Friday, 27 September 2019

ServiceNow Discovery vs Service Mapping and use of Event Management

Hi Developers,
Today I thought of sharing some knowledge on Service Mapping  vs Discovery and use of Event Management.
Single word Explanation : 
Discovery : - Horizontal Approach to discover Infrastructure.
Service Mapping : - Vertical (Top-Down) Approach   to discover Infrastructure.
Event Management : - Helps you to identify health issues across the Infrastructure on a single management console. 
Discovery uses horizontal approach to discovery IT infrastructure and applications connected to each other using protocol like TCP / IP / SNMP etc.
Discovery uses IP address or range of IP address to discover the target host / node or CI (Configuration Item) , To discovery mentioned hosts, a set of credentials will be required which can be saved in credential table in ServiceNow. Discovery uses four phase to fully discovery any IP or CI which include Port Scan , Classification, Identification and Exploration.
Once a IP is discovered, this process creates a record in CMDB (cmdb_ci) table. If CI already exist in ServiceNow CMDB table then it will update it with new information.
Discovery can also be configured to identify dependencies between applications, creating application dependency maps that can be graphically viewed in Dependency Views.
Service Mapping:
As said earlier Service Mapping works on Top-Down or Vertical approach to map all the CI (Configuration Item) to build a Business Service Map.
The difference between Service Mapping and Discovery is that Service Mapping only discovers the infrastructure and applications directly supporting a business service and maps their relationships.   Discovery on the other hand discovers all the infrastructure and applications it can find but does not relate anything to business services .
Service Mapping checks CMDB table first to find the IP or CI if it does not find then it starts Discovery process to identify or classify the IP/CI.
Service maps created by Service Mapping are often used for impact analysis in incident and change management - for example, you may be planning to upgrade a database server and you want to understand which business services would be impacted by the change.

Event Management : 
The Event Management application consolidates events integrated from different monitoring tools (e.g. SCOM, Nagios, SolarWinds, etc),
It processes the events to produce alerts.   Alerts can be [automatically] related to CI's and if the CI's are related to business services then the severity of the alerts can be used to detect the impact on the business services.  
Event Management helps to show incoming alerts according to their severity E.G. Critical, Major, Minor etc. This again display them with color.
To show any Service Map on the Event Management Dashboard you will have to make Service Map status as Operational.

Microsoft System Center Orchestrator and ServiceNow Integration using KELVERION

Hi There, 
Today I thought of sharing little information on the integration between ServiceNow and System Center using kelverion.
Note:  You have to buy KELVERION license to implement this. To know more about pricing please contact KELVERION.
  • Insert Record – activity dynamically creates new ServiceNow records using standard or customized ServiceNow forms
  • Get Record – activity returns records meeting specific filter conditions
  • Update Record – activity updates specific records
  • Delete Record – activity deletes specific records
  • Monitor Record – monitor for new or updated ServiceNow records
  • Upload Attachment – activity uploads attachment to ServiceNow record
  • Download Attachment – activity downloads attachment from ServiceNow record
  • Import Set – activity inserts a record into a ServiceNow import set table
  • Run Query – retrieves records from a ServiceNow table using a ServiceNow encoded query string
  • Run Scripted Web Service – runs a ServiceNow scripted web service (Only in SOAP IP)
  • Get Count – returns the number of records meeting specific filter conditions (Only in the REST IP)

    Request overview diagram : 
    Technical specification: 
    System Requirements
    The Integration Pack for ServiceNow requires the following software to be installed and configured before you deploy the integration. For more information about how to install and configure the Orchestrator, see the respective documentation.
    1. Microsoft System Center Orchestrator *
    2. Microsoft .NET Framework 4.5.2
    3. ServiceNow Madrid or London
    The Kelverion Integration Pack for ServiceNow uses DotNetZip, which is an open source code library used to manipulate zip files. The DotNetZip code library is distributed under the Microsoft Public License (Ms-PL) which is outlined in full at %COMMONPROGRAMFILES(X86)%\Microsoft System Center 2012\Orchestrator\Extensions\Support\Integration Toolkit\F5243EFD-AA78-4E3E-87A8-85A240467800\DotNetZip.rtf.

