An overview of the AgileSec ServiceNow Integration, including architecture and functionality.
The AgileSec ServiceNow Integration, InfoSec Global (ISG) AgileSec Analytics Integration for Vulnerability Response Module, allows organizations to automatically ingest, normalize, and enrich cryptographic vulnerabilities and alerts discovered by AgileSec, making them actionable within the ServiceNow (SNOW) platform.
The following guides are available to leverage the capabilities of AgileSec and ServiceNow Vulnerability Response Module:
- AgileSec ServiceNow VR: Deployment. A startup guide to deployment and basic configuration of the AgileSec ServiceNow VR Integration (ISG AgileSec Analytics Integration for ServiceNow Vulnerability Response Module) within your ServiceNow instance.
- AgileSec ServiceNow VR: Configuration. Post-deployment configuration for the AgileSec ServiceNow VR Integration.
- AgileSec ServiceNow VR: Operations. Navigate using the AgileSec ServiceNow VR Integration to create and investigate cryptographic vulnerabilities, vulnerable items, and detections within ServiceNow.
- AgileSec ServiceNow VR: OpenSearch OAuth2 Setup. Set up OpenSearch Security to accept OAuth2 Bearer tokens issued by Microsoft Entra ID and map those tokens to an OpenSearch role with permissions scoped to alert indexes.
Integration Overview
The key goals of the Integration between AgileSec and ServiceNow (SNOW) are the following:
- Integrate AgileSec Analytics with SNOW Vulnerability Response Module. Enable the integration to synchronize cryptographic vulnerabilities detected within AgileSec with the ServiceNow Vulnerability Response Module.
- List Cryptographic Vulnerabilities. Create a list of cryptographic vulnerabilities in SNOW identified by AgileSec Analytics within an Enterprise digital ecosystem.
- List Cryptographic Vulnerable Items. Create a list of Vulnerable Items in SNOW affected by the Cryptographic Vulnerabilities detected by AgileSec Analytics.
- List Cryptographic Detections. Create the list of detections in SNOW impacted by the Cryptographic Vulnerabilities detected by AgileSec.
Architecture
The following components are required for the AgileSec ServiceNow Integration:
- Running instance of AgileSec:
  - Compatible AgileSec Versions: Version 2.2.0 and above of AgileSec Analytics
  - ISG/AgileSec Alerting Module must be enabled
  - AgileSec SNOW Connector must be correctly configured and deployed
- Running instance of SNOW:
  - Compatible SNOW Versions: Utah or Vancouver
  - Vulnerability Response Module must be installed in ServiceNow
AgileSec
Backend AgileSec platform component running within company premises. The following components are involved in the integration:
- AgileSec Findings is a data store containing raw information collected by AgileSec Sensors across a digital infrastructure. This would include all cryptographic objects, including X509 Certificates, Cryptographic Keys and Cryptographic Libraries.
- AgileSec Policy is a process which identifies cryptographic vulnerabilities within the AgileSec Findings. The policy is also used to enrich the AgileSec Findings based on contextual information and attribute a cryptographic scorecard to the findings.
- AgileSec Alerts is a module including only specific AgileSec Findings matching specific criteria and specific policies. Alerts are used to provide additional contextual information on the cryptographic issue and the remediation path.
- AgileSec API is a process enabling 3rd party systems to query AgileSec Alerts for AgileSec Findings. The API is flexible and enables retrieval of the list of cryptographic vulnerabilities and associated cryptographic vulnerability objects. The API is used by the SNOW Connector to import information.
SNOW
SaaS component running within the SNOW network infrastructure. The following components are involved in the integration:
- SNOW Vulnerability Response Module is a standard component of SNOW used to report the following information:
  - Vulnerabilities
  - Vulnerability Items
  - Vulnerabilities Detection
- AgileSec SNOW Connector (InfoSec Global (ISG) AgileSec Analytics Integration for Vulnerability Response Module) is the AgileSec custom plugin for SNOW running as a scheduled task within the SNOW instance. The Connector is used to query AgileSec's API on a given schedule to perform the following actions:
  - Get aggregation of Vulnerabilities from AgileSec Analytics
  - Get list of Alerts from AgileSec Analytics
  - Create third party Vulnerabilities in SNOW
  - Create Vulnerability Items in SNOW
  - Create Vulnerabilities Detection in SNOW
- SNOW MID Server is a SNOW server component, usually deployed within a corporate network, used to relay communications between the SNOW SaaS infrastructure and an on-premises environment. The MID server is not represented in the schema.
Security
The following network configuration is required for the solution:
- Network communications. Collecting Findings in AgileSec Analytics.
  - Port: 443
  - Protocol: HTTPS
  - Direction: From SNOW Server to AgileSec Analytics Server (via SNOW MID server)
  - Authentication: Basic
- AgileSec API Authentication. The authentication to the AgileSec API is made using credentials set in SNOW.
  - Note: API Authentication instructions are provided in AgileSec ServiceNow VR: Deployment.
Limitations
Note that ServiceNow Vulnerability Response is designed to report network-based vulnerabilities, not file-based vulnerabilities. The integration uses the default SNOW fields to report information and is therefore subject to the following limitations:
- There are no specific fields for handling the file path impacted by the cryptographic vulnerability. For this reason, the Integration repurposes the protocol field to extend support for file information.
- The default network fields are not always relevant, especially when the detection is associated with a file-based cryptographic vulnerability.