
Grant Hulbert
ServiceNow Employee

Summary

On June 25, 2019, Amazon Web Services announced the general availability of AWS Security Hub, a solution that provides visibility into high-priority security vulnerabilities and threats that could impact users’ AWS environments and compliance status. AWS Security Hub is a central repository of security alerts, or findings, that are aggregated and prioritized so that security professionals can identify issues and quickly take action.

The integration with ServiceNow gives AWS Security Hub customers the option to push security findings into ServiceNow Security Operations or into the ServiceNow IT Service Management (ITSM) ticketing system. More information on the Security Operations integration can be found here. This post covers the ITSM integration only; you are welcome to use these instructions, but note that the ITSM integration is not an officially supported ServiceNow solution at this time.

Introduction

Security remains a critical concern for users across both on-premises data centers and cloud environments. As the world's largest public cloud provider, AWS has developed several security services, such as Amazon Inspector for vulnerability scanning, Amazon GuardDuty for threat detection, and Amazon Macie for sensitive-data discovery and anomaly detection, to help protect users. AWS has also partnered with dozens of independent, best-of-breed security companies. AWS Security Hub was launched to reduce the time and effort needed to collect, correlate, and prioritize security findings across multiple AWS and partner tools. Findings are normalized into a common data model (the AWS Security Finding Format), so results from every source can be displayed and searched from a single console.

The integration of AWS Security Hub with ServiceNow helps users take action on security findings. The ITSM integration gives users the ability to automatically open incident tickets for high-priority issues. The SecOps integration adds more functionality by correlating and prioritizing findings based on their impact to compliance status and to the business.

Configure ServiceNow and AWS Security Hub

AWS Security Hub uses CloudWatch Events rules to "push" findings to ServiceNow: a scheduled rule forwards the findings gathered in the previous hour every 15 minutes (scheduled forwards), and a custom action in Security Hub lets you forward selected findings on demand (manual forwards). Both rules invoke the same Lambda function, which posts the findings to the ServiceNow Table API for the em_event table over REST, authenticating as the integration user you configure below.

Note: your instance must have the Event Management plugin activated for this integration to work, because findings are written to the em_event table.

Deploy CloudFormation Template on AWS

  1. Download the files you will need from here. This zip file contains the CloudFormation template and the Lambda function you will need to complete this exercise
  2. Log in to the AWS Console
  3. Find and open the CloudFormation service, click [Create Stack], then on the next page click [Upload a template file]. Upload SecurityHubSupportingFiles/cloudformation-template.json
  4. Click [Next] and enter the following parameters
    1. Stack name: ServiceNowITSM-SecurityHub
    2. Endpoint: https://<your instance name>.service-now.com/api/now/table/em_event
    3. Integration Username: username of your instance's REST integration user. Note: this user must have the role evt_mgmt_integration. Use a dedicated integration user that has only this role and a strong password, since its credentials are handed to the Lambda function and used for every REST call
    4. Integration Password: password of your instance's REST integration user
    5. SecurityHub Region: same region as your AWS Console (e.g. us-west-2)
  5. Click [Next]
  6. On the next page "Configure stack options", click [Next]
  7. On the "Review ServiceNowITSM-SecurityHub" page, confirm your endpoint and username/password, tick the [x] I acknowledge that AWS CloudFormation might create IAM resources checkbox, then click [Create stack]
  8. Wait a few minutes for the stack to finish building...CREATE_IN_PROGRESS will become CREATE_COMPLETE

Upload Lambda zip file

  1. Click the "Resources" tab, then click the SecurityHubToServiceNow link on the AWS::Lambda::Function row
  2. Scroll down to the "Code entry type" combo box and change it to "Upload a .zip file"
  3. Upload SecurityHubToITSMServiceNow.zip and click [Save]
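
To make concrete what the uploaded function has to do, here is an illustrative Lambda handler for the manual-forward path. This is an added example, not the code inside SecurityHubToITSMServiceNow.zip: it receives the CloudWatch event that a Security Hub custom action emits, maps each finding in AWS Security Finding Format to the fields of an em_event record, and POSTs it to the Table API endpoint from the stack parameters with HTTP basic auth. The field mapping, the severity table, the environment variable names (SN_ENDPOINT, SN_USER, SN_PASSWORD) and the sample finding are all assumptions made for the example; the scheduled-forward path, which would have to call Security Hub's GetFindings API, is not shown.

```python
"""Illustrative Lambda handler: Security Hub custom-action event -> ServiceNow em_event.
Added example, not the function shipped in SecurityHubToITSMServiceNow.zip.
Assumptions (not from the original post): the ASFF -> em_event field mapping,
the severity table, the SN_ENDPOINT / SN_USER / SN_PASSWORD environment
variables, and the constructed SAMPLE_EVENT below."""
import base64
import contextlib
import json
import os
import types
import urllib.request

# ASFF severity label -> em_event severity (1 Critical ... 5 Info). Assumed mapping.
SEVERITY_MAP = {"CRITICAL": 1, "HIGH": 2, "MEDIUM": 3, "LOW": 4, "INFORMATIONAL": 5}

def severity_label(sev):
    """Use Severity.Label when present; otherwise bucket Severity.Normalized (0-100)."""
    if sev.get("Label"):
        return sev["Label"]
    n = int(sev.get("Normalized", 0))
    return ("CRITICAL" if n >= 90 else "HIGH" if n >= 70 else
            "MEDIUM" if n >= 40 else "LOW" if n >= 1 else "INFORMATIONAL")

def finding_to_event(finding):
    """Map one ASFF finding to the fields of an em_event record (assumed mapping)."""
    resources = finding.get("Resources") or [{}]
    types_ = finding.get("Types") or [finding.get("GeneratorId", "")]
    return {
        "source": "AWS Security Hub",
        "node": finding.get("AwsAccountId", ""),
        "type": types_[0],
        "resource": resources[0].get("Id", ""),
        "severity": str(SEVERITY_MAP.get(severity_label(finding.get("Severity", {})), 5)),
        "description": finding.get("Title", ""),
        # message_key is Event Management's de-duplication key: a finding forwarded
        # twice (scheduled and manual) updates one event instead of creating two.
        "message_key": finding.get("Id", ""),
        "additional_info": json.dumps({k: finding.get(k, "") for k in
                                       ("Description", "Region", "ProductArn", "UpdatedAt")}),
    }

def post_event(endpoint, user, password, fields, opener=urllib.request.urlopen):
    """POST one em_event record with HTTP basic auth; urlopen verifies the TLS certificate."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        endpoint, data=json.dumps(fields).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + token})
    with opener(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read())

def lambda_handler(event, context, opener=urllib.request.urlopen, config=None):
    """Entry point for the 'Security Hub Findings - Custom Action' CloudWatch event."""
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return {"forwarded": 0, "statuses": []}
    cfg = config or {"endpoint": os.environ["SN_ENDPOINT"],
                     "user": os.environ["SN_USER"], "password": os.environ["SN_PASSWORD"]}
    statuses = [post_event(cfg["endpoint"], cfg["user"], cfg["password"],
                           finding_to_event(f), opener)[0]
                for f in event.get("detail", {}).get("findings", [])]
    return {"forwarded": len(statuses), "statuses": statuses}

# Constructed sample event (shaped like a forwarded GuardDuty sample finding) and an
# offline stand-in for urlopen, so the demo runs without AWS or a ServiceNow instance.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Custom Action",
    "detail": {"actionName": "ServiceNow ITSM", "findings": [{
        "Id": "arn:aws:guardduty:us-west-2:111122223333:finding/EXAMPLEfinding1",
        "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty",
        "GeneratorId": "arn:aws:guardduty:us-west-2:111122223333:detector/EXAMPLEdetector",
        "AwsAccountId": "111122223333", "Region": "us-west-2",
        "Types": ["TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS"],
        "Title": "[SAMPLE] EC2 instance is querying a domain name associated with a known C&C server",
        "Description": "Constructed sample modelled on a GuardDuty sample finding.",
        "Severity": {"Product": 8, "Normalized": 80},
        "UpdatedAt": "2019-06-21T21:00:00Z",
        "Resources": [{"Type": "AwsEc2Instance",
                       "Id": "arn:aws:ec2:us-west-2:111122223333:instance/i-0123456789abcdef0"}],
    }]},
}

@contextlib.contextmanager
def fake_opener(req, timeout=None):
    """Records the request and echoes its body back as the Table API would."""
    fake_opener.last = req
    yield types.SimpleNamespace(
        status=201, read=lambda: json.dumps({"result": json.loads(req.data)}).encode())

if __name__ == "__main__":
    demo_cfg = {"endpoint": "https://example.service-now.com/api/now/table/em_event",
                "user": "sn_integration", "password": "example"}
    print(lambda_handler(SAMPLE_EVENT, None, opener=fake_opener, config=demo_cfg))
```

Two points worth carrying into a real deployment: set message_key to the finding Id so the scheduled and manual forwards of the same finding collapse into one event in Event Management rather than two, and keep the integration user's password out of plain-text environment variables (for example by reading it from AWS Secrets Manager at invocation time) rather than passing it around as the stack does.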

Create a custom action in SecurityHub

  1. Go back to the AWS Console, find "Security Hub", open it, and click the 'Settings' link in the left-hand navigation
  2. Click the 'Custom actions' tab and click [Create custom action]
    1. Action name: ServiceNow ITSM
    2. Description: Sends any security-related events to ServiceNow Event Management
    3. Custom action ID: forwardToSN
  3. Click [Create custom action]

Congratulations! You have completed the AWS side of the configuration. Now let's test it to confirm that events are being sent from AWS Security Hub to your ServiceNow instance.

Test example events with GuardDuty

  1. Go back to the AWS Console, find "GuardDuty", open it, and click the 'Settings' link in the left-hand navigation
  2. Scroll down to the "Sample findings" section and click [Generate sample findings]
  3. It will take several minutes for the sample findings to move through the system and appear in Security Hub
  4. Go back to the AWS Console, find "Security Hub", open it, and click the 'Findings' link in the left-hand navigation
  5. Select the checkbox on one of the findings and choose "ServiceNow ITSM" from the [Actions] combo box. This sends the finding to ServiceNow immediately, so you don't have to wait for the next scheduled forward
  6. Confirm the event has arrived in ServiceNow: open https://<your instance name>.service-now.com/em_event_list.do and check that the Security Hub event appears in the list

 Congratulations! You have successfully sent an AWS Security Hub event from AWS to ServiceNow.

Supporting files may be downloaded here https://servicenow-my.sharepoint.com/:u:/p/grant_hulbert/Eby-jqjoi8tDsXuXuBuf3sEBEF7fiCjjsEqSTw5dzeu...

Comments
amit-chauhan
Mega Explorer

Link to CFN template and the zip files is broken. Could you update the correct link to those files? 


Also where do we see these GuardDuty Findings in ServiceNow?

Version history
Last update:
06-21-2019 02:23 PM