
Configure ServiceNow

Endpoint Detection and Response (EDR) integrations provide our NDR solution with enrichment and intelligence about malicious activity at the endpoint that we would otherwise not see. Collecting EDR telemetry and infusing it into our threat detection capabilities makes our NDR Cases and Incidents richer and more holistic, because we now have the vantage point of both the endpoint and the network. Beyond making our NDR detections more substantial, the EDR integration can also help influence the risk or severity score of what we see in NDR.

Getting Started

Using the EDR vendor API POST /now/table/{tableName}, NDR sends out an API call for every incident update so that an incident is updated in ServiceNow.

REST API to Post Incident

POST /now/table/{tableName}

Inserts one record in the specified table.

Multiple record insertion is not supported by this method.

URL Format

| Name | Value |
| --- | --- |
| Versioned URL | /api/now/{api_version}/table/{tableName} |
| Default URL | /api/now/table/{tableName} |


Once the required details are collected, the telemetry is updated in the servicenow_info field of an incident. During this process, native NDR data is mapped to the ServiceNow fields and updated in the ServiceNow Incident table.
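
How a client might build the single-record insert described above, for both the default and the versioned URL (an added example, not LogRhythm's or ServiceNow's code). The NDR-side keys in FIELD_MAP, the sample incident, the use of HTTP Basic authentication and the instance name are assumptions; the request is built but never sent.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import urlsplit

TABLE_RE = re.compile(r"[a-z][a-z0-9_]*")   # no slashes or dots: blocks path tricks
VERSION_RE = re.compile(r"v[0-9]+")         # e.g. "v2"
# Hypothetical NDR-side keys -> ServiceNow incident columns (assumed mapping).
FIELD_MAP = {"title": "short_description", "summary": "description", "urgency": "urgency"}
# Constructed sample incident; "internal_score" is deliberately unmapped.
SAMPLE = {"title": "Beaconing to rare external host", "summary": "Constructed sample",
          "urgency": "2", "internal_score": 87}


def table_url(server_url, table, api_version=None):
    """Build the default or versioned Table API URL, rejecting unsafe input."""
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("server URL must be https:// without embedded credentials")
    if parts.path.strip("/") or parts.query:
        raise ValueError("server URL must be the bare instance address")
    if not TABLE_RE.fullmatch(table):
        raise ValueError("invalid table name")
    if api_version is not None and not VERSION_RE.fullmatch(api_version):
        raise ValueError("invalid API version")
    prefix = f"/api/now/{api_version}" if api_version else "/api/now"
    return f"https://{parts.netloc}{prefix}/table/{table}"


def build_insert(server_url, user, password, ndr_incident, table="incident", api_version=None):
    """Return an unsent urllib Request that inserts exactly one record."""
    if not isinstance(ndr_incident, dict):
        raise TypeError("this method inserts one record per call; pass one dict")
    # Allow-list mapping: keys without a mapped column never leave the NDR side.
    record = {sn: ndr_incident[k] for k, sn in FIELD_MAP.items() if k in ndr_incident}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        table_url(server_url, table, api_version),
        data=json.dumps(record).encode(),
        method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )
```

Because every incident update produces one such call, a dedicated ServiceNow account limited to the target table keeps the stored credentials from granting more than the integration needs.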

Configure a ServiceNow Integration in LogRhythm NDR

To configure ServiceNow:

  1. Click Settings, and then click Incident Management (ITSM).
  2. Click ServiceNow.
    The Service Now Integration page appears.
  3. Enter the integration credentials into the relevant fields.

    These credentials must be obtained from ServiceNow.

    | Field | Description |
    | --- | --- |
    | Server URL | The URL for ServiceNow. |
    | User | The username for your ServiceNow account. |
    | Password | The password for your ServiceNow account. |
    | Tag | The LogRhythm NDR tag used in your ServiceNow account. |
  4. To verify the credentials have been entered correctly, click Test.
    If the information is correct, Connection Success appears. Otherwise, Connection Failed appears, meaning the credentials need to be verified and re-entered.
  5. If Connection Failed appears, click Update to re-enter credentials, and then click Test.
  6. When Connection Success appears, the ServiceNow configuration is complete within LogRhythm NDR.

Once ServiceNow is configured, LogRhythm NDR starts updating incident details to ServiceNow. A copy of the ServiceNow data that is appended to the LogRhythm Incident is sent to ServiceNow.
