Creating a ServiceNow webhook notification when new high-severity vulnerabilities are detected
Using the WebSphere Automation Swagger UI, the JSONata Exerciser, and Mustache syntax, create a process that sends a notification to a webhook. The notification contains the details of any newly created, high-severity vulnerabilities that WebSphere Automation detects.
Before you begin
- Open a web browser to http://www.servicenow.com.
- Click Get Started, then click Start developing.
- Click Sign up and Start Building.
- Complete the form to sign up for a ServiceNow ID and click Sign up.
You are assigned a developer ID. Your developer instance hostname is similar to the following address:
<YOUR_SERVICENOW_DEVELOPER_ID>.service-now.com
If you plan to implement variables or conditional processing, make sure that you are familiar with Mustache syntax.
Examining the WebSphere Automation resource notification
The expected result of this tutorial is that a ServiceNow incident table displays information
that is passed from newly created, high-severity resource notifications in WebSphere Automation. For this tutorial, the resource notification contains
the details for the creation of a new vulnerability record when a new vulnerability is detected in a
managed server. In the following example resource notification, the value of the
type parameter is create; the object that is created is a
vulnerability.
{
"type": "CREATE",
"vulnerability": {
"id": "70357d34-411d-3321-a60f-ede653897a55",
"name": "6557248 : server1@defected1.example.com",
"description": "Multiple vulnerabilities exist in the Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) library used by IBM WebSphere Application Server in the Admin Console and UDDI Registry application. The same Apache library is also used by the IBM WebSphere Application Server Liberty for z/OS in features zosConnect-1.0 and zosConnect-1.2. All vulnerabilities have been addressed previously by removing all existing Apache Log4j versions.",
"assetId": "1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
"securityBulletinId": "23c15e59-1ef9-3eb5-a175-0845597cdbc1",
"resolved": false,
"cves": [
{
"id": "CVE-2022-23302",
"description": "Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.",
"cvssBaseScore": 8.8
},
{
"id": "CVE-2022-23305",
"description": "Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.",
"cvssBaseScore": 6.5
},
{
"id": "CVE-2022-23307",
"description": "Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.",
"cvssBaseScore": 9.8
}
],
"remediations": [
{
"startVersion": "9.0.0.0",
"endVersion": "9.0.5.10",
"operator": "OR",
"iFixes": [
"PH42762"
],
"fixPack": "9.0.5.11",
"additionalInstallationInstructions": "https://www.ibm.com/support/pages/node/6557248"
}
],
"links": {
"self": {
"rel": "self",
"href": "https://cpd-websphere-automation.apps.wsa-412.example.com/vulnerabilities/70357d34-411d-3321-a60f-ede653897a55",
"type": "application/json",
"title": "self"
},
"asset": {
"rel": "related",
"href": "https://cpd-websphere-automation.apps.wsa-412.example.com/assets/1a5d141a-3294-3ff3-9182-5ae1d4f3465d",
"type": "application/json",
"title": "asset"
},
"securityBulletin": {
"rel": "related",
"href": "https://cpd-websphere-automation.apps.wsa-412.example.com/bulletins/23c15e59-1ef9-3eb5-a175-0845597cdbc1",
"type": "application/json",
"title": "securityBulletin"
}
},
"created": "2023-05-17T10:10:29Z",
"createdBy": "vulnerability-manager",
"updated": "2023-05-17T10:10:29Z",
"updatedBy": "vulnerability-manager",
"secondsExposed": 1379
}
}
Information that is of interest includes the CVE IDs, the CVSS scores, the affected server, the description of the vulnerability, and the URL of the security bulletin.
Defining the process and the expected result
The result is to have a webhook target receive information about new high-severity CVEs, and to display that information in a row of an incident table.
- Open a web browser to your ServiceNow developer instance:
https://<YOUR_SERVICENOW_DEVELOPER_ID>.service-now.com/now/nav/ui/classic/params/target/ui_page.do
- Access the ServiceNow REST API Explorer. For more information, see the ServiceNow REST API Explorer documentation.
- In the REST API Explorer, set the API Name to Table API and click Create a record (POST).
- In the Table API page, in the Prepare request section, set the value of the tableName field to Incident (incident).
- In the Request body section, click Add field and add the following parameters and values to the incident table. Use static values to test the ServiceNow POST operation.

Field              Value
State              1
Impact             test_impact_value
Urgency            test_urgency_value
Short description  WebSphere Automation detected a vulnerability for test_cveId_value with a CVSS base score of test_cvssBaseScore on test_server on test_hostname
Description        test_description
Work notes         Security Bulletin: test_bulletinUrl
Category           Software
Assignment group   (This alphanumeric value is a ServiceNow artifact; get the value from your ServiceNow account.)

- Click Send.
In the Request section, the Request body field shows the request body in comma-separated JSON notation.
{"state":"1","impact":"test_impact_value","urgency":"test_urgency_value","short_description":"WebSphere Automation detected a vulnerability for test_cveId_value with a CVSS base score of test_cvssBaseScore on test_server on test_hostname","description":"test_description","work_notes": "Security Bulletin: test_bulletinUrl","category":"Software","assignment_group":" ... "}
This request body is used in the webhook action in a later step to pass data from WebSphere Automation to ServiceNow.
Also, make note of the value of the HTTP Method / URI parameter. The URI is the target URL that the WebSphere Automation webhook action requires.
https://<YOUR_SERVICENOW_DEVELOPER_ID>.service-now.com/api/now/table/incident
Setting up the webhook action
Use the WebSphere Automation Swagger UI to create a webhook action. For more information, see creating a webhook action.
Set the value of the body parameter to a comma-separated list of the key/value pairs that you created for the incident table. Quotation marks in the value of the body parameter must be escaped with the backslash character. Use the Mustache notation (double curly braces) for the variable names that you created.
{
"name": "ServiceNow Incident Action",
"description": "Creates incidents in ServiceNow when triggered",
"type": "webhook",
"enabled": true,
"configuration": {
"targetUrl": "https://<YOUR_SERVICENOW_DEVELOPER_ID>.service-now.com/api/now/table/incident",
"method": "POST",
"contentType": "application/json",
"user": "<YOUR_SERVICENOW_DEVELOPER_INSTANCE_USER_ID>",
"password": "<YOUR_SERVICENOW_DEVELOPER_INSTANCE_PASSWORD>",
"headers": [
{
"name": "Accept",
"value": "application/json"
}
],
"body": "{ \"state\": \"1\", \"impact\": \"{{impact}}\", \"urgency\": \"{{urgency}}\", \"short_description\":\"WebSphere Automation detected a vulnerability for {{cveId}} with a CVSS base score of {{cvssBaseScore}} on {{serverName}} on {{hostName}}\", \"description\":\"{{description}}\", \"work_notes\": \"Security Bulletin: {{bulletinUrl}}\", \"category\":\"Software\", \"assignment_group\":\"8a4dde73c6112278017a6a4baf547aa7\" }"
}
}
Testing the webhook action
To test the webhook action, open the WebSphere Automation Swagger UI and use the PATCH /action/{actionId} control to pass hard-coded values to the ServiceNow developer instance. For more information, see Creating an action.
Enter the action ID into the actionId text field. Use the actionId value that ServiceNow assigned the webhook when you created it.
Enter the following JSON code into the Request body field:
{
"operation": "invoke-action",
"variables": {
"impact": "1",
"urgency": "1",
"cveId": "CVE-2021-44228",
"cvssBaseScore": "10",
"isJdk": false,
"serverName": "server1",
"hostName": "defected1.example.com",
"description": "My hardcoded test description",
"bulletinUrl": "https://www.ibm.com/support/pages/node/6525706"
}
}
Click Execute.
Ensure that the server response code has a value of 200. A successful response
also has "successful": true in the response body.
Open the incident table in your developer instance on ServiceNow and confirm that a new entry is created.
Creating the resource trigger
Follow the instructions to create a resource trigger. Refer to the following example resource trigger.
Set the value of the actionId parameter to the action ID that is assigned to the action by the Swagger UI.
In the variableMappings section, create variables matching those that are defined in the action and incident table. For each variable, create JSONata expressions that evaluate to a boolean or to a value that you want to pass to the webhook. The condition parameter can also be set to a boolean JSONata expression. Use the JSONata Exerciser at https://try.jsonata.org/ to check your expressions against the JSON definition of the resource notification.
{
"name": "Vulnerability Created Trigger",
"description": "Triggers the action when a vulnerability with a CVE that has a CVSS base score greater than 9 is created.",
"actionId": "<YOUR_ACTION_ID>",
"type": "resource",
"enabled": true,
"configuration": {
"resourceType": "vulnerability",
"operation": "create"
},
"condition": "$count(vulnerability.cves[cvssBaseScore > 9 ]) > 0",
"variableMappings": {
"impact": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); $maxCvssBaseScore > 0 and $maxCvssBaseScore <= 4.9 ? '3' : ($maxCvssBaseScore >= 5 and $maxCvssBaseScore <= 7.4 ? '2' : '1'))",
"urgency": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); $maxCvssBaseScore > 0 and $maxCvssBaseScore <= 4.9 ? '3' : ($maxCvssBaseScore >= 5 and $maxCvssBaseScore <= 7.4 ? '2' : '1'))",
"cveId": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); vulnerability.cves[cvssBaseScore = $maxCvssBaseScore][0].id)",
"cvssBaseScore": "$number($max(vulnerability.cves.cvssBaseScore))",
"isJdk": "$asset.type = 'jdk'",
"productName": "$asset.productName",
"serverName": "$asset.serverName",
"hostName": "$asset.hostName",
"description": "($maxCvssBaseScore := $max(vulnerability.cves.cvssBaseScore); vulnerability.cves[cvssBaseScore = $maxCvssBaseScore][0].description)",
"bulletinUrl": "$bulletin.url"
}
}
Descriptions for the various JSONata expressions are as follows.
- impact: Set to a value of 3 if the highest CVSS score (cvssBaseScore) from the resource notification is between 0 and 4.9, 2 for between 5 and 7.4, and 1 otherwise.
- urgency: Same value as for impact.
- cveId: The CVE ID for the CVE in the resource notification with the highest CVSS score.
- cvssBaseScore: The highest CVSS score of the CVEs in the resource notification.
- description: The description of the CVE in the resource notification that has the highest CVSS score.
The following variables use context variables. For more information, see Trigger resource.
- isJdk: A boolean that evaluates to true if the CVE is set as affecting the Java Developer Kit.
- productName: The name of the product with the vulnerability.
- serverName: The name of the server with the vulnerability.
- hostName: The hostname of the runtime with the vulnerability.
- bulletinUrl: The URL for the security bulletin for the vulnerability.
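As an added example (not part of the original tutorial or WebSphere Automation itself), the following Python mirrors the trigger condition and variableMappings over a constructed, shortened copy of the notification above and then renders the Mustache-style webhook body. The placeholder substitution is a minimal stand-in for the Mustache engine, and every value is JSON-escaped before insertion so that a CVE description containing quotes or newlines cannot turn the body into invalid JSON or add unexpected fields.

```python
import json
import re

# Constructed, shortened copy of the notification above; one description has quotes to test escaping.
NOTIFICATION = {"type": "CREATE", "vulnerability": {"cves": [
    {"id": "CVE-2022-23302", "description": "Unsafe deserialization in JMSSink.", "cvssBaseScore": 8.8},
    {"id": "CVE-2022-23305", "description": "SQL injection via JDBCAppender.", "cvssBaseScore": 6.5},
    {"id": "CVE-2022-23307", "description": 'Unsafe "deserialization" in Chainsaw.', "cvssBaseScore": 9.8},
]}}
# Constructed stand-ins for the $asset and $bulletin context variables that the trigger reads.
CONTEXT = {"asset": {"serverName": "server1", "hostName": "defected1.example.com"},
           "bulletin": {"url": "https://www.ibm.com/support/pages/node/6557248"}}
# Webhook body template with Mustache-style {{name}} placeholders (assignment_group omitted).
BODY_TEMPLATE = ('{"state": "1", "impact": "{{impact}}", "urgency": "{{urgency}}", '
                 '"short_description": "WebSphere Automation detected a vulnerability for {{cveId}} '
                 'with a CVSS base score of {{cvssBaseScore}} on {{serverName}} on {{hostName}}", '
                 '"description": "{{description}}", "work_notes": "Security Bulletin: {{bulletinUrl}}", '
                 '"category": "Software"}')

def severity_bucket(score):
    """Same ranges as the impact/urgency JSONata expression: '3' for 0-4.9, '2' for 5-7.4, '1' otherwise."""
    if 0 < score <= 4.9:
        return "3"
    if 5 <= score <= 7.4:
        return "2"
    return "1"

def condition_matches(notification):
    """Equivalent of the trigger condition $count(vulnerability.cves[cvssBaseScore > 9]) > 0."""
    return any(c["cvssBaseScore"] > 9 for c in notification["vulnerability"]["cves"])

def map_variables(notification, ctx):
    """Equivalent of variableMappings: values derive from the first CVE with the highest CVSS score."""
    top = max(notification["vulnerability"]["cves"], key=lambda c: c["cvssBaseScore"])
    bucket = severity_bucket(top["cvssBaseScore"])
    return {"impact": bucket, "urgency": bucket, "cveId": top["id"],
            "cvssBaseScore": top["cvssBaseScore"], "description": top["description"],
            "serverName": ctx["asset"]["serverName"], "hostName": ctx["asset"]["hostName"],
            "bulletinUrl": ctx["bulletin"]["url"]}

def render_body(template, variables):
    """Minimal {{name}} substitution (not a full Mustache engine). Each value is JSON-escaped via
    json.dumps minus its outer quotes, so quotes or newlines in a description cannot break the body."""
    return re.sub(r"\{\{\s*(\w+)\s*\}\}", lambda m: json.dumps(str(variables[m.group(1)]))[1:-1], template)

def build_incident(notification, ctx):
    """Parsed incident body the webhook would send, or None when the trigger condition is not met."""
    if not condition_matches(notification):
        return None
    return json.loads(render_body(BODY_TEMPLATE, map_variables(notification, ctx)))
```

Paste the real notification JSON and the JSONata expressions into the JSONata Exerciser to confirm that the values this script derives match what the trigger produces.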
Enable the resource trigger by using the Swagger UI to run its JSON code. For more information, see Creating a resource trigger.