Integrating Invicti Enterprise with ServiceNow Incident Management

This document is for:

Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

You can integrate ServiceNow (SNOW) Incident Management with Invicti Enterprise to manage issues.

Incident Management is an issue-tracking system that also helps organizations prioritize and share tasks across departments. So, you can pinpoint indicators of problems to prevent issues and predict future ones.

Supporting bi-directional integration

Invicti Enterprise support bi-directional integration with SNOW Incident Management. So, you can resolve and reopen issues according to the scan result. Also, you can create issues automatically. Invicti Enterprise uses user-provided resolved and reopened statuses in ServiceNow Incident Management for this purpose.

This topic explains how to integrate Invicti Enterprise with ServiceNow Incident Management.

For further information, see What Systems Does Invicti Integrate With?

ServiceNow Incident Management fields

This table lists and explains the ServiceNow fields on the New ServiceNow Incident Management Integration page.

Button/Section/Field	Description
Name	This is the name of the configuration that will be shown elsewhere.
URL	This is the ServiceNow Incident Management instance URL.
Username	This is the name of the user.
Password	This is the password that is used for the ServiceNow Incident Management account.
Title Format	This is the string format that is used to create the vulnerability title.
Template	This is the type of issue description template. There are two template types for issue templates: Standard and Detailed. The Detailed template has additional fields such as Request and Response. So, you can view them in the Activity field on ServiceNow.

Integrating Invicti Enterprise with the Incident Management

There are two steps to this integration:

Setting up the connection with the Incident Management
Configuring project details for integration

Step 1. How to integrate Invicti Enterprise with the ServiceNow Incident Management

Log in to Invicti Enterprise.
From the main menu, select Integrations > New Integration.
From the Issue Tracking Systems section, select ServiceNow Incident Management.

In the Name field, enter a name for the integration.
In the Mandatory section, complete the connection details:
- URL (ServiceNow Server)
- ServiceNow Username
- ServiceNow Password
Select Load ServiceNow Details.

If successful, Invicti displays your project details to continue configuring your integration. Otherwise, Invicti displays an error message.

Step 2. How to configure your SNOW Incident Management instance with Invicti Enterprise

The Incident Configuration fields vary based on your configuration of the SNOW Incident Management.

From the Incident Configuration section, enter the Title Format.
From the Template section, choose a template type. (Based on the template selection, you can view Response and Request information in the Activity field on ServiceNow.)

Configure the rest of the fields according to your configuration.
From the Field Mappings section, select + Add Mapping.
Next to the Invicti Severity drop-down, select the Invicti Value drop-down.
From the Select Field drop-down, select an option. When selected, a drop-down appears. Select an option.

The Field Mappings have priority over the Optional Fields. For example, if you configure the Priority in the Optional Fields and the Field Mappings, Invicti Enterprise will prioritize the configuration in the Field Mappings.

Select Save.

If successful, Invicti Enterprise saves your integration.

Creating a sample issue to test integration

From the main menu, select Integrations > Manage Integrations.
From the Manage Integrations page, next to the relevant SNOW integration, select Edit.
Select Create Sample Issue.

Invicti Enterprise exports a sample issue to SNOW Incident Management to test the integration. If successful, the following ticket is opened in the Incident Management:

How to edit the Incident Management integration

From the main menu, select Integrations > Manage Integrations.
Next to the relevant SNOW Incident Management integration, select Edit.
Make the necessary changes, and select Save.

How to delete the Incident Management integration

From the main menu, select Integrations > Manage Integrations.
Next to the relevant Incident Management integration, select Delete.
From the Delete Integration pop-up, select Delete.

How to clone the Incident Management integration

You can clone your integration to create as many incident management integrations as you need. However, due to security precautions, passwords cannot be cloned.

From the main menu, select Integrations > Manage Integrations.
Next to the relevant Incident Management integration, select Clone.
Make the necessary changes, and select Save.

Exporting issues to SNOW Incident Management

There are several ways to send issues to SNOW Incident Management with Invicti Enterprise:

How to export reported issues to projects in the Incident Management

Once the integration has been configured, you can configure Invicti Enterprise to automatically send issues to SNOW Incident Management after scanning has been completed. For further information, see Managing Notifications.
You can send one or more issues from the Issues page:
1. From the main menu, select Issues > All Issues.
2. On the Issues page, select one or more issues you want to send.
3. Select Send To > ServiceNow Incident Management.

A pop-up is displayed, with a link to the issue you have sent to the SNOW Incident Management. If there is an error, this information will be displayed instead.

You can send an issue from the Recent Scans page:
1. From the main menu, select Scans > Recent Scans.
2. Next to the relevant scan, select Report.
3. Scroll down to the Technical Report section.
4. From the list of detected issues, select an issue and display its details.

Select Send To > ServiceNow Incident Management.

If you have already previously submitted this vulnerability to SNOW Incident Management, it will already be accessible. You cannot submit the same issue twice.

