Thank you for your feedback.
Form temporarily unavailable. Please try again or contact docfeedback@servicenow.com to submit your comments.
Versions
  • London
  • Kingston
  • Jakarta
  • Istanbul
  • Helsinki
  • Geneva
  • Store
Close

REST APIs for third-party integration with Security Operations

REST APIs for third-party integration with Security Operations

The Security Operations base system includes a series of scripted REST APIs that allow customers and partners to easily integrate with an existing Security Operations deployment. The APIs allow you to gather data from outside of your system (for example, a Python script is used to receive data from VirusTotal) and send it back to your instance.

Scripts written in almost any language (Python, for example) can be used with the APIs to perform customer-specific processes. The scripts must be written in a language able to make an outside-facing HTTP Post call. For example, if you have a Java application, you must use a library, such as the java.net.HttpUrlConnection package, to construct an HTTP call and pass in a JSON string as Body for the message.

the API is solely used to add data that was gathered outside of our system, e.g. if you wrote VT python script and receive data from VT, you could send that data back to the SN instance

Authentication

All operations within the API definitions use platform authentication provided by the Scripted REST API operation feature. To access, navigate to System Web Services > Scripted Web Services > Scripted REST APIs and locate the SecOps Integration Capabilities API.
Figure 1. Scripted REST Service
Scripted REST Service

The user and the user’s domain are readily available within the context of the API. Records can be tied to a user, an audit path to be established, and domain separation accomplished. Also, since you are authenticated as a specific user, you can use GlideRecordSecure to prevent any unauthorized access to data.

Authorization

To protect the record creation process from users outside of the Security Operations application, you must have the sn_sec_cmn.api_write role. Only users with this role can access the APIs.

Configuration request parameters

The following request parameters are available.
Name Default Description
ignore_mandatory_fields false If set to true, the record persists even if mandatory fields are not filled in.
include_wrap false If set to true, the response includes the instance-provided standard wrapper for Scripted REST APIs.
simple_response false If set to true, the response includes only whether the operation was successful.

Error responses

The following error responses may occur.
Error message When does it occur? Solution
Insufficient access User does not have the sn_sec_cmn.api_write role. Add the role to the user.
Invalid post body Request body is empty or an empty object. Conform to the API definition.
No fields supplied Data fields provided to persist are empty. Conform to the API definition.
Mandatory fields missing: x,y,z Mandatory fields are missing. Conform to the table definition of the target table or set ignore_mandatory_fields to true.
Unable to persist record Unable to persist parsed record. GlideRecord insert() failed, further analysis is required.
Unknown error Occurs if no known error path has been followed. Further analysis is required.

CI enrichment use case

Using your third-party scripts, you can write to the Configuration Item Enrichment [sn_sec_cmn_ci_enrichment_result] table for CI enrichment. The enrichment records are based on existing capabilities that provide detailed information about a record from a third-party source.

Sample request and responses for the CI enrichment use case are shown here.

Create-Request for CI enrichment

CI Enrichment: Create –Request

Create-Response for CI enrichment

CI Enrichment: Create –Response

Observable enrichment use case

Using your third-party scripts, you can write to the Observable Enrichment Result [sn_ti_observable_enrichment_result] table for observable enrichment. The enrichment records are based on existing capabilities that provide detailed information about a record from a third-party source.

Sample request and responses for the observable enrichment use case are shown here.

Create-Request for observable enrichment

Observable Enrichment: Create–Request

Create-Response for observable enrichment

Observable Enrichment: Create Response
Note: In addition to enriching existing records, you can also use Security Operations enrichment data mapping to add new records to tables by passing in an enrichment_mapping_id for an existing enrichment mapping and a corresponding raw_data string that can be parsed by the mapping process.

Threat lookup use case

Using your third-party scripts, you can write to the Threat Lookup Result [sn_ti_lookup_result] table for threat lookup results. The lookup records are based on existing capabilities that provide detailed information about a record from a third-party source.

Sample request and responses for the threat lookup use case are shown here.

Create-Request for threat lookups

Create-Request for threat lookups

Create-Response for threat lookups

Create-Response for threat lookups