# ServiceNow ITSM
## Overview The Keeper Security ITSM application provides a secure and streamlined integration between Keeper Security Alerts and ServiceNow’s Security Incident Response (SIR) module. It enables enterprise customers to centrally manage and respond to Keeper-generated security alerts by automating their intake, transformation, and creation as Security Incident tickets within ServiceNow. This integration helps security teams maintain visibility, improve response times, and ensure that Keeper Security alerts are managed consistently within existing ServiceNow SIR workflows. ServiceNow Store Listing: ## Features * Receive Keeper Security alerts and incidents through a protected webhook endpoint, ensuring that only authorized sources can submit data to the platform. * Protect the webhook endpoint with OAuth 2.0, enabling secure, token-based access for external systems. * Allows administrators to generate and manage bearer tokens directly within the application for seamless integration with Keeper Security alert module. * Guided Setup to configure authentication, validate data ingestion, and ensure smooth end-to-end operation without manual coding. * Store incoming alerts in a custom import set table and automatically transform them into Security Incident Response (SIR) records using predefined mapping rules. * Provides custom priority mapping for Keeper Security alert types enabling SIR administrators to work on incidents on priority basis. ## Example Use Cases The integration with ServiceNow is flexible, allowing customers to assign any Keeper event to a SIR incident. Examples are below. #### Password BreachWatch In Keeper Vault 1. Trigger: BreachWatch has detected a record in the Keeper vault with a vulnerable password. 2. Action: An alert will be sent to ServiceNow webhook that contains the BreachWatch incident. 3. ServiceNow SIR: Keeper Security ITSM app will receive the alerts, checks for priority mapping and creates a Security Incident Response Ticket. 4. Result: SIR admins can audit, and work on the incident reported. #### Privileged User Behavior Monitoring 1. Trigger: An admin user created a new Team or new policy in Keeper Administrative account. 2. Action: An alert will be sent to ServiceNow webhook that contains the incident information. 3. ServiceNow SIR: Keeper Security ITSM app will receive the alerts, checks for priority mapping and creates a Security Incident Response Ticket. 4. Result: SIR admins can audit, and work on the incident reported. ## Prerequisites * Alerts configurations in Keeper Admin Console * Security Incident Respon*s*e `sn_si` module in ServiceNow ## Roles Required In ServiceNow | Application Menu | Required Roles | | -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | |
  1. Guided Setup
|
  1. admin
  2. x\_keese\_keeper\_sec.guided\_setup\_user
| |
  1. Keeper Security Alerts - Import
|
  1. x\_keese\_keeper\_sec.ks\_incidents
| |
  1. Keeper Security Incident
|
  1. x\_keese\_keeper\_sec.ks\_incidents
  2. sn\_si.admin
| |
  1. Application Logs
  2. Support Page
  3. App Privacy Policy
|
  1. workflow\_admin
  2. x\_keese\_keeper\_sec.support\_user
| ## Configuration Instructions ### Configuring the application in ServiceNow To Configure the Keeper Security ITSM App for ServiceNow on the ServiceNow platform, perform the following steps 1. Log in to the ServiceNow instance using your Administrator privileges. 2. Navigate to the **All tab** > Search for **Keeper Security Ticketing** > **Guided Setup**
3. Click on **create a ServiceNow integration account** > **Configure** 4. Enter the User ID and click on the **Internal Integration User** checkbox. Once a user is created, click on the created user and then click on **set password**. Provide the role as `x_keese_keeper_sec.keeper_security_app`
5. In Guided Setup, click **configure** on the section **Create System OAuth Application Registry** > Click on **New** > **Create an OAuth API** endpoint for external clients
6. **Create an OAuth registry** and fill the form with required fields.
7. In Guided Setup, click **configure** on the section **Select your credentials for generating token** > Click on **New**
8. Once the form is filled correctly you can use the Auth token and webhook URL to configure alerts in the Keeper Admin Console.
### Configuring alerts in the Keeper Admin Console 1. Login to **Keeper Admin Console** > Click on **Reporting and Alerts** > **Alerts** 2. Enter the Alert Name as **ServiceNow Alerts**
3. Click on **Add Recipient** > **Add Webhook** 4. Enter the **URL** and **Token** received on Step 5 of configuring the app in ServiceNow
5. Click on **Save**. Now, Keeper Security will send the alerts to the ServiceNow instance via Webhook URL and the token we used. 6. To view security incidents in ServiceNow, navigate to **All tab** > Search for **Keeper Security Ticketing** > **Keeper Security Incidents**
7. Users can also get complete details of additional alert payload received from Keeper in the **Security Incident Form** as below.
### Configuring Keeper Alert Priority Levels In Guided Setup, You can configure the priority levels for Keeper Security Event Types. This allows you to map Keeper events to ServiceNow incident priority levels.
## Testing the configuration Users can send an alert after configuration and can check Keeper Security Alerts - Import table - if a new entry shows there, this marks the successful connection establishment. ## Troubleshooting In case of a new Event Type introduced by Keeper, users can configure and add that new Event Type in the `sys_choice` table. Please follow steps below in case of such events: 1. In **All**, search for **System Definition**, and **Choice Lists**.
2. Click **New**, then below form will appear
* Choose Table as - **Keeper Security Events Types.** * Choose Element as - **Keeper Security Event Types.** * In Label, you can enter the name of the New Event Type. * In Value, you have to enter the value that the category field contained in the alert payload for that new event type.
3. Once done, Click submit. 4. Head over to the Guided setup and then configure the priority for the new Event Type you just created. ## Supported Alerts The integration supports over 300 detailed Keeper Security event types as described in the table below. {% embed url="" %} Supported Event Types from Keeper Security to ServiceNow ITSM {% endembed %}