Registering webhook for bi-directional integration

To enhance issue synchronization support, Invicti Enterprise also offers webhook support. This enables you to detect any status changes in ServiceNow Incident Management issues opened by Invicti Enterprise.

Invicti Enterprise generates a Webhook URL after you save your integration settings. When you register this link as a webhook in your ServiceNow Incident Management project and enter your preferred Resolved and Reopen statuses, you will complete Invicti Enterprise issue synchronization for your integration.
When you change your ServiceNow Incident Management issue’s status to your preferred Resolved status, the issue is automatically marked as Fixed (Unconfirmed) in Invicti Enterprise, and a retest scan is started. If you select the After retesting, change the status of fixed vulnerabilities to Closed checkbox, and the issue will be closed.
When you change your ServiceNow Incident Management issue’s status to your preferred Reopened status, your corresponding Invicti Enterprise issue is automatically marked as revived.

Prerequisite

Integrate Invicti Enterprise with SNOW Incident Management

There are 3 steps to configure the bi-directional integration between Invicti Enterprise and ServiceNow Incident Management.

Configure notification for bi-directional integration
Copy the webhook URL
Configure the ServiceNow instance

Step 1. Configuring notification for bi-directional integration

Log in to Invicti Enterprise.
Select Notifications > Manage Notifications.
Next to the Scan Completed event, select Edit.
From the Integration Endpoints field, select ServiceNow Incident Management.
Select Save.

Step 2. Copying the webhook URL

From the main menu, select Integrations > Manage Integrations.
Next to the relevant ServiceNow Incident Management Integration, select Edit.
Scroll down to the Webhook Settings section.
In the Webhook URL field, select Copy to clipboard.

Resolved Status is a ServiceNow Incident Management incident status to match when the webhook script has been added. They must be the same.

Step 3. Configuring ServiceNow Incident Management for bi-directional integration

Log in to ServiceNow.
In the Filter Navigation textbox search for ‘business rules’.

Under System Definition, select Business Rules.
From the Business Rules page, select New.
Select Table, then Incident [incident].

Select the Advanced checkbox.
In the When to Run tab, from the When drop-down, select after.
Enable the Update checkbox.

Select the Advanced tab.
Modify the following script and fill in the script condition as illustrated:

Condition: current.incident_state.changesTo(6)

6 = Resolved
7 = Closed

Note that the Resolved status in the ServiceNow Incident Management integration must be matched with the script condition.

Script:

(function executeRule(current, previous /*null when async*/) {
    /* 
     * Incident states 
     * Resolved = 6
     * Closed = 7
     *
     * condition for sending incident
     * for resolved incidents use this
     * current.incident_state.changesTo(6)
     * 
     * for closed incident use this:
     * current.incident_state.changesTo(7)
     */
    
    // change endpoint variable with your Webhook URL in the ServiceNow integration
    // navigate to the ServiceNow integration https://www.netsparkercloud.com/integrations/integrations/
    // paste your Webhook URL in the endpoint variable. It's a link similar to this: https://www.netsparkercloud.com/integrations/serviceNowWebhook?key=XXX&identifier=XXX

    var endpoint = ‘PASTE YOUR SERVICENOW WEBHOOK HERE’;
    
    gs.info("Incident close code = " + current.close_code);
    gs.info("Incident number = " + current.number + " and id = " + current.sys_id + " will be sent.");
    //add current incident number to endpoint query
    endpoint = endpoint + "&caseNumber=" + current.sys_id;
    try {
        var request = new sn_ws.RESTMessageV2();
        request.setHttpMethod('post');
        request.setEndpoint(endpoint);
        request.setRequestBody("{}");
        var response = request.executeAsync();
        response.waitForResponse(60);
        var httpResponseStatus = response.getStatusCode();
        gs.info("http response status_code: " + httpResponseStatus);

    } catch (ex) {
        var message = ex.getMessage();
        gs.info(message);
    }
})(current, previous);

Select Submit.

Following these steps, Invicti Enterprise exports issues identified to ServiceNow Incident Management.

[Tutorial] Using bi-directional integration in Invicti Enterprise

The following tutorial walks you through steps to export issues identified by Invicti Enterprise to ServiceNow Incident Management.

How to use bi-directional integration in Invicti Enterprise

Log in to Invicti Enterprise.
From the main menu, select Scans > New Scan.
Configure your scan. For further information, see Creating a new scan.
From the Scan Settings, select Notifications to make sure that the Scan Completed event has an integration endpoint.

Launch the scan and wait for the scan completion.
Navigate to ServiceNow and go to the Incidents page.

No issues? Check the filter on the Incident page. It should be set to All.

Update the issue to a Resolved or Closed state which was chosen earlier.
Go to Invicti Enterprise.
From the main menu, select Issues > Waiting for Retest to see your issue(s).

After the retest starts, if the issue is retested correctly and if the vulnerability exists, it will be reopened by the system. If the vulnerability is fixed, no action will be taken.