In this post I will go through how you can integrate and send policy alert notifications from Red Hat Advanced Cluster Security for Kubernetes (RHACS) to ServiceNow.
Red Hat Advanced Cluster Security supports a number of specific notifier integrations today, including Slack, Jira, Splunk, syslog and email. Although ServiceNow is not currently in that list, it is possible to use generic webhooks to create this integration. Using this option together with the ServiceNow Scripted REST API feature will allow you to also send security alert notifications to ServiceNow.
This guide will demonstrate the following:
- In ServiceNow: How to configure and prepare a Scripted REST API service as a webhook receiver
- In Red Hat Advanced Cluster Security: How to configure a notifier integration to use the ServiceNow Scripted REST API
Let’s have a look at how to create this integration!
Prerequisites
There are a few things that need to be in place before you start:
- Access to a Red Hat OpenShift cluster (version 4.8+)
- Red Hat Advanced Cluster Security for Kubernetes installed
- Access to a ServiceNow instance with permissions to create a Scripted REST API service
This guide will not cover the installation of Red Hat OpenShift or Red Hat Advanced Cluster Security. You can get your OpenShift cluster at try.openshift.com and explore the documentation for more information.
ServiceNow REST API configuration
With Red Hat OpenShift and Red Hat Advanced Cluster Security installed, let’s start with configuring a REST API Service to use in ServiceNow.
Logged into ServiceNow, navigate to Scripted REST APIs under System Web Services -> Scripted Web Services and click New.
Add a Name, an API ID and click Submit to create the service.
Figure 1: New Scripted REST Service in ServiceNow
With the REST service created, it’s time to configure the REST resource for alerts by adding a script to handle the REST API request and response.
To demonstrate the integration, this example uses a simplified script that takes the request, does some simple parsing and logs the alert information in ServiceNow.
This script can later be extended to handle actions on the different ServiceNow records you need using the standard ServiceNow API.
Locate the newly created service (rhacs from the example above) from the list of services presented, then under Resources click New.
Configure the resource with the following information as an example:
Name: alert
HTTP method: POST
Script:
```javascript
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    // The generic webhook posts a JSON envelope; the alert sits under "alert"
    var data = JSON.parse(request.body.dataString);
    var deployment = data.alert.deployment;
    var policy_name = data.alert.policy.name;

    // Create example incident record
    var incident = new GlideRecord('incident');
    incident.initialize();
    incident.short_description = 'Automated incident created from Advanced Cluster Security';
    incident.description = "Deployment '" + deployment.name + "' in namespace '" + deployment.namespace + "' violated policy '" + policy_name + "'";
    incident.insert();

    // Log data from policy violation
    gs.info("Deployment '" + deployment.name + "' in namespace '" + deployment.namespace + "' violated policy '" + policy_name + "'");

    // Log complete object for debug
    gs.info(JSON.stringify(data));
})(request, response);
```
Note: To create an authenticated endpoint, make sure Requires Authentication and Requires ACL authorization are selected.
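The script above trusts the request body completely and creates an incident with a fixed short description. As an added example (not part of the original post or of ServiceNow's or RHACS's own code), the helper below does the payload-to-incident mapping as a pure function: it validates the envelope, maps the policy severity to an assumed urgency scale, carries the violation messages into the description, and collects any extra fields configured on the notifier. Field names beyond those used in the post (`alert.id`, `alert.policy.severity`, `alert.deployment.clusterName`, `alert.violations[].message`) are taken from the v1.Alert object and should be checked against your RHACS version. In the Scripted REST API script you would call it with `JSON.parse(request.body.dataString)` and copy the returned fields onto a `GlideRecord('incident')`; here it runs stand-alone in Node.

```javascript
// Assumed mapping from RHACS policy severity to ServiceNow urgency (1 = high, 3 = low).
const URGENCY_BY_SEVERITY = {
  CRITICAL_SEVERITY: 1,
  HIGH_SEVERITY: 1,
  MEDIUM_SEVERITY: 2,
  LOW_SEVERITY: 3,
};

function buildIncident(data) {
  // Never trust the webhook body: a malformed payload must produce a clear
  // error (the caller should answer 400), not an unhandled exception.
  const alert = data && data.alert;
  if (!alert || !alert.deployment || !alert.policy || !alert.policy.name) {
    throw new Error('payload is not a v1.Alert envelope');
  }
  const dep = alert.deployment;
  const violations = Array.isArray(alert.violations) ? alert.violations : [];
  const messages = violations.map((v) => '- ' + String(v.message || '')).join('\n');
  // Extra fields configured on the RHACS notifier are assumed to arrive next
  // to "alert"; collect them so the script can route on e.g. an assignment group.
  const extra = {};
  for (const key of Object.keys(data)) {
    if (key !== 'alert') extra[key] = data[key];
  }
  return {
    // Truncated to 160 characters (assumed default length of the field).
    short_description: `ACS policy violation: ${alert.policy.name} (${dep.namespace}/${dep.name})`.slice(0, 160),
    description: `Deployment '${dep.name}' in namespace '${dep.namespace}'` +
      (dep.clusterName ? ` on cluster '${dep.clusterName}'` : '') +
      ` violated policy '${alert.policy.name}'.\n${messages}`,
    urgency: URGENCY_BY_SEVERITY[alert.policy.severity] || 3,
    correlation_id: alert.id || '', // lets a later alert find and update the same incident
    extra,
  };
}

// Constructed sample of the envelope described in the post, with one extra field.
const SAMPLE = {
  alert: {
    id: 'alert-0001',
    policy: { name: 'Latest tag', severity: 'LOW_SEVERITY' },
    deployment: { name: 'nginx', namespace: 'demo', clusterName: 'prod' },
    violations: [{ message: "Container 'nginx' uses image with tag 'latest'" }],
  },
  assignment_group: 'Platform Security',
};

console.log(JSON.stringify(buildIncident(SAMPLE), null, 2));
```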
Figure 2: New Scripted REST Resource in ServiceNow
With the alert resource created, take a note of the Resource path (i.e. /api/xx/rhacs) and the ServiceNow instance name for the next step.
Figure 3: Resource API definition in ServiceNow
With this step done you now have a REST API endpoint available in ServiceNow to use in Red Hat Advanced Cluster Security. This endpoint will be used in the next step, when configuring a Notifier integration in Red Hat Advanced Cluster Security.
Create notifier integration in Red Hat Advanced Cluster Security
With a REST API endpoint configured in ServiceNow, it’s time to create a Generic Webhook notifier integration in Red Hat Advanced Cluster Security.
Navigate to the Integrations page: Platform Configuration -> Integrations
In the Notifier integrations section, select the Generic Webhook option and configure the endpoint using the ServiceNow instance and the REST API resource path from the previous step.
Integration name: ServiceNow
Endpoint: https://<servicenow-instance>/api/<rest-api-resource-path>
Figure 4: Generic Webhook integration in Red Hat Advanced Cluster Security
See Red Hat Advanced Cluster Security documentation for more information on generic Webhook integrations.
When configuring the Generic Webhook you can also add authentication details for ServiceNow. Add username and password if using basic auth or add additional headers with an access token if using an OAuth Client in ServiceNow. It's also possible to add extra fields to be included in the JSON payload sent from Red Hat Advanced Cluster Security.
Example:
Figure 5: Authentication configuration for Webhook
See ServiceNow product documentation for further information on how to set up OAuth.
Attach notifier to policies
With the notifier integration created in Red Hat Advanced Cluster Security, the next step is to attach the notifier to the policies of your choice.
Navigate to Platform Configuration -> Policy Management in Red Hat Advanced Cluster Security
- Select the policy to update
- Select Action -> Edit Policy
- Check the ServiceNow integration under Attach notifiers
- If no other changes to the policy are needed, simply Next-Next-Next-Save
Figure 6: Attach notifier to policy
With the policy updated it is now configured so that whenever a policy is violated an alert is triggered and sent to the notifier.
Before validating the integration and the alert in ServiceNow, verify that the selected policy actually has been violated and that the policy status is set to FAIL.
Figure 7: Policy status in Red Hat Advanced Cluster Security
Verify integration in ServiceNow
When a policy in Red Hat Advanced Cluster Security configured with the notifier integration has been violated, an alert should have been triggered and sent to ServiceNow using the configured Scripted REST API endpoint.
Remember the example script from above? It included examples to create incident records, print deployment information and to send the body of the request to the ServiceNow Log.
With the integration working as expected, you would now see automatic incidents being created and the JSON data from the webhook when searching the log. The data will include a v1.Alert object and any custom fields configured.
Figure 8: ServiceNow incidents created with Red Hat Advanced Cluster Security alert data
Figure 9: Red Hat Advanced Cluster Security alert data in ServiceNow log
There you go! Red Hat Advanced Cluster Security alert data ready for use with your different ServiceNow records!
Summary
In this post we looked at integrating Red Hat Advanced Cluster Security with ServiceNow. We configured policies in Red Hat Advanced Cluster Security to forward alerts to ServiceNow whenever the policies are violated.
This enables a flexible way to get the security findings surfaced by Red Hat Advanced Cluster Security into your existing processes. With the example policy used in this guide, a CMDB or Problem record could be updated with all vulnerabilities found, but other policies in Red Hat Advanced Cluster Security would also enable additional flows to increase the security posture of the environment.
Red Hat Advanced Cluster Security's ability to analyze runtime activity would, for example, make it possible to automatically create an incident record whenever anomalous activity is detected. Policies in Red Hat Advanced Cluster Security and the ServiceNow Scripted REST API service can easily be customized to fit your requirements.
To learn more, check out Scripted REST API examples from ServiceNow and the guide on how to manage security policies with Red Hat Advanced Cluster Security.
About the author
Johan Wennerberg is a Solution Architect working with Enterprise Accounts at Red Hat, with a focus on OpenShift, Kubernetes, Linux and automation. Previously a Senior Consultant at Red Hat.