In this post I will go through how you can integrate and send policy alert notifications from Red Hat Advanced Cluster Security for Kubernetes (RHACS) to ServiceNow.
Red Hat Advanced Cluster Security supports a number of specific notifier integrations today, including Slack, Jira, Splunk, syslog and email. Although ServiceNow is not currently in that list, it is possible to use generic webhooks to create this integration. Using this option together with the ServiceNow feature Scripted REST API will allow you to send security alert notifications also to ServiceNow.
This guide will demonstrate the following:
- In ServiceNow: How to configure and prepare a Scripted REST API service as a webhook receiver
- In Red Hat Advanced Cluster Security: How to configure a notifier integration to use the ServiceNow Scripted REST API
Let’s have a look at how to create this integration!
Prerequisites
There are a few things that need to be in place before you start:
- Access to a Red Hat OpenShift cluster (version 4.8+)
- Red Hat Advanced Cluster Security for Kubernetes installed
- Access to a ServiceNow instance with permissions to create a Scripted REST API service
This guide will not cover the installation of Red Hat OpenShift or Red Hat Advanced Cluster Security. You can get your OpenShift cluster at try.openshift.com and explore the documentation for more information.
ServiceNow REST API configuration
With Red Hat OpenShift and Red Hat Advanced Cluster Security installed, let’s start with configuring a REST API Service to use in ServiceNow.
Logged into ServiceNow, navigate to Scripted REST APIs under System Web Services -> Scripted Web Services and click New.
Add a Name, an API ID and click Submit to create the service.
Figure 1: New Scripted REST Service in ServiceNow
With the REST service created, it’s time to configure the REST resource for alerts by adding a script to handle the REST API request and response.
To demonstrate the integration, this example uses a simplified script that takes the request, does some simple parsing and logs the alert information in ServiceNow.
This script can later be extended to handle actions on the different ServiceNow records you need using the standard ServiceNow API.
Locate the newly created service (rhacs from the example above) from the list of services presented, then under Resources click New.
Configure the resource with the following information as an example:
Name: alert
HTTP method: POST
Script:
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    // Parse the JSON payload sent by the Red Hat Advanced Cluster Security generic webhook
    var data = JSON.parse(request.body.dataString);
    var deployment = data.alert.deployment;
    var policy_name = data.alert.policy.name;

    // Create example incident record
    var incident = new GlideRecord('incident');
    incident.initialize();
    incident.short_description = 'Automated incident created from Advanced Cluster Security';
    incident.description = "Deployment '" + deployment.name + "' in namespace '" + deployment.namespace + "' violated policy '" + policy_name + "'";
    incident.insert();

    // Log data from policy violation
    gs.info("Deployment '" + deployment.name + "' in namespace '" + deployment.namespace + "' violated policy '" + policy_name + "'");

    // Log complete object for debug
    gs.info(JSON.stringify(data));
})(request, response);
Note: To create an authenticated endpoint, make sure Requires Authentication and Requires ACL authorization are selected.
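The resource script above trusts its input completely: a request with a missing or malformed body throws inside process() and surfaces as a generic server error. The following is an added example, not the post's script and not ServiceNow or Red Hat code: the same alert handling rewritten as a Glide-free function that validates the payload and reports a status code, so it can be unit-tested under Node before being pasted into the Scripted REST resource (where process() would call it and use response.setStatus() and response.setBody()). It assumes the webhook body has the shape the post describes, an "alert" key holding the v1.Alert object with any configured extra fields beside it; the severity-to-urgency mapping and the sample payload are constructed for illustration.

```javascript
// Added example, not the post's ServiceNow script: validate the RHACS
// generic-webhook body and build the incident fields without Glide APIs.
// Assumption: body is {"alert": <v1.Alert>, <extra fields...>}.

// Walk a nested path safely; undefined when any step is missing.
function dig(obj, path) {
  return path.reduce(
    (cur, key) => (cur && typeof cur === "object" ? cur[key] : undefined),
    obj
  );
}

// Map the v1.Alert policy severity onto the ServiceNow urgency scale (1-3).
// The mapping itself is an assumption for this example, not an RHACS default.
function mapSeverity(severity) {
  switch (severity) {
    case "CRITICAL_SEVERITY": return 1;
    case "HIGH_SEVERITY": return 2;
    default: return 3;
  }
}

// Returns {ok:true, status:201, incident, extraFields} on a well-formed alert,
// or {ok:false, status:400, error} so process() can reject bad requests.
function buildIncidentFromAlert(bodyString) {
  let data;
  try {
    data = JSON.parse(bodyString);
  } catch (e) {
    return { ok: false, status: 400, error: "request body is not valid JSON" };
  }

  const required = {
    deploymentName: dig(data, ["alert", "deployment", "name"]),
    deploymentNamespace: dig(data, ["alert", "deployment", "namespace"]),
    policyName: dig(data, ["alert", "policy", "name"]),
  };
  const missing = Object.keys(required).filter(
    (k) => typeof required[k] !== "string" || required[k] === ""
  );
  if (missing.length > 0) {
    return { ok: false, status: 400, error: "missing fields: " + missing.join(", ") };
  }

  // Extra fields configured on the notifier arrive beside "alert" (assumption);
  // keep them so they can later be mapped onto ServiceNow record fields.
  const extraFields = {};
  for (const key of Object.keys(data)) {
    if (key !== "alert") extraFields[key] = data[key];
  }

  const { deploymentName, deploymentNamespace, policyName } = required;
  return {
    ok: true,
    status: 201,
    incident: {
      short_description: "Automated incident created from Advanced Cluster Security",
      description:
        "Deployment '" + deploymentName + "' in namespace '" + deploymentNamespace +
        "' violated policy '" + policyName + "'",
      urgency: mapSeverity(dig(data, ["alert", "policy", "severity"])),
    },
    extraFields,
  };
}

// Constructed sample body in the shape RHACS sends (not a captured alert).
const SAMPLE_BODY = JSON.stringify({
  alert: {
    id: "00000000-0000-0000-0000-000000000000",
    policy: { name: "Fixable Severity at least Important", severity: "HIGH_SEVERITY" },
    deployment: { name: "nginx", namespace: "demo", clusterName: "production" },
  },
  ticketQueue: "platform-security",
});

// Inside the Scripted REST resource the glue would be (ServiceNow APIs, not run here):
//   var result = buildIncidentFromAlert(request.body.dataString);
//   response.setStatus(result.status);
//   if (!result.ok) { response.setBody({ error: result.error }); return; }
//   ... then copy result.incident onto a GlideRecord('incident') and insert it.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(buildIncidentFromAlert(SAMPLE_BODY), null, 2));
  console.log(JSON.stringify(buildIncidentFromAlert("{not json")));
}
```

Returning 400 for a malformed body keeps a misconfigured or tampered sender from tripping the ServiceNow error log every time it retries, and keeping the extra fields separate makes it obvious which values came from the notifier configuration rather than from the alert itself.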
Figure 2: New Scripted REST Resource in ServiceNow
With the alert resource created, take a note of the Resource path (i.e. /api/xx/rhacs) and the ServiceNow instance name for the next step.
Figure 3: Resource API definition in ServiceNow
With this step done you now have a REST API endpoint available in ServiceNow to use in Red Hat Advanced Cluster Security. This endpoint will be used in the next step, when configuring a Notifier integration in Red Hat Advanced Cluster Security.
Create notifier integration in Red Hat Advanced Cluster Security
With a REST API endpoint configured in ServiceNow, it’s time to create a Generic Webhook notifier integration in Red Hat Advanced Cluster Security.
Navigate to the Integrations page: Platform Configuration -> Integrations
In the Notifier integrations section, select the Generic Webhook option and configure the endpoint using the ServiceNow instance and the REST API resource path from the previous step.
Integration name: ServiceNow
Endpoint: https://<servicenow-instance>/api/<rest-api-resource-path>
Figure 4: Generic Webhook integration in Red Hat Advanced Cluster Security
See Red Hat Advanced Cluster Security documentation for more information on generic Webhook integrations.
When configuring the Generic Webhook you can also add authentication details for ServiceNow. Add username and password if using basic auth or add additional headers with an access token if using an OAuth Client in ServiceNow. It's also possible to add extra fields to be included in the JSON payload sent from Red Hat Advanced Cluster Security.
Example:
Figure 5: Authentication configuration for Webhook
See ServiceNow product documentation for further information on how to set up OAuth.
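Before attaching the notifier to live policies it is worth confirming that the ServiceNow resource accepts exactly the request the Generic Webhook will send, including the authentication you configured. The following added example (not Red Hat or ServiceNow code) builds that request the way the post describes it, basic auth as a standard Authorization header, any additional headers such as an OAuth access token passed through, and extra fields merged beside the "alert" key, and can send it with Node's built-in fetch (Node 18+). The endpoint, credentials and alert content are placeholders and constructed values; the payload layout is an assumption based on the post.

```javascript
// Added example, not RHACS code: construct (and optionally send) the HTTP
// request a Generic Webhook notifier produces, to exercise the ServiceNow
// Scripted REST resource with a known alert before any policy is attached.
// Assumptions: body is {<extra fields...>, "alert": <v1.Alert>}; basic auth
// becomes "Authorization: Basic <base64(user:pass)>"; OAuth tokens are
// supplied as additional headers, as the post describes.

function buildWebhookRequest(opts) {
  const headers = { "Content-Type": "application/json" };

  if (opts.username !== undefined && opts.password !== undefined) {
    const credentials = Buffer.from(opts.username + ":" + opts.password, "utf8");
    headers["Authorization"] = "Basic " + credentials.toString("base64");
  }
  // Additional headers configured on the notifier (e.g. an OAuth bearer token)
  // take precedence over the defaults above.
  Object.assign(headers, opts.extraHeaders || {});

  // Extra fields sit beside the alert; the alert is written last so a stray
  // extra field named "alert" cannot overwrite it.
  const body = Object.assign({}, opts.extraFields || {}, { alert: opts.alert });

  return {
    url: opts.endpoint,
    method: "POST",
    headers,
    body: JSON.stringify(body),
  };
}

// Send the constructed request and return the receiver's status and body.
// Only call this with a real ServiceNow endpoint; the test below does not.
async function sendTestAlert(opts) {
  const req = buildWebhookRequest(opts);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return { status: res.status, text: await res.text() };
}

// Constructed test alert and placeholder configuration (not real values).
const TEST_OPTS = {
  endpoint: "https://<servicenow-instance>/api/<rest-api-resource-path>",
  username: "rhacs",
  password: "<placeholder-password>",
  extraFields: { ticketQueue: "platform-security" },
  alert: {
    policy: { name: "Fixable Severity at least Important", severity: "HIGH_SEVERITY" },
    deployment: { name: "nginx", namespace: "demo" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Print the request so it can be compared with what the ServiceNow log shows.
  console.log(JSON.stringify(buildWebhookRequest(TEST_OPTS), null, 2));
  // Uncomment once TEST_OPTS points at a real instance:
  // sendTestAlert(TEST_OPTS).then((r) => console.log(r.status, r.text));
}
```

Comparing the printed request with the JSON that appears in the ServiceNow log is a quick way to catch a wrong resource path (ServiceNow answers with 404), a rejected credential (401/403 when Requires Authentication is set) or an extra field that the resource script does not expect.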
Attach notifier to policies
With the notifier integration created in Red Hat Advanced Cluster Security, the next step is to attach the notifier to the policies of your choice.
Navigate to Platform Configuration -> Policy Management in Red Hat Advanced Cluster Security
- Select the policy to update
- Select Action -> Edit Policy
- Check the ServiceNow integration under Attach notifiers
- If no other changes to the policy are needed, simply Next-Next-Next-Save
Figure 6: Attach notifier to policy
With the policy updated it is now configured so that whenever a policy is violated an alert is triggered and sent to the notifier.
Before validating the integration and the alert in ServiceNow, verify that the policy selected actually has been violated and that the policy status is set to FAIL.
Figure 7: Policy status in Red Hat Advanced Cluster Security
Verify integration in ServiceNow
When a policy in Red Hat Advanced Cluster Security configured with the notifier integration has been violated, an alert should have been triggered and sent to ServiceNow using the configured Scripted REST API endpoint.
Remember the example script from above? It creates an incident record, logs the deployment information and writes the complete body of the request to the ServiceNow log.
With the integration working as expected, you would now see automatic incidents being created and the JSON data from the webhook when searching the log. The data will include a v1.Alert object and include any custom fields configured.
Figure 8: ServiceNow incidents created with Red Hat Advanced Cluster Security alert data
Figure 9: Red Hat Advanced Cluster Security alert data in ServiceNow log
There you go! Red Hat Advanced Cluster Security alert data ready for use with your different ServiceNow records!
Summary
In this post we looked at integrating Red Hat Advanced Cluster Security with ServiceNow. We configured policies in Red Hat Advanced Cluster Security to forward alerts to ServiceNow whenever the policies are violated.
This enables a flexible way to get the security findings surfaced by Red Hat Advanced Cluster Security into your existing processes. With the example policy used in this guide, a CMDB or Problem record could be updated with all vulnerabilities found, but other policies in Red Hat Advanced Cluster Security would also enable additional flows to increase the security posture of the environment.
Red Hat Advanced Cluster Security's ability to analyze runtime activity would, for example, make it possible to automatically create an incident record whenever anomalous activity is detected. Policies in Red Hat Advanced Cluster Security and the ServiceNow Scripted REST API service can easily be customized to fit your requirements.
To learn more, check out Scripted REST API examples from ServiceNow and the guide on how to manage security policies with Red Hat Advanced Cluster Security.
About the author
Johan Wennerberg is a Solution Architect working with Enterprise Accounts at Red Hat, with a focus on OpenShift, Kubernetes, Linux and automation. Previously a Senior Consultant at Red Hat.