Extracting security logs from ServiceNow into SIEM tool

Andy93
Tera Contributor

I am looking for some advice on extracting security logs from ServiceNow into our SIEM tool. We are looking to integrate via API to pull the logs from ServiceNow. An example of what events our security team are looking for is below:

  • Account Successful Login Event
  • Account Unsuccessful Login Event
  • Account Successful Logoff
    • Include user to system and system to system login events
  • Account Management
    • If a security group is created, modified, deleted. When a user is renamed, disabled or enabled.
  • Directory Service Access
  • Audit Policy Change
    • When user rights assignment policies change
  • Audit Privileged Use
  • System events
    • A generic catch all, though interesting would be system time changes, audit log deletions, and similar.
  • Credential Validation
    • The results of validation tests on credentials submitted for a user account, e.g. for MFA would be useful. Is a user entering correct username/password and incorrect token?
  • Authorisation Policy Change
    • Changes in authorisation policy for example permission changes in ACLs

We are planning on integrating ServiceNow with the SIEM tool to automate the access to logs, but I need to provide access to the correct log tables in ServiceNow. The syslog table does not provide an easy way to filter and identify just security/audit related events that could be pulled. I know there is the Instance Security Center that ServiceNow provides which reports on some of this, but our Security team need real-time access to the raw logs, rather than the calculated metrics that are provided in the Instance Security Center.

Please can you let me know what the best practice is for this?
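
The polling approach the question describes (an integration user pulling security-relevant rows over the Table API, filtering them client-side and shipping them to a SIEM) as an added worked example. This is not code from the thread or from ServiceNow. The endpoint `/api/now/table/{table}`, the `sysparm_*` parameters and the tables `sys_audit` and `syslog` are real; the category mapping, the syslog message keywords, the sample records and `fake_fetch` are constructed assumptions so the script runs offline, and the `example` instance name is a placeholder. A real deployment would replace `fake_fetch` with an authenticated HTTPS GET (OAuth or basic auth) made by a dedicated read-only integration user whose ACLs grant read on exactly these tables.

```python
"""Poll ServiceNow tables for security-relevant records and normalise them for a SIEM.

Added example for this thread, not ServiceNow's own code. Table API endpoint,
parameter names and table names are real; message patterns, sample records and
fake_fetch are constructed assumptions (see comments).
"""
import re
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

Fetcher = Callable[[str], dict]  # authenticated GET url -> parsed JSON body {"result": [...]}

# sys_audit stores field-level changes (tablename, fieldname, oldvalue, newvalue, user).
# Mapping audited tables to the asker's categories; table names are real ServiceNow tables.
AUDIT_CATEGORIES = {
    "sys_user_group": "Account Management",
    "sys_user_grmember": "Account Management",
    "sys_user_has_role": "Account Management",
    "sys_user": "Account Management",
    "sys_security_acl": "Authorisation Policy Change",
    "sys_properties": "Audit Policy Change",
}

# ASSUMED syslog message patterns. Real message text varies by release, so tune these
# against messages observed on your own instance. Order matters: the failure pattern
# must be tested before the generic "login" pattern.
SYSLOG_PATTERNS = [
    (re.compile(r"login fail", re.I), "Account Unsuccessful Login Event"),
    (re.compile(r"\blogin\b", re.I), "Account Successful Login Event"),
    (re.compile(r"logout|logged out", re.I), "Account Successful Logoff"),
]


def build_table_url(instance: str, table: str, since: str, offset: int, limit: int = 1000) -> str:
    """Table API URL for records created after `since`, oldest first, one page at a time.

    Caveat: sys_created_on has one-second resolution, so '>' can skip rows created in
    the same second as the checkpoint; production code should use '>=' and de-duplicate
    on sys_id."""
    query = f"sys_created_on>{since}^ORDERBYsys_created_on"
    params = {
        "sysparm_query": query,
        "sysparm_limit": limit,
        "sysparm_offset": offset,
        "sysparm_display_value": "false",
        "sysparm_exclude_reference_link": "true",
    }
    return f"https://{instance}.service-now.com/api/now/table/{table}?{urlencode(params)}"


def fetch_since(fetch: Fetcher, instance: str, table: str, since: str, limit: int = 1000) -> list:
    """Page through every record created after `since` (watermark polling)."""
    rows, offset = [], 0
    while True:
        page = fetch(build_table_url(instance, table, since, offset, limit)).get("result", [])
        rows.extend(page)
        if len(page) < limit:  # short page => last page
            return rows
        offset += limit


def normalise_audit(row: dict):
    """Keep only audit rows on security-relevant tables; flatten to a SIEM-friendly event."""
    cat = AUDIT_CATEGORIES.get(row.get("tablename"))
    if not cat:
        return None
    detail = (f"{row['tablename']}.{row.get('fieldname', '')} "
              f"{row.get('oldvalue', '')!r} -> {row.get('newvalue', '')!r}")
    return {"time": row["sys_created_on"], "category": cat, "user": row.get("user", ""),
            "detail": detail, "source": "sys_audit"}


def normalise_syslog(row: dict):
    """Classify a syslog message by the assumed patterns; None if not security-relevant."""
    msg = row.get("message", "")
    for pattern, cat in SYSLOG_PATTERNS:
        if pattern.search(msg):
            return {"time": row["sys_created_on"], "category": cat, "user": "",
                    "detail": msg, "source": "syslog"}
    return None


def collect_security_events(fetch: Fetcher, instance: str, since: str, limit: int = 1000):
    """Return (events sorted by time, next checkpoint). The checkpoint advances over
    every fetched row, not just matching ones, so filtered rows are not re-read."""
    events, latest = [], since
    for table, norm in (("sys_audit", normalise_audit), ("syslog", normalise_syslog)):
        for row in fetch_since(fetch, instance, table, since, limit):
            latest = max(latest, row["sys_created_on"])  # 'YYYY-MM-DD HH:MM:SS' sorts as text
            ev = norm(row)
            if ev:
                events.append(ev)
    events.sort(key=lambda e: e["time"])
    return events, latest


# Constructed sample records shaped like Table API results (not real instance data).
SAMPLE = {
    "sys_audit": [
        {"sys_id": "a1", "sys_created_on": "2024-05-01 10:00:01", "tablename": "sys_user_grmember",
         "fieldname": "group", "oldvalue": "", "newvalue": "Security Admins", "user": "jdoe"},
        {"sys_id": "a2", "sys_created_on": "2024-05-01 10:00:05", "tablename": "incident",
         "fieldname": "state", "oldvalue": "1", "newvalue": "2", "user": "jdoe"},
        {"sys_id": "a3", "sys_created_on": "2024-05-01 10:00:09", "tablename": "sys_security_acl",
         "fieldname": "roles", "oldvalue": "admin", "newvalue": "itil", "user": "svc.integration"},
    ],
    "syslog": [
        {"sys_id": "s1", "sys_created_on": "2024-05-01 10:00:02", "message": "Login failed for user jdoe"},
        {"sys_id": "s2", "sys_created_on": "2024-05-01 10:00:03", "message": "Login succeeded for user jdoe"},
        {"sys_id": "s3", "sys_created_on": "2024-05-01 10:00:04", "message": "Starting scheduled job 'Cache Flush'"},
    ],
}


def fake_fetch(url: str) -> dict:
    """Offline stand-in for the authenticated GET; applies the same sysparm_query /
    sysparm_offset / sysparm_limit semantics the Table API would."""
    parsed = urlparse(url)
    table = parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    since = q["sysparm_query"][0].split("^")[0][len("sys_created_on>"):]
    offset, limit = int(q["sysparm_offset"][0]), int(q["sysparm_limit"][0])
    rows = sorted((r for r in SAMPLE.get(table, []) if r["sys_created_on"] > since),
                  key=lambda r: r["sys_created_on"])
    return {"result": rows[offset:offset + limit]}


if __name__ == "__main__":
    evs, checkpoint = collect_security_events(fake_fetch, "example", "2024-05-01 00:00:00", limit=2)
    for e in evs:
        print(e["time"], e["category"], e["detail"])
    print("next checkpoint:", checkpoint)
```

Using `limit=2` against three-row sample tables exercises the paging loop. Persist the returned checkpoint between runs and pass it back in as `since`; that, rather than re-reading the whole syslog table, is what keeps the poll cheap enough to run every minute.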


Tim Boswell
ServiceNow Employee

Hello Andy,

Have you tried looking through this document to see if it has the information you are looking for:

https://www.servicenow.co.it/content/dam/servicenow-assets/public/en-us/doc-type/success/playbook/instance-security-best-practice.pdf


Community Alums
Not applicable

Did you ever find a good solution for this? If yes, would you mind sharing it?

kmccathran
ServiceNow Employee

Andy, 

The tool you are looking for is the Log Export Service (LES), which allows exporting logs from your instance using the Hermes Messaging Service built on Kafka. The LES application can be installed from the ServiceNow Store.

LES forwards a copy of the log events as they are generated to the Hermes Messaging Service so that your SIEM can consume them. This is accomplished by using a dedicated MID Server, a Kafka connector (like Splunk), or directly from your Kafka system.

More information on LES:

https://www.servicenow.com/docs/bundle/xanadu-platform-security/page/administer/log-export-service/c...

I came across your question during a Google search and realized no one spelled out the solution for you. I am not an SME, but I am a Staff Technical Writer at ServiceNow.