Last updated at Tue, 18 Feb 2020 14:08:35 GMT

This post is part two of our blog series covering the recently released InsightVM Integration for ServiceNow CMDB application available on the ServiceNow Platform. For an introduction to the application, getting started details, and a walkthrough of the InsightVM Asset Tagging integration, see part one.

With InsightVM's network-based scanning capabilities, you can discover assets that are known to the CMDB and those that are not. However, without a process for importing that data, it can be difficult to keep the CMDB up-to-date with the current state of the network as viewed from the lens of InsightVM. Even in situations where the discovery mechanisms provided by ServiceNow are utilized, the coverage may be different from that of scan engine infrastructure deployed for InsightVM. Additionally, InsightVM's asset data includes key metrics that are useful for understanding the risk of assets in your environment.

To provide additional visibility into assets on your network, the ServiceNow Asset Import component of the InsightVM Integration for ServiceNow can be used to better ensure that data in the ServiceNow CMDB reflects the current state of your network. Even for assets already in the CMDB, the integration can still be a useful tool for providing additional vulnerability risk related metrics for those assets. Device details pulled from InsightVM into ServiceNow include:

  • IP Address
  • MAC Address
  • Host Name
  • Operating System
  • InsightVM Connection Name
  • Asset ID
  • Risk Score
  • Last Assessed for Vulnerabilities (Date and Time)
  • Criticality Tag
  • Vulnerability Counts

In the application menu within ServiceNow this is referred to as ServiceNow CMDB Asset Import. This functionality is great for ensuring that the ServiceNow CMDB is consistent with the current state of your network based on InsightVM scan data. Each asset is imported with a Discovery Source of InsightVM, making it easy to identify Configuration Items (CIs) that were created or updated by the integration.

Let's review this integration in further detail.

Walkthrough

From the Rapid7 InsightVM Integration for CMDB menu in ServiceNow, you'll find three submodules specific to the ServiceNow CMDB Asset Import integration:

  1. Jobs
  2. CMDB Class Maps
  3. Run Statistics

As a recap on jobs (covered in our first post), they are the main configuration interface for each integration. Records defined on the jobs table for the integration allow for scheduling of integration runs and configuration of the options for the integration. In the case of the ServiceNow Asset Import integration, the job level configuration includes the InsightVM Security Console connection from which assets will be imported, the scope of InsightVM assets to import into the CMDB, and the schedule for the integration.

CMDB Class Maps provide the capability to define the CMDB classes that will be associated with assets that are imported in the CMDB. This is done by matching regular expression patterns for the asset operating system to CMDB classes. The following CMDB Class Maps are provided with the application:

  • Linux Server
  • Windows Server
  • Windows Desktop
  • MacOS Device
  • Default Computer

The CMDB Class Maps set on a job record are processed sequentially, with the first match being used. This means that it is important to order your class maps from highest degree of specificity to lowest. For instance, the regular expression pattern for Windows Server is "windows server" and the pattern for Windows Desktop is "windows". If the Windows Desktop class map is specified prior to Windows Server, all Windows devices will end up getting assigned the CMDB class from the Windows Desktop class map, as its pattern is less specific than the one for Windows Server devices.

Finally, Run Statistics provide high-level statistics for each integration run, including the following:

  • Start
  • End
  • CIs Inserted
  • CIs Updated
  • CIs Deleted
  • CIs Unchanged
  • Identification Errors

Identification errors signify assets for which no class map was defined on the job configuration. If you do not wish to import all assets, these errors may be normal. However, if you wish to import all assets, a default class map should be defined on the job configuration with a wildcard .* regular expression pattern. The application provides this in the Default Computer class map.

Important: The integration will only import assets that have a hostname that was identified during the InsightVM scanning process. This is required as the integration uses the hostname of the asset to perform the lookup against the ServiceNow CMDB and determine whether a CI for the asset should be created or an existing one updated.

We'll cover each of these in further detail in our walkthrough, demonstrating our use case of importing assets unknown to the CMDB into ServiceNow once they are identified by InsightVM.

Creating a new job configuration

If you already have the application set up and configured, you can follow along from this point to configure the integration for your environment. To get started with setup, check out our getting started documentation, which covers installation of the application, setup of a connection to InsightVM, and configuration of the Discovery Source required for asset import.

Configuring a new Job will allow for running the integration and importing assets from an InsightVM Security Console. If you have multiple security consoles or different requirements based on asset scope, you can configure multiple job records to meet this need. To get started, log in to ServiceNow and navigate to the Rapid7 InsightVM Integration for CMDB -> ServiceNow CMDB Asset Import -> Jobs module and click the New button to create a new job configuration, as shown in the following image:

The new job configuration form looks like this:

Details for each of the fields in the above form are as follows:

| Field name | Description |
| --- | --- |
| Name | A friendly name for the job |
| InsightVM Connection | Reference to an InsightVM Connection created via the Rapid7 InsightVM Integration for CMDB -> InsightVM Connections module |
| CMDB Class Maps | Allow for regular expression patterns to be defined that designate which ServiceNow CMDB class should be associated with an InsightVM asset based on the asset's operating system |
| InsightVM Scope | Options that allow for limiting the scope of assets by specifying Asset Group/Site/Tag name regular expression patterns |
| Schedule | Provides the same options as other ServiceNow scheduled jobs, allowing for the job to be run on a specified interval |

There are four CMDB Class Maps included with the application, making it easy to get started. If you're following along, configure your job then save before moving on to review CMDB Class Maps.

CMDB Class Maps

CMDB Class Maps allow for configuration of the ServiceNow CMDB class that is associated with an InsightVM asset when it is imported. As stated previously, this is done by using a regular expression pattern to match the asset's operating system name as identified by InsightVM scans. These are then defined on a ServiceNow CMDB Asset Import integration job. It's important that the class maps are ordered from most specific to least specific, as they are processed sequentially with the first match being used. All regular expression patterns are case-insensitive.

The ServiceNow CMDB Asset Import -> CMDB Class Maps module provides a list of currently configured class maps. These can be applied to as many job configurations as your use case requires. Below, you'll find the form for the built-in Linux Servers CMDB Class Map:

Configuration of class maps is fairly straightforward, as you can see above. Just configure a name, the CMDB class to associate with the map, and a regular expression and it's ready for use. The CMDB class can be any table that begins with the cmdb_ci prefix.

With a job configured and a better understanding of CMDB Class Maps, we're ready to run the job.

Running a job

In the first post in this series, we discussed the ways in which jobs can be run by the application. We'll again use the Execute Now button from the job form to initialize a ServiceNow CMDB Asset Import job run.

When running the integration, there are a couple of things worth noting:

  1. The ServiceNow Identification and Reconciliation Engine API is used by the application to correlate InsightVM assets with ServiceNow CMDB CIs. The hostname from the asset is the only identifier used. As such, only assets with hostnames discovered by InsightVM will be imported into the CMDB by the integration.
  2. If no matching CMDB Class Map is found for an asset's operating system, the asset will not be imported into the CMDB. As such, it is important to configure a class map with a .* regular expression pattern to catch any assets for which no other matches are found if you wish to import all assets in scope for the job.
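
The import rules described in this post (first-match class maps, case-insensitive patterns, the .* catch-all, and the hostname requirement) can be checked against your own OS names before a job runs. The following is an added sketch, not the application's code: the "linux" pattern, the cmdb_ci_* table names, the function names, and the sample assets are assumptions constructed for illustration.

```javascript
// Added illustration, not the application's code. The patterns "windows server",
// "windows" and ".*" come from the post; the "linux" pattern and the cmdb_ci_*
// table names are assumptions.
const MAPS = {
  linux:      { name: 'Linux Server',     pattern: 'linux',          cmdbClass: 'cmdb_ci_linux_server' },
  winServer:  { name: 'Windows Server',   pattern: 'windows server', cmdbClass: 'cmdb_ci_win_server' },
  winDesktop: { name: 'Windows Desktop',  pattern: 'windows',        cmdbClass: 'cmdb_ci_computer' },
  fallback:   { name: 'Default Computer', pattern: '.*',             cmdbClass: 'cmdb_ci_computer' },
};
const GOOD_ORDER = [MAPS.linux, MAPS.winServer, MAPS.winDesktop, MAPS.fallback];
const BAD_ORDER = [MAPS.linux, MAPS.winDesktop, MAPS.winServer]; // broad before specific, no catch-all

// Constructed sample assets (not real scan data).
const ASSETS = [
  { hostname: 'dc01',     ip: '10.0.0.10', os: 'Microsoft Windows Server 2016 Standard' },
  { hostname: 'ws-042',   ip: '10.0.0.42', os: 'Microsoft Windows 10' },
  { hostname: 'web01',    ip: '10.0.0.20', os: 'Ubuntu Linux 18.04' },
  { hostname: 'printer7', ip: '10.0.0.77', os: 'HP JetDirect' },
  { hostname: null,       ip: '10.0.0.99', os: 'Linux 3.10' },
];

const matches = (map, os) => new RegExp(map.pattern, 'i').test(os || '');

// First matching map wins; null means no class map applies.
function resolveClass(orderedMaps, os) {
  return orderedMaps.find((map) => matches(map, os)) || null;
}

// Sort assets into the outcomes the post describes for a job run.
function planImport(orderedMaps, assets) {
  const plan = { imported: [], skippedNoHostname: [], identificationErrors: [] };
  for (const a of assets) {
    if (!a.hostname) { plan.skippedNoHostname.push(a.ip); continue; }
    const map = resolveClass(orderedMaps, a.os);
    if (!map) { plan.identificationErrors.push(a.hostname); continue; }
    plan.imported.push({ hostname: a.hostname, via: map.name, cmdbClass: map.cmdbClass });
  }
  return plan;
}

// Maps that match some observed OS name but never win: a sign of bad ordering.
function shadowedMaps(orderedMaps, osNames) {
  const winners = new Set(osNames.map((os) => resolveClass(orderedMaps, os)).filter(Boolean).map((m) => m.name));
  return orderedMaps
    .filter((m) => osNames.some((os) => matches(m, os)) && !winners.has(m.name))
    .map((m) => m.name);
}

console.log(planImport(BAD_ORDER, ASSETS), shadowedMaps(BAD_ORDER, ASSETS.map((a) => a.os)));
```

With the misordered list, the domain controller is classed through the Windows Desktop map, the printer becomes an identification error, and the Windows Server map is reported as shadowed.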

Reviewing results

Demo data

In the environment for this walkthrough, there are no existing CIs in the CMDB. The InsightVM Security Console contains the following assets:

Additionally, here's a look into the vulnerabilities on the Windows host above to give some context to the risk metrics that we'll look at later once the import is complete:

Run results

After running the integration, the following CIs were created (please note that there are two screenshots, as the rows are too long to fit in one):

Reviewing the above screenshots, you'll see that the assets in the demo InsightVM environment were imported successfully. In addition to asset information being imported, vulnerability risk-related metrics were also imported. Based on the CMDB Class Maps defined on the job configuration, a CMDB class was associated with each CI during the import process. The InsightVM Connection Name is also assigned to assist with identifying which connection was used for the import in the event that you have multiple InsightVM Security Consoles in your environment.

Finally, we can review the Rapid7 InsightVM Integration for CMDB -> ServiceNow CMDB Asset Import -> Run Statistics module to see the metrics for the job run:

Reviewing Logs

As noted in our prior post in this series, one of the following built-in ServiceNow user roles is required to view the Logs module in the application as log details are written to the ServiceNow System Log:

  • admin
  • workflow_admin

With the correct permissions, the Logs module is available within the Rapid7 InsightVM Integration for CMDB -> Diagnostics -> Logs. The ServiceNow CMDB Asset Import Integration logs details related to normal operation, including InsightVM report generation for data collection, the asset import process, and cleanup procedures. If there are any errors or warnings related to the run, these will also be logged to the application log; however, in a troubleshooting scenario it can also be helpful to review the System Logs -> System Log -> All module in addition to the application log. Below is an example of the logs generated by the integration during normal operation:

Closing

With this example of the new ServiceNow CMDB Asset Import functionality provided by the Rapid7 InsightVM Integration for ServiceNow CMDB, you should be ready to get started with it in your environment! If you have yet to install the application, the details for it are available on the application page within the ServiceNow store here.

Be on the lookout for the final post in this series, where we'll cover the last integration provided by the application, automating InsightVM Site Configuration.