ServiceNow (SN) is pretty easy to integrate with virtually any API-capable device. I was able to quickly set up an SN developer instance to receive security logs from a Palo Alto Networks (PAN) firewall and make them available through the desktop as well as the mobile interface.

SN reporting on logs received from the PAN firewall (desktop on the left, mobile interface on the right)

This is literally as easy as creating a table ‘u_threat’ (‘u’ is the prefix for user-created tables) within SN with string columns corresponding to the fields set up in the predefined HTTP Server Profile on PAN.

PAN HTTP Server Profile for ServiceNow

No scripting is necessary on the SN side for this, but I use one to create the table so that I can recreate it later (run once as a ‘Background Script’ in SN). The other way to be able to recreate the table later is to use SN update sets.

```javascript
// One-time Background Script: creates the u_threat table with string columns
// matching the fields configured in the PAN HTTP Server Profile.
var table_name = 'Threat';
var fnames = ["Action", "App", "Category", "Content_type", "Description", "Destination",
              "Device", "Dport", "Rule", "Severity", "Short description", "Source", "Source User"];
var fnamesLength = fnames.length;

var attrs = new Packages.java.util.HashMap();
for (var i = 0; i < fnamesLength; i++) {
    var ca = new GlideColumnAttributes(fnames[i]);
    ca.setType("string");
    ca.setUsePrefix(false);   // do not add the u_ prefix to the column names
    attrs.put(fnames[i], ca);
}

// Table name becomes u_threat; the label stays 'Threat'.
var tc = new GlideTableCreator("u_" + table_name.toLowerCase(), table_name);
tc.setColumnAttributes(attrs);
tc.update();
```

It is now possible to create a UI Action button ‘Block Source’. It uses the SN server-side JavaScript API ‘RESTMessageV2’ to register the source IP address taken from the SN form into a PAN dynamic address group (DAG, described in my other post here). This has to be done through a MID server (‘setMIDServer’) because SN is provided as SaaS and the MID server is installed on premises, where it can initiate the API call to the private destination.

Mobile interface with ‘Block Source’ button

See the corresponding UI Action script. Because this is not production, the IP address of the PAN firewall as well as the API key (‘ABC’) are hard coded (the proper place for them is the ‘sys_properties’ table). The script updates the PAN DAG named ‘SN’. The source address is wrapped by the ‘xml1’ and ‘xml2’ strings.

UI Action script to block source IP address on PAN firewall
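The same UI Action logic written out as an added example (not the author's script from the screenshot): the firewall host, MID server name and API key are read from sys_properties under assumed property names, the source IP is validated before it is concatenated into the PAN User-ID XML command, and the tag ‘SN’ is assumed to be the one the DAG filters on.

```javascript
// Strict dotted-quad check so that only a literal IPv4 address is ever
// concatenated into the XML command sent to the firewall.
function isValidIPv4(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip).trim());
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;
  }
  return true;
}

// PAN-OS User-ID "register" message; the tag must match the one the
// dynamic address group filters on ('SN' in the post).
function buildRegisterCmd(ip, tag) {
  if (!isValidIPv4(ip)) throw new Error('refusing to register non-IPv4 value: ' + ip);
  return '<uid-message><version>1.0</version><type>update</type><payload>' +
    '<register><entry ip="' + ip + '"><tag><member>' + tag + '</member></tag>' +
    '</entry></register></payload></uid-message>';
}

// Sends the command through the MID server. `rest` is a RESTMessageV2 object,
// injected so the validation and payload logic can be tested off-platform.
function blockSource(ip, cfg, rest) {
  var cmd = buildRegisterCmd(ip, cfg.tag);
  rest.setEndpoint('https://' + cfg.fwHost + '/api/');
  rest.setHttpMethod('POST');
  rest.setMIDServer(cfg.midServer);
  rest.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  rest.setRequestBody('type=user-id&key=' + encodeURIComponent(cfg.apiKey) +
    '&cmd=' + encodeURIComponent(cmd));
  var resp = rest.execute();
  return resp.getStatusCode();
}

// Wiring inside the UI Action; gs, current and sn_ws exist only in ServiceNow.
if (typeof sn_ws !== 'undefined' && typeof current !== 'undefined') {
  var cfg = {
    fwHost: gs.getProperty('x_pan.firewall_host'),   // assumed property names
    midServer: gs.getProperty('x_pan.mid_server'),
    apiKey: gs.getProperty('x_pan.api_key'),
    tag: 'SN'
  };
  // 'source' is the column created from the "Source" field above (no u_ prefix).
  var status = blockSource(String(current.getValue('source')), cfg, new sn_ws.RESTMessageV2());
  gs.info('PAN register returned HTTP ' + status);
}
```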

ServiceNow provides the Orchestration application, which makes automation workflows easier to build. There is a Palo Alto Networks integration available in the ServiceNow Store, but it requires Security Incident Response (as well as Orchestration support). Also, in the PAN GitHub repository there is SyncServiceNow, which demonstrates synchronization of assets and their attributes from ServiceNow into registered IP tags on a Palo Alto Networks firewall. This is the advantage of SN over Python-based automation frameworks like Phantom/Splunk or Demisto.