    Registering and Deploying the Integration Pack
     After you download the integration pack, you register the integration pack file with the Orchestrator management server, and then deploy it to runbook servers and computers that have the Runbook Designer installed.
     To register the integration pack: 
    1. On the management server, copy the .OIP file for the integration pack to a local hard drive or network share.
    2. Confirm that the file is not set to Read Only to prevent unregistering the integration pack at a later date.
    3. Start the Deployment Manager.
    4. In the navigation pane of the Deployment Manager, expand Orchestrator Management Server, right-click Integration Packs to select Register IP with the Orchestrator Management Server. The Integration Pack Registration Wizard
    5. Click Next.
    6. In the Select Integration Packs or Hotfixes dialog box, click Add.
    7. Locate the .OIP file that you copied locally from step 1, click Open and then click Next.
    8. In the Completing the Integration Pack Wizard dialog box, click Finish.
    9. On the End User Agreement dialog box, read the Kelverion License Termsand then click Accept.
    10. The Log Entries pane displays a confirmation message when the integration pack is successfully registered.
     To deploy the integration pack:
     In the navigation pane of the Deployment Manager, right-click Integration Packs, click Deploy IP to Runbook Server or Runbook Designer.
    1. Select the integration pack the you want to deploy, and then click Next.
    2. Enter the name of the runbook server or computers with the Runbook Designer installed, on which you want to deploy the integration pack, click Add, and then click Next.
    3. Continue to add additional runbook servers and computers running the Runbook Designer, on which you want to deploy the integration pack. Click Next
    1. In the Installation Options dialog box, configure the following settings.
    2. To choose a time to deploy the integration pack, select the Schedule installation check box, and then select the time and date from the Perform installation
    3. Click one of the following:
      1. Stop all running runbooks before installing the integration pack to stop all running runbooks before deploying the integration pack.
      2. Install the Integration Packs without stopping the running Runbooks to install the integration pack without stopping any running runbooks. 
    1. Click Next.
    2. In the Completing Integration Pack Deployment Wizard dialog box, Click Finish.
    3. When the integration pack is deployed, the Log Entries pane displays a confirmation message.
    Things to do at ServiceNow end:

Thursday, 25 April 2019

Email notification with all the variable of Catalog Item


Notifications keep users informed of events that concern them. The system can notify users by email, SMS text message, or push notification.
Creating an email notification involves specifying when to send it, who receives it, what it contains, and if it can be delivered in an email digest.


Requested For: ${sysapproval.request.requested_for}
Cost Center to be charged: ${sysapproval.request.requested_for.cost_center}

  var item = new GlideRecord("sc_req_item");
  item.addQuery("sys_id", current.sysapproval);
  if( {

      var keys = new Array();
      var set = new GlideappVariablePoolQuestionSet();
      var vs = set.getFlatQuestions();

      for (var i=0; i < vs.size(); i++) {
        if(vs.get(i).getLabel() == 'Website Cost (per year)') {
               template.print("Yearly cost for this website is " + vs.get(i).getDisplayValue() + ".\n");

    template.print("\nSummary of Requested item:\n\n");

     var set2 = new GlideappVariablePoolQuestionSet();
      var vs2 = set2.getFlatQuestions();

for (var x=0; x < vs2.size(); x++) {
    if(vs2.get(x).getLabel() != '') {
        if ( vs2.get(x).getDisplayValue() != "") {
            template.print('     ' +  vs2.get(x).getLabel() + " = " + vs2.get(x).getDisplayValue() + "\n");

Approval Activity:
<hr />
Click here to view Approval Request: ${URI}
Click here to view ${sysapproval.sys_class_name}:  ${sysapproval.URI}

Before, After, Async and Display Business Rules with Example


A business rule is JavaScript code which run when a record is displayed, inserted, updated, or deleted, or when a table is queried. Follow these guidelines to ensure that business rules work efficiently and to prevent unpredictable results and performance issues.

The When field on the business rule form indicates whether the business rule script runs before or after the current object is saved to the database. The most commonly used business rules are before and after rules. 
You can use an async business rule in place of an after business rule. Async business rules are similar to after rules in that they run after the database commits a change. Unlike after rules, async rules run in the background simultaneously with other processes. Async business rules allow ServiceNow to return control to the user sooner but may take longer to update related objects. 


