ServiceNow ITSM

Secure ingestion of security and incident alerts into ServiceNow SIR

Overview

The Keeper Security ITSM application provides a secure and streamlined integration between Keeper Security Alerts and ServiceNow’s Security Incident Response (SIR) module. It enables enterprise customers to centrally manage and respond to Keeper-generated security alerts by automating their intake, transformation, and creation as Security Incident tickets within ServiceNow.

This integration helps security teams maintain visibility, improve response times, and ensure that Keeper Security alerts are managed consistently within existing ServiceNow SIR workflows.

ServiceNow Store Listing:

https://store.servicenow.com/store/app/e26cda5893a97a90a0f2fc1d6cba105a

Features

  • Receive Keeper Security alerts and incidents through a protected webhook endpoint, ensuring that only authorized sources can submit data to the platform.

  • Protect the webhook endpoint with OAuth 2.0, enabling secure, token-based access for external systems.

  • Let administrators generate and manage bearer tokens directly within the application for seamless integration with the Keeper Security alert module.

  • Use Guided Setup to configure authentication, validate data ingestion, and ensure smooth end-to-end operation without manual coding.

  • Store incoming alerts in a custom import set table and automatically transform them into Security Incident Response (SIR) records using predefined mapping rules.

  • Map Keeper Security alert types to custom priorities so that SIR administrators can work on incidents by priority.

Example Use Cases

The integration with ServiceNow is flexible, allowing customers to assign any Keeper event to a SIR incident. Examples are below.

Password BreachWatch In Keeper Vault

  1. Trigger: BreachWatch has detected a record in the Keeper vault with a vulnerable password.

  2. Action: An alert containing the BreachWatch incident is sent to the ServiceNow webhook.

  3. ServiceNow SIR: The Keeper Security ITSM app receives the alert, checks the priority mapping, and creates a Security Incident Response ticket.

  4. Result: SIR admins can audit and work on the reported incident.

Privileged User Behavior Monitoring

  1. Trigger: An admin user created a new Team or a new policy in the Keeper Administrative account.

  2. Action: An alert containing the incident information is sent to the ServiceNow webhook.

  3. ServiceNow SIR: The Keeper Security ITSM app receives the alert, checks the priority mapping, and creates a Security Incident Response ticket.

  4. Result: SIR admins can audit and work on the reported incident.

Prerequisites

  • Alerts configured in the Keeper Admin Console

  • Security Incident Response (sn_si) module in ServiceNow

Roles Required In ServiceNow

Application Menu: Required Roles

  • Guided Setup: admin, x_keese_keeper_sec.guided_setup_user

  • Keeper Security Alerts - Import: x_keese_keeper_sec.ks_incidents

  • Keeper Security Incident: x_keese_keeper_sec.ks_incidents, sn_si.admin

  • Application Logs, Support Page, App Privacy Policy: workflow_admin, x_keese_keeper_sec.support_user

Configuration Instructions

Configuring the application in ServiceNow

To configure the Keeper Security ITSM App for ServiceNow on the ServiceNow platform, perform the following steps:

  1. Log in to the ServiceNow instance using your Administrator privileges.

  2. Navigate to the All tab > Search for Keeper Security Ticketing > Guided Setup

  1. Click on create a ServiceNow integration account > Configure

  2. Enter the User ID and click on the Internal Integration User checkbox.

    Once the user is created, click on the created user and then click Set Password.

    Assign the role x_keese_keeper_sec.keeper_security_app.

  1. In Guided Setup, click configure on the section Create System OAuth Application Registry > Click on New > Create an OAuth API endpoint for external clients

  1. Create an OAuth registry and fill the form with required fields.

  1. In Guided Setup, click configure on the section Select your credentials for generating token > Click on New

  1. Once the form is filled in correctly, you can use the Auth token and webhook URL to configure alerts in the Keeper Admin Console.

Configuring alerts in the Keeper Admin Console

  1. Log in to the Keeper Admin Console > Click on Reporting and Alerts > Alerts

  2. Enter the Alert Name as ServiceNow Alerts

  3. Click on Add Recipient > Add Webhook

  4. Enter the URL and Token received in Step 5 of configuring the app in ServiceNow

  5. Click on Save.

Keeper Security will now send alerts to the ServiceNow instance using the webhook URL and token entered above.

  1. To view security incidents in ServiceNow, navigate to the All tab > Search for Keeper Security Ticketing > Keeper Security Incidents

  2. Users can also see the complete details of the additional alert payload received from Keeper in the Security Incident form.

Configuring Keeper Alert Priority Levels

In Guided Setup, you can configure the priority levels for Keeper Security Event Types. This allows you to map Keeper events to ServiceNow incident priority levels.

Testing the configuration

After configuration, send an alert and check the Keeper Security Alerts - Import table. A new entry there confirms that the connection has been established.

Troubleshooting

If Keeper introduces a new Event Type, users can add that Event Type to the sys_choice table.

Follow the steps below in that case:

  1. In All, search for System Definition, then Choice Lists.

  2. Click New, then fill in the form that appears:

  • Choose Table as - Keeper Security Events Types.

  • Choose Element as - Keeper Security Event Types.

  • In Label, enter the name of the new Event Type.

  • In Value, enter the value that the category field contains in the alert payload for that new event type.

  3. Once done, click Submit.

  4. Go to Guided Setup and configure the priority for the new Event Type you just created.
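
The flow this page describes (bearer-token check on the webhook, staging the alert, priority lookup by `category`, and the new-event-type case from Troubleshooting) can be modeled as below. This is an added example, not Keeper or ServiceNow code: the token, category values, priorities, status codes and the handling of an unmapped category are all assumptions.

```javascript
// Added illustration: models the intake flow; not Keeper or ServiceNow code.
// Only the `category` field name comes from the page; every value is constructed.
const CONFIG = {
  bearerToken: "example-token-constructed",
  // category value -> SIR priority (1 = highest), as set in the priority mapping
  priorityByCategory: { sample_breach_event: 1, sample_admin_change: 3 },
};

// Compare the whole string instead of returning at the first mismatch.
// (On Node, crypto.timingSafeEqual over fixed-length digests is the usual choice.)
function tokensMatch(presented, expected) {
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (presented.charCodeAt(i) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

function ingestAlert(request, config = CONFIG) {
  const header = (request.headers && request.headers.authorization) || "";
  const match = /^Bearer +(\S+)$/i.exec(header);
  if (!match || !tokensMatch(match[1], config.bearerToken)) {
    return { status: 401, error: "invalid or missing bearer token" };
  }
  let alert;
  try {
    alert = JSON.parse(request.body);
  } catch (e) {
    return { status: 400, error: "body is not valid JSON" };
  }
  if (!alert || typeof alert.category !== "string" || alert.category === "") {
    return { status: 400, error: "payload has no category field" };
  }
  // Own-property lookup, so a category such as "constructor" cannot match
  // a property inherited from Object.prototype.
  const priorities = config.priorityByCategory;
  if (!Object.prototype.hasOwnProperty.call(priorities, alert.category)) {
    // New event type: keep the staged row and report the category so an
    // admin can add the choice value and then set its priority.
    return { status: 202, staged: true, incident: null, unmappedCategory: alert.category };
  }
  const incident = { category: alert.category, priority: priorities[alert.category] };
  return { status: 201, staged: true, incident };
}
```

A result carrying `unmappedCategory` is the signal to add the choice value and priority described in the Troubleshooting steps.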
