The applications required for this integration are available on the ServiceNow Store. Some applications have dependencies that you must download and install separately.

Before you begin

Role required: admin for download, installation, and activation of all applications.

Procedure

  1. Download the required applications from the ServiceNow Store into your ServiceNow instance.

    The Security Posture Control (SPC Core) application provides the core framework and is required for Asset Security Posture Management (ASPM). The Configuration Compliance application and its dependencies permit you to create remediation tasks for the security control gaps you find using Asset Security Posture Management.

    Table 1. Asset Security Posture Management applications
    Application App ID
    Asset Security Posture Management (Plugin id: sn_sec_caasm)
    ITOM Discovery License (Plugin id: com.snc.itom.discovery.license)
    Security Posture Control Core (Plugin id: sn_sec_spc_core)
    Mitigation Controls Monitoring (Plugin id: sn_sec_mit_ctr)
    Configuration Compliance (includes child app secops_shared_components)  (Plugin id: sn_vulc)
    Vulnerability Response Licensing and Usage (Plugin id: sn_vul_licensing)
    Table 2. Cloud Security Posture Management applications
    Application App ID
    Discovery Plugin (Plugin id: com.snc.discovery)
    Cloud Configuration Governance (Plugin id: sn_itom_ccg)
    CCG Content Pack (Plugin id: sn_itom_ccg_cp)
    CMDB CI Class Models (Plugin id: sn_cmdb_ci_class)
    Cloud Action Library (Plugin id: com.sn.itom.cal)
    For more information about downloading and activating applications, see the following topics:
  2. After you have downloaded the applications, navigate to All > System Applications > All Available Applications > All.
  3. Locate the applications that you downloaded and select Install to activate them along with their dependencies.
    Any dependency applications that are also installed automatically along with an application are displayed in the Application installation dialog. However, if you are prompted to install dependency plugins during the installation, follow the prompts provided. Verify you have all the applications and dependencies listed in the previous table installed and activated.

    A dialog is displayed after an application is successfully activated.

    For more information about downloading and installing applications from the ServiceNow Store:
  4. After you have installed and activated the applications, assign users to the following Security Posture Control groups:

    These groups inherit all the roles necessary to read and edit SPC records.

    SPC Admin Group
    Users in this group have full read and write access to all the records for the product, including licensing information. Granular roles for this group include: [sn_sec_caasm.analyst, sn_sec_caasm.caasm_security_admin, and sn_sec_spc_core.configure].
    SPC Analyst Group
    Users in this group have full read and write access to all the records for the product but cannot view licensing information. Granular roles for this group include [pa_power_user and sn_sec_spc_core.analyst].
    SPC Analyst Read Only Group
    Users in this group have full read access to all the records for the product but cannot view licensing information. Granular roles for this group include [pa_power_user, sn_sec_spc_core.analyst_read, sn_sec_caasm.read, and cmdb_ms_user].
    Supporting application roles
    The following roles are required by the applications listed in the preceding table that support SPC and Asset Security Posture Management.
    • Configuration Compliance Admin [sn_vulc.admin] - Configures the Configuration Compliance application, has visibility to all records, and can modify properties. Assigns roles in the Configuration Compliance application.
    • Vulnerability Response Admin [sn_vulc.admin] - Configures the Vulnerability Response application and the vulnerability risk calculators.
    • MID Server [mid_server] - Configures a MID Server.
  5. (Optional) Set the ignoreCIClass [sn_sec_cmn.ignoreCIClass] system property to ignore some configuration item (CI) classes when running CI Lookup Rules.

    As an SPC Admin and SPC Analyst, you might need to ignore certain hardware or virtual classes so that you do not ingest information about assets you do not want to control. See Create a Vulnerability Response CI lookup rule and Ignore CI classes for more information.

  6. Modify reconcilation and recompute CMDB data sources to set the source of truth for attribute values.

    The CMDB 360 dashboard provides aggregations and analysis of CMDB 360 data. CMDB 360 collects data about all the discovery sources reporting attribute values for CIs. Use the CMDB 360 view in Configuration Management Database (CMDB) Workspace to track activities and identify potential issues of discovery sources. See CMDB 360 view in CMDB Workspace for more information.