Adding a ServiceNow CMDB Connector will pull data from the CMDB CI table. The user in the Cisco Vulnerability Management connector must have access (read or read/write) to this table and all the associated fields.
If your ServiceNow CMDB instance is large, Cisco recommends that you filter the results before attempting to run the connector for the first time. You can request that Cisco support use a basic filter (u_retired=false^u_active=true) or a more advanced filter if you know a specific device type you want to bring in such as "servers only".
When you are configuring your connector in Cisco Vulnerability Management, you can determine if you want assets activated using the value of the Retired field in the CMDB instead of using the Asset Settings that Cisco Vulnerability Management provides. Note: Scanners will show assets as active until the scanner no longer finds them on the network. The Retired field is not explicitly tied to the network unless you have policies in place to ensure this. Cisco recommends choosing a single source of truth to determine asset status (active/inactive). If you choose to have the CMDB Retired field as the source of truth, you should not enable the Asset Settings to avoid assets switching between active and inactive status.
You can also use the connector to access the Criticality rating in ServiceNow and use that value to determine Asset Priority values in Cisco Vulnerability Management. See Asset Scoring for additional information on how this will effect asset scores in Cisco Vulnerability Management. This data is pulled from cmdb_ci_service in the busines_criticality column which has values from 1 (high) to 4 (low) by default. If the link between Assets and Business Services is not present, this feature will not be available and no criticality rating will appear in the connector dialog.
Configuring your Connector in Cisco Vulnerability Management
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Discovery section, click ServiceNow CMDB.
4. On the ServiceNow CMDB page, enter the following information:
- Name: Enter a name for the connector, or leave it as ServiceNow CMDB.
- Enter the Username and Password of the account that you're using.
- Host: Enter the host name.
- Use Virtual Tunnel: Select this option if your deployment uses the Virtual Tunnel.
- Mark Retired Assets as Inactive: Select this option if you want assets activated using the value of the Retired field in the CMDB instead of using the Asset Settings provided by Cisco Vulnerability Management.
- Set Asset Priority From Business Service Criticality: Select this option if you want the connector to access the Criticality rating in ServiceNow and use that value to determine Asset Priority values in Cisco Vulnerability Management. The values range from 1 (high) to 4 (low) by default.
- Schedule: Select the frequency that you’d like your Connector to run.
5. Click Save and Verify.
Default Data Processing
Items converted to Cisco Vulnerability Management Tags:
- asset
- asset_tag
- manufacturer
- model_id
- location
Owner field in Cisco Vulnerability Management is populated by the "managed_by" CMDB field
Additional Tagging Options
If you have additional data in the CMDB which you would like added as tag data in Cisco Vulnerability Management, provide those ServiceNow field names (export an XML file to see the actual column names) to support and they will add the list of field to the connector on the back end. All provided fields will be used to create tags in Cisco Vulnerability Management.
Advanced Options
Default fields used for Asset matching:
- name = hostname
- ip_address = ip address
- mac_address = mac address
- fqdn = fully qualified domain name
- sys_id or customer defined id = External ID (only defined if ServiceNow asset ID is to be pulled in as the overarching ID for Assets. Example source field: sys_id. External ID should be removed from all other connectors to prevent overriding of the value with vulnerability scanner host ids)
Locator field names can be changed via back-end settings if CMDB fields do not match the defaults. It is a good idea to look at how names are being pulled into Cisco Vulnerability Management from the network scanner before completing this mapping to ensure asset matching. For example:
| Platform | Field | Value |
| Kenna | hostname | MYHOSTNAME |
| SNOW CMDB | name | myhostname |
| SNOW CMDB | host_name | MYHOSTNAME |
To ensure asset matching you should pull SNOW host_name into Cisco Vulnerability Management.
Filtering CMDB Data
Cisco Vulnerability Management can filter your CMDB data in two ways:
- ServiceNow CMDB Database View
- Query Filtering
ServiceNow Database View
ServiceNow can create database views. These views can be used to filter the data or combined the data from multiple tables within your ServiceNow CMDB. Cisco Vulnerability Management can redirect the CMDB connector to use your custom database view. Consult with your internal ServiceNow resources to develop any custom database views.
Query Filter
Cisco Vulnerability Management's CMDB connector can filter your CMDB data using a filter that you can build in your ServiceNow CMDB. Use the following instructions to build your query and then send it to your Cisco CSE to apply.
Generating the query string from within ServiceNow CMDB
- Open you ServiceNow CMDB system.
- Type “cmdb_ci.list” in the Filter Navigation box at the top left of the window, and press Enter
- Click the Filter Funnel and apply the desired filters.
- After running the query, you will see a list of bread crumbs in blue with a link. Right-click on the end term and you will get the option for copying the URL or Query.
- Select Query.
- Send this to Cisco to be applied to your CMDB connector
Comments
Please sign in to leave a comment.