First, I need to check that you not posting any offensive materials. I can have a before rule to check that. According to the rules setup by me, either allow or disallow the posting of the question (Transaction).


Second, after you have passed the rules of posting and posted the question successfully. Someone opens up your question and likes your question. I need to award you points once the like is successful. I can have a after business rule to set this up.


Third, you will need to get email trigger when someone comments on your question. It does not need to be immediate. I can have a async rule to trigger the email.


Finally, I need to update the number of views of your question. I can have a display business rule to update the counter related to your question ..

Thursday, 11 April 2019

Security Incident Response Setup / Configuration Understanding.

With Security Incident Response (SIR), manage the life cycle of your security incidents from initial analysis to containment, eradication, and recovery. Security Incident Response enables you to get a comprehensive understanding of incident response procedures performed by your analysts, and understand trends and bottlenecks in those procedures with analytic-driven dashboards and reporting.
Following are my understanding or observation from Security Incident Response.
Activate Security Incident Response
Security Incident Response activates these plugins
True/false indicates availability of plugin 
  • Service Management Core [com.snc.service_management.core]àtrue
  • Task-Outage Relationship [com.snc.task_outage] à true
  • Tree map [com.snc.treemap] àTrue
  • Threat Core [com.snc.threat.feeds] àFalse
  • Security Support Orchestration [com.snc.secops.orchestration] àTrue
  • Security Incident Response support [com.snc.security_support.sir]àFalse
  • WebKit HTML to PDF [com.snc.whtp] àTrue
  • Security Incident Analyst [] à True
  • Security Incident Response  [com.snc.security_incident] à True

Configure Security Incident Response
The options for configuring the applications are organized under Business Process, Assignment and Add-ons tabs.
There are few properties available under these tabs which allows to control the behavior of Security Incident
  • The Business Processtab contains options for setting up the request life cycle, creating catalogs and requests, and configuring notifications.
  • The Assignmenttab contains options for setting up manual and auto-assignment.
  • The Add-ons tab contains options for enabling the knowledge base, managed documents, and task activities.  
Optional setup steps include:
Create a Security Incident Response process definition
I have gone through the ServiceNow docs about it and tried reaching associates here regarding this process but it seems there is no definite process for S
Security Incident unlike Best Practice - Incident Resolution Workflow for Normal Incident
You can create a process definition to define the way security incidents transition from one state to the next. Process definitions give service desks and end users help tracking the problem throughout its life cycle
Before you begin
Role required: sn.si_admin
  • Navigate to Security Incident > Administration > Process Definition.
  • Click New.

Security incidents can be logged or created in the following ways:
  • From Security Incident form.
  • From events that are spawned internally, or created by external monitoring or vulnerability tracking systems via alert rules, or manually.
  • From external monitoring or tracking systems directly.
  • From the service catalog
Create a security incident group
  • If you have the user_admin role, you can create security incident assignment groups.
  • If you have the sn_si.admin role, you can create and edit security incident assignment groups.
  • Navigate to User Administration > Groups or Security Incident > Setup > Groups
    • Fill all the information as required
  • I have tested this by creating a group name “SIR WalkThrough” in my PI.
  • In the Roles related list, add the roles that each member of this group receives.
  • For example, if you are making a group for Security Incident Response team members, add sn_si.analyst. If you are making a group for Security Incident Response administrators, add sn_si.admin
 Create a Security Incident Response SLA
  • This can be configured based on the requirement we have.
  • Navigate to Security Incident > Setup > SLAs
 Create a Security Incident Response runbook
  • Navigate to Security IncidentManual RunbookCreate New Runbook
  • We need to have knowledge base articles in the Security Incident ResponseRunbook knowledge base
We can achieve that by adding Security Incident Response Runbook in Knowledge Base

I have found few important terminology below in Security Incident Response, Try to have these in mind when you are going to start it.
Scoring in security incident
The risk score is calculated as an arithmetic mean that represents the risk based on the priority of a security incident, the type of security incident (Denial of Service, Spear Phishing, or Malicious code activity), and the number of sources that triggered a failed reputation score on an indicator.
Following business rules trigger automatic calculation of risk scores:
  • Calculate Severity
  • Update risk score
  • Update SI risk score

Note: The risk score is calculated using weights defined in Risk score configuration


If a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate, the respective weights in the Risk Score Weights table are looked up and calculated thus:
Security Incident Business Impact with a value of 2 = a weight of 60.
Security Incident Priority with a value of 3 = a weight of 40.
60 + 40/2 = a risk score of 50.

