ip address from infoblox using servicenow. I am getting an error.
In my UAT environment, I am getting this error:
Error retrieving IP Address from InfoBlox: View default not found
Also, if someone can provide a step-by-step on how to set up integration with ServiceNow and Infoblox, I would really appreciate it.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
Are you trying to use Infoblox's SNOW application or the DDI Activity pack?
Per the error description, it looks like you don't have a "Default" network view.
Re: Infoblox & ServiceNow Security Incident Integration Templates, Deployment Guide & Demo V
06-16-2023 06:37 AM
Are you trying to use Infoblox's SNOW application or the DDI Activity pack?
I am using snow application and we have do some configuration to connect to infoblox to get ip address.
I am trying to get an IP address from Infoblox using SNOW. The SNOW app will connect to Infoblox and get the IP or reserve the IP for the server to be built.
Per error description looks like you don't have "Default" network view, - Correct
This is the script:
var connection = fd_data._2__for_each.item.u_infoblox_connection.sys_id;
var name = fd_data._2__for_each.item.u_infoblox_connection.name.toString().toLowerCase();
if (connection == '72e79b9edb64241086fcd1c2ca961930' || name.contains("gvl") || name.contains("greenville")) {
    return true;
}
else {
    // default: don't configure for DNS
    return false;
}