SBN

Bi-Directional Sync with ServiceNow and Smart SOAR

To achieve bi-directional sync, two platforms need to share information and be able to act on that information. This is challenging to achieve when two platforms are owned by separate vendors and there is no coordination between the development teams. In this case, it’s up to one of the platforms to deliver on the capabilities of bi-directional sync by itself.

D3 is the first SOAR vendor to have accomplished this with Microsoft Sentinel. Now, in this article, we’re announcing bi-directional sync capabilities completed for one of the most popular ITSM platforms in the world: ServiceNow.

The Requirements

Enterprises and MSSPs that use ServiceNow for ticket management are faced with a challenge when deploying a SOAR solution with built-in case management, such as Smart SOAR. In this case, updates between incidents in Smart SOAR and their respective tickets in ServiceNow need to be kept in sync, and vice-versa. This can make it so that MSSPs can work solely out of Smart SOAR, trusting that any updates they make will be shared with their clients via ServiceNow, and any updates their clients make to ServiceNow tickets will be reflected in the corresponding Smart SOAR incident.

The Solution

In order to achieve these results, D3 engineers leveraged three capabilities of Smart SOAR:

  1. Scheduled GET requests to ServiceNow to check for updated tickets.
  2. An event playbook to check for existing incidents and make necessary changes.
  3. Incident playbook triggers to send updates from Smart SOAR incidents to ServiceNow tickets.

To learn more about the difference between event and incident playbooks, read this article that describes Smart SOAR’s tiered automation structure.

Updating Smart SOAR with Changes to ServiceNow Tickets

Typically, new alerts and tickets are ingested into Smart SOAR using a scheduled GET request. In this case, Smart SOAR is sending a request to ServiceNow every minute to check for tickets with a new Updated Time field. This will tell Smart SOAR that a change has been made to the ticket since the last check and it will retrieve the ticket data.

Smart SOAR sends a request to ServiceNow periodically to check for tickets with a new Updated Time

Then, an event playbook will trigger to search through Smart SOAR’s event database for existing events that correspond to the updated ServiceNow ticket. If one is found, it will update the event, which will be reflected in the security incident.

If no existing event is found, then the ServiceNow ticket can be considered new, and instead, the event playbook will search Smart SOAR’s incident database for the incident that created it. When the incident is found, the ServiceNow ticket details will be appended for future automations and to assist the investigation team.

Workflow for updating Smart SOAR with changes to ServiceNow tickets

Updating ServiceNow Tickets with Changes to Smart SOAR Incidents

Using Smart SOAR’s Incident Playbook Triggers, updates made to incidents can be sent to ServiceNow using conditional checks and API-calls.

Workflow for updating ServiceNow Tickets with changes to Smart SOAR incidents

Incident triggers are also used to update the incident forms inside of Smart SOAR. These forms are used to display ServiceNow ticket information, so the user doesn’t need to go into the raw data or go to ServiceNow to check the ticket details.

See ServiceNow ticket information within Smart SOAR

In the previous step, when an updated ticket is ingested from ServiceNow, the event playbook goes into the corresponding incident and updates the raw data. Then, incident playbook triggers are used to update this dynamic form with the following workflow:

Smart SOAR workflow to update status and comments in an incident form

Closing Thoughts

The integration of bi-directional sync between Smart SOAR and ServiceNow marks a significant technical milestone. Achieving this level of synchronization without direct vendor collaboration underscores the versatility and power of Smart SOAR. This capability ensures that any actions taken in one system are accurately reflected in the other, streamlining the incident response process and mitigating the risk of oversight or data silos. It’s a clear indication of D3’s commitment to pushing the boundaries of what’s possible in SOAR technology and provides a practical, impactful tool for MSSPs and enterprises that are reliant on coordinated incident management. This accomplishment not only augments the efficiency of MSSPs but also establishes a new benchmark for SaaS integration in the industry.

The post Bi-Directional Sync with ServiceNow and Smart SOAR appeared first on D3 Security.

*** This is a Security Bloggers Network syndicated blog from D3 Security authored by Flora Zhang. Read the original post at: https://d3security.com/blog/bi-directional-sync-with-servicenow-and-smart-soar/