  • The work notes are updated when the following fields are changed (causing the risk score to be updated):
    • Business impacton the Security Incident form
    • Priorityon the Security Incident form
    • Severityon the Security Incident form (hidden by default)
    • Business impacton the Affected Users related list
    • Business impacton the Affected Services related list
    • Business impacton vulnerabilities on the Vulnerable items related list

Risk score override
Select this check box to override the automatic update of the risk score. The override will be reflected in the work notes
You can also manually enter a new Risk score. This can be useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is automatically selected. Regardless of the changes made in the security incident, a manually-entered risk score is not automatically recalculated
Secure notes
  • Click the lock icon to unlock the field, enter work notes that are visible to the security users, and click the icon again to lock it.
  • The work notes that are encrypted and not visible to the customer.
Read access
  • Gives a user with the special accessrole read access to the security incident. The user is able to read and write work notes.

Privileged access
Gives a user with the special access role read and write access to all fields of the security incident except Assigned to. Users with special access roles have their own module containing all security incidents assigned to them. No other modules are available to them. No one else can see the Visible to Me module
  • If a user is added to both Read accessand Privileged accesslists, then only
the Privileged access permissions persist
  • Only an assigned user or someone with a security role (for example, sn_si_analyst or sn_si.admin) can change the Assigned to

SIR Lifecycle
Draft à Analysis à Contain à Eradicate à Recover à Review à Closed
  • Normally it will follow NIST process but you can jump or skip one or two state and directly go for Recover or Review.
  • We can’t close any Security Incident until we complete or close all the related tasks.
  • We can close Security Incident after contain state before that we don’t even have option to close it.
  • Assignment Group and Assignee are auto populating as one workflow (Assignment Workflow for SM) is running behind which is checking skill based resource and assigning the incident to him.
  • We can cancel Security Incident from button that appears on header when state changes from Draft to Analysis
  • But I could fine cancelled state for response task.
    • Ready à Assigned à Work In Progress à Complete à Cancelled
Reference Link:

Service Mapping Exam Preparation Part 2

1.       What we can do to prevent a step from running
a.       Use Pre-conditions which fails

2.       What are the 3 sections in a pattern?
a.       Identification, Extension and Connection

3.       When Service mapping discovers a CI, what is the Discovery Source?
a.       Servicewatch

4.       Best Practice of Identification rule?
a.       Identify the application-> Fill all criterion attributes->Fill all mandatory attributes-> Fill all attributes asked by the customer

5.       What happens when the host mentioned in the SaCmdManager console is not present in CMDB
a.       It starts horizontal discovery for that host

6.       Max number of CIs we should have in a Business Service?
a.       50

7.       If we populate a variable in an Identification Rule, where all we can use that variable?
a.       In all the steps after that step and in all the connections of that pattern

8.       What is needed to discover load balancer
a.       Management IP

9.       What we can do to prevent an Identification rule/Connection from running
a.       Using a Match operation in the beginning which fails

10.   What does an error on the map look like?
a.       Yellow Triangle

11.   How do you auto create incidents in event management?
a.       Alert Rules

12.   How do you create an alert in event management?
a.       Event Correlation Rule

13.   What is the relationship between application server and application?
a.       Who is parent and who is child

14.   What does represent?
a.       At least 1 business service where users can access loans, checking, saving, mortagages

15.   What happens when the entry point host couldn’t be discovered?
a.       The Service mapping stops until the discovery can be successful

16.   What is the correct flow?
a.       Host Detection-->Process Detection-->Application Identification-->Application Connection

17.   How does MID server communicate with the ServiceNow instance?
a.       Initiates over HTTPS