Integrating Invicti Enterprise with ServiceNow Incident Management
You can integrate ServiceNow (SNOW) Incident Management with Invicti Enterprise to streamline issue management. ServiceNow helps organizations track, prioritize, and share tasks across departments, enabling proactive issue detection and prevention.
Bi-Directional Integration
Invicti Enterprise supports bi-directional integration with SNOW, allowing issues to be automatically created, resolved, and reopened based on scan results. It uses user-defined Resolved and Reopened statuses in SNOW for this purpose. Our other Integrations can be viewed in the linked document.
This document explains how to integrate Invicti Enterprise with ServiceNow Incident Management.
This process involves four steps:
- Step 1: Set up the connection
- Step 2: Set up incident configuration in SNOW
- Step 3: Create a sample issue
- Step 4: Configure bi-directional webhooks (optional)
Step 1: Set up the connection
During this step, you will integrate Invicti Enterprise with ServiceNow Incident Management.
- Select Integrations > New Integration from the left-side menu.
- From the Issue Tracking Systems section, select ServiceNow Incident Management.
- Enter a name for the integration. This is the name of the configuration that will be displayed in other areas as well.
- Fill in the following required information:
  - URL: ServiceNow Incident Management instance URL
  - Username: Name of the user as in ServiceNow
  - Password: The password used for the ServiceNow Incident Management account
- Select Load ServiceNow Details. If successful, your project details are displayed, allowing you to continue configuring your integration. Otherwise, an error message will appear.
Step 2: Set up incident configuration in SNOW
TIP: The Incident Configuration fields vary based on your configuration of the SNOW Incident Management.
- In the Incident Configuration section, enter the Title Format. This is the string format that is used to create the vulnerability title.
- Select a Template, Standard or Detailed. This defines the issue description template type. The Detailed template includes extra fields like Request and Response, visible in the ServiceNow Activity field.
- Configure the rest of the fields according to your configuration.
- From the Field Mappings section, select Add Mapping.
- Next to the Invicti Severity dropdown, select the Invicti Value dropdown.
- From the Select Field dropdown, select an option.
TIP: The Field Mappings have priority over the Optional Fields. For example, if you configure the Priority in the Optional Fields and the Field Mappings, Invicti Enterprise will prioritize the configuration in the Field Mappings.
- Click Save.
Step 3: Create a sample issue
- Select Integrations > Manage Integrations from the left-side menu.
- From the Manage Integrations page, next to the relevant SNOW integration, select Edit.
- Click Create Sample Issue. Invicti Enterprise exports a sample issue to SNOW Incident Management to test the integration. If successful, a sample ticket is opened in Incident Management.
Step 4: Register webhooks for bi-directional integration (optional)
Invicti Enterprise supports webhooks for real-time issue synchronization with SNOW Incident Management. After saving your integration, Invicti generates a Webhook URL—register this in SNOW and set your preferred Resolved and Reopen statuses.
- Resolved in SNOW → Fixed (Unconfirmed) in Invicti Enterprise, triggering a retest scan. If enabled, fixed issues are then closed.
- Reopen in SNOW → Revived in Invicti Enterprise automatically.
NOTE: To register the webhook, the integration between Invicti Enterprise and ServiceNow Incident Management is required.
To configure the bi-directional integration between Invicti Enterprise and ServiceNow Incident Management, follow these steps:
- Configure notification for bi-directional integration
- Copy the webhook URL
- Configure the SNOW instance
Configure notification for bi-directional integration
- In Invicti Enterprise, select Notifications > Manage Notifications from the left-side menu.
- Next to the Scan Completed event, select Edit.
- From the Integration Endpoints field, select ServiceNow Incident Management.
- Click Save.
Copy the webhook URL
- Select Integrations > Manage Integrations from the left-side menu.
- Next to the relevant ServiceNow Incident Management Integration, select Edit.
- Scroll down to the Webhook Settings section.
- In the Webhook URL field, click the Copy to clipboard icon.
NOTE: The Resolved Status in ServiceNow Incident Management must match the webhook script's status for proper synchronization.
Configure the SNOW instance
- Search in the filter navigation textbox for “business rules”.
- Under System Definition, select Business Rules.
- From the Business Rules page, select New.
- Select Table, then Incident [incident].
- Enable the Advanced checkbox.
- In the When to Run tab, from the When dropdown, select after.
- Enable the Update checkbox.
- Select the Advanced tab.
- Modify the following script and fill in the script condition as illustrated:
Condition: current.incident_state.changesTo(6)
(6 = Resolved, 7 = Closed)
NOTE: The Resolved status in the ServiceNow Incident Management integration must match the script condition.
Script for amendment:
```javascript
(function executeRule(current, previous /*null when async*/) {
    /*
     * Incident states
     *   Resolved = 6
     *   Closed = 7
     *
     * Condition for sending the incident.
     * For resolved incidents use:
     *   current.incident_state.changesTo(6)
     *
     * For closed incidents use:
     *   current.incident_state.changesTo(7)
     */

    // Replace the endpoint variable with your Webhook URL from the ServiceNow integration.
    // Navigate to the ServiceNow integration: https://www.netsparkercloud.com/integrations/integrations/
    // Paste your Webhook URL in the endpoint variable. It's a link similar to this:
    // https://www.netsparkercloud.com/integrations/serviceNowWebhook?key=XXX&identifier=XXX
    var endpoint = 'PASTE YOUR SERVICENOW WEBHOOK HERE';

    gs.info("Incident close code = " + current.close_code);
    gs.info("Incident number = " + current.number + " and id = " + current.sys_id + " will be sent.");

    // Add the current incident's sys_id to the endpoint query as caseNumber.
    endpoint = endpoint + "&caseNumber=" + current.sys_id;

    try {
        var request = new sn_ws.RESTMessageV2();
        request.setHttpMethod('post');
        request.setEndpoint(endpoint);
        request.setRequestBody("{}");
        var response = request.executeAsync();
        response.waitForResponse(60);
        var httpResponseStatus = response.getStatusCode();
        gs.info("http response status_code: " + httpResponseStatus);
    } catch (ex) {
        var message = ex.getMessage();
        gs.info(message);
    }
})(current, previous);
```
- Click Submit.
After you complete these steps, Invicti Enterprise exports identified issues to ServiceNow Incident Management.
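A pre-flight check for the endpoint that the business rule builds, as an added example that is not Invicti's or ServiceNow's code: it rejects the unchanged placeholder, a non-HTTPS URL, a URL missing the key or identifier parameters shown in the script's comment, and a malformed sys_id, and returns a copy with the key masked for logging. The function names, the invicti.example host and the sample key values are constructed; the block is written in plain ES5-style JavaScript and runs under Node.js.

```javascript
// Added example (not Invicti or ServiceNow code); all sample values are constructed.
// Validates a pasted Webhook URL before it is used as `endpoint` in the business rule.

var PLACEHOLDER = 'PASTE YOUR SERVICENOW WEBHOOK HERE';

// Split "a=1&b=2" into an object; values are kept as-is (not decoded).
function parseQuery(query) {
  var out = {};
  query.split('&').forEach(function (pair) {
    var i = pair.indexOf('=');
    if (i > 0) out[pair.slice(0, i)] = pair.slice(i + 1);
  });
  return out;
}

// Returns { ok, error } on failure or { ok, endpoint, logSafe } on success.
function buildWebhookEndpoint(webhookUrl, sysId) {
  if (!webhookUrl || webhookUrl === PLACEHOLDER) {
    return { ok: false, error: 'webhook URL not set' };
  }
  // The URL carries a key in its query string, so refuse cleartext HTTP.
  if (!/^https:\/\//i.test(webhookUrl)) {
    return { ok: false, error: 'webhook URL must use https' };
  }
  var q = webhookUrl.indexOf('?');
  var params = q === -1 ? {} : parseQuery(webhookUrl.slice(q + 1));
  if (!params.key || !params.identifier) {
    return { ok: false, error: 'key or identifier parameter missing' };
  }
  // A ServiceNow sys_id is 32 hexadecimal characters.
  if (!/^[0-9a-f]{32}$/i.test(String(sysId))) {
    return { ok: false, error: 'sys_id is not 32 hex characters' };
  }
  var endpoint = webhookUrl + '&caseNumber=' + sysId;
  // Same URL with the key masked, suitable for gs.info() or another log sink.
  var logSafe = endpoint.replace(/([?&]key=)[^&]*/, '$1***');
  return { ok: true, endpoint: endpoint, logSafe: logSafe };
}

// Constructed sample input.
var sample = buildWebhookEndpoint(
  'https://invicti.example/integrations/serviceNowWebhook?key=k123&identifier=i456',
  '0123456789abcdef0123456789abcdef'
);
console.log(sample.logSafe);
```

Log only the `logSafe` form: anyone who can read the full URL from the system log holds the webhook key.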
How to use bi-directional integration in Invicti Enterprise
The following tutorial walks you through steps to export issues identified by Invicti Enterprise to ServiceNow Incident Management.
- Select Scans > New Scan from the left-side menu.
- Create a new scan.
- In Scan Settings, go to Notifications and ensure the Scan Completed event has an integration endpoint.
- Launch the scan and wait for the scan completion.
- Navigate to ServiceNow and go to the Incidents page.
TIP: No issues found? Check the filter on the Incident page; it should be set to All.
- Update the issue to the Resolved or Closed state that you chose earlier.
- In Invicti Enterprise, go to Issues > Waiting for Retest from the left-side menu to view your issues.
After the retest begins, if the vulnerability still exists, the issue will be reopened automatically. If the vulnerability is fixed, no action will be taken.
Manage the Incident Management integration
How to edit it
- Select Integrations > Manage Integrations from the left-side menu.
- Next to the relevant SNOW Incident Management integration, select Edit.
- Make the necessary changes, and click Save.
How to delete it
- Select Integrations > Manage Integrations from the left-side menu.
- Next to the relevant Incident Management integration, select Delete.
- In the Delete Integration popup, select Delete.
How to clone it
- Select Integrations > Manage Integrations from the left-side menu.
- Next to the relevant Incident Management integration, select Clone.
- Make the necessary changes, and click Save.
TIP: You can clone your integration to create as many incident management integrations as you need. However, due to security precautions, passwords cannot be cloned.
Export issues to SNOW Incident Management
There are several ways to send issues to SNOW Incident Management with Invicti Enterprise:
Automatic issue submission
Once the integration is configured, Invicti Enterprise can automatically send issues to SNOW Incident Management after a scan is completed. For more information, refer to the Using bi-directional integration or Managing Notifications documents.
Send issues from the Issues page
To send one or more issues from the Issues page, follow these steps:
- Navigate to Issues > All Issues from the left-side menu.
- Select one or more issues to send.
- Click Send To > ServiceNow Incident Management.
Send issues from the Recent scans page
To send an issue from the Recent Scans page, follow these steps:
- Select Scans > Recent Scans from the left-side menu.
- Next to the relevant scan, select Report and scroll to the Technical Report section.
- Select an issue from the list and view its details.
- Click Send To > ServiceNow Incident Management.
TIP: If this vulnerability has already been submitted to SNOW Incident Management, it will be accessible there. Duplicate submissions are not allowed.
Prevent reopening issues in SNOW IM
When the option “Do not re-open issues marked as False Positive or Accepted Risk” is enabled and the vulnerabilities previously marked as False Positive or Accepted Risk are revived during scans, the system doesn’t reopen the issue in ServiceNow Incident Management. This option is disabled by default.
How to enable the option
- Select Integrations > Manage Integrations from the left-side menu.
- Click Edit next to your SNOW IM integration.
- Navigate to Webhook Settings.
- Under the Webhook URL, enable the Do not re-open issues marked as False Positive or Accepted Risk checkbox.
- Click Save to close the settings.
NOTE: When reviewing the history of detected issues, a message will appear if the option is enabled: “The issue will not be reopened in the Issue Tracking System because it has been marked as either a False Positive or an Accepted Risk.”