Console
    Contact Us Start free

    Collect ServiceNow Security logs

    Supported in:

    Overview

    This parser extracts security event data from ServiceNow JSON logs, mapping relevant fields to the UDM. It handles various event types like logins and permission changes, populating principal/target user information, IP addresses, and metadata like vendor and product details.

    Before you begin

    Ensure that you have the following prerequisites:

    • Google SecOps instance.
    • Privileged access to ServiceNow Security.

    Set up feeds

    To configure a feed, follow these steps:

    1. Go to SIEM Settings > Feeds.
    2. Click Add New Feed.
    3. On the next page, click Configure a single feed.
    4. In the Feed namefield, enter a name for the feed; for example, ServiceNow Security Logs.
    5. Select Webhookas the Source type.
    6. Select ServiceNow Securityas the Log type.
    7. Click Next.
    8. Optional: Specify values for the following input parameters:
      • Split delimiter: the delimiter that is used to separate log lines, such as \n .
    9. Click Next.
    10. Review the feed configuration in the Finalizescreen, and then click Submit.
    11. Click Generate Secret Keyto generate a secret key to authenticate this feed.
    12. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
    13. From the Detailstab, copy the feed endpoint URL from the Endpoint Informationfield. You need to specify this endpoint URL in your client application.
    14. Click Done.

    Create an API key for the webhook feed

    1. Go to Google Cloud console > Credentials.

      Go to Credentials

    2. Click Create credentials, and then select API key.

    3. Restrict the API key access to the Google Security Operations API.

    Specify the endpoint URL

    1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.

    2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

       X-goog-api-key = API_KEY 
X-Webhook-Access-Key = SECRET

      Recommendation: Specify the API key as a header instead of specifying it in the URL.

    3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

        ENDPOINT_URL 
?key= API_KEY 
&secret= SECRET

      Replace the following:

      • ENDPOINT_URL : the feed endpoint URL.
      • API_KEY : the API key to authenticate to Google SecOps.
      • SECRET : the secret key that you generated to authenticate the feed.

    Configure Webhook in ServiceNow

    1. Sign in to ServiceNow Security with privileged account.
    2. Go to Configuration > Monitoring > Connections.
    3. Click add .
    4. Select Webhook.
    5. Specify values for the following parameters:
      • Name: Provide a descriptive name for the webhook (for example, Google SecOps).
      • URL: Enter the Google SecOps ENDPOINT_URLwith API_KEYand SECRET.
    6. Click Saveto complete the webhook configuration.

    UDM Mapping

    Log field UDM mapping Logic
    created_by
    		 target.user.userid Mapped to target.user.userid if snc_user is empty.
    event
    		 metadata.product_event_type Directly mapped from the raw log field "event".
    event_created
    		 metadata.event_timestamp.seconds Converted to seconds from the raw log field "event_created" using the date filter.
    ip_address
    		 principal.ip Directly mapped from the raw log field "ip_address" if not empty.
    snc_user
    		 target.user.userid Directly mapped from the raw log field "snc_user" if not empty.
    user
    		 principal.user.userid Directly mapped from the raw log field "user" if not empty or "null".
    		extensions.auth.type Set to "MACHINE" if the event field is "Failed Login", "SNC Login", "Admin Login", or "Impersonation".
    		metadata.event_type Set to "USER_LOGIN" if the event field is "Failed Login", "SNC Login", "Admin Login", or "Impersonation". Set to "USER_CHANGE_PERMISSIONS" if the event field is "Security Elevation".
    		metadata.log_type Hardcoded to "SERVICENOW_SECURITY".
    		metadata.product_name Hardcoded to "SERVICENOW_SECURITY".
    		metadata.vendor_name Hardcoded to "SERVICENOW".
    		principal.user.userid Set to "UNKNOWN" if the user field is empty or "null